Securing communications between internal server application and client computers

I have an application on a Windows server that needs to communicate with our client PCs over HTTPS on our internal network (via IIS 7 port 443). So, I'm trying to use OpenSSL for Windows to create a self signed certificate to accomplish this. In terms of commands, how do I go about creating a server-side and client-side certificate?

Currently, I just created a simple self signed cert on the server and installed that on the Server (and its Trusted CA) and then on the client (and its Trusted CA). Though, I don't think that's best practice to use the same in both places.

Here are the certificate requirements from the documentation...

The server-side TLS/SSL certificate must comply with the following requirements:
It must be valid for IIS.
It must be valid during the period in which you use it.
You must enable it for server authentication.
It must contain a private key.
The common name (CN) must match the name of the server exactly.
The same certificate authority that issued the client-side CA certificate must also issue the server-side certificate.
You must install it in the local computer personal certificate store of the server.

The client-side CA certificate must comply with the following requirements:
It must be in the .CER file format.
It must be valid during the period in which you use it.
It must be the root certificate of the same certificate authority that issued your server-side TLS/SSL certificate
2_under_parAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
you don't need openssl windows has its own method of generating self signed keys.. the problem being with all self signed keys is that they are not trusted .. you have to export the public key and import it into the other machines trusted root store.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
2_under_parAuthor Commented:
Yes, I initially followed Microsoft's documentation on that, https://technet.microsoft.com/en-us/library/ff710475(v=ws.10).aspx. I then took that cert and installed it on both the Server's and Client's "Personal" and "Trusted Root..." folders in the Cert MMC snapin. Then, I binded it to the site in IIS 7 console on HTTPS. Again, I'm kinda ignorant to what's best practice here, so I kinda figured that procedure was ok for testing, but not for deploying to production. I was under the impression (perhaps misguided) that there needed to be some sort of difference (hash???...fingerprint???) between the server cert and the client cert.
0
David Johnson, CD, MVPOwnerCommented:
you really need a certificate authority this way you only need to import 1 certificate into the root store. If you are using client certs it will use the common name as the user id with the proviso that the server trusts the client certificate.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.