Internet Sellout

Demand Unearned Rewards

Self-Signed Cerificates for IIS

yUsing expired certificates or any certificate that brings up a nag that the user has to ignore can be inconvenient, but worse, can get them in the habit of trusting things that should not be trusted. Doing a self-signed certificate potentially solves only the problem of the nag, it is still not as secure as a properly issued certificate from a certificate authority. Using IIS’s self signed certificate feature only generates certs for the current server name and there is no control over the details like expiration. Instead we can use a tool that comes with visual studio: ‘makecert’. But as of sometime in 2020, not entirely sure when it happened, possibly with Chromium Edge the Subject Alternative Name became mandatory and 'makecert' now is a fail.

Cool kids will probably be quite happy using OpenSSL, however you may have a hangover at this very moment and are not quite that ambitious.

Powershell to the rescue!

 

PS C:\WINDOWS\system32> $todaydt = Get-Date
PS C:\WINDOWS\system32> $years = $todaydt.AddYears(20)
PS C:\WINDOWS\system32> New-SelfSignedCertificate -dnsname darkempty.local,www.darkempty.local -notafter $years -CertStoreLocation cert:\LocalMachine\My -KeySpec KeyExchange

These commands will make a self certified SSL Cert for myserver.mydomain.com and puts it in the cert store for local machine/personal (my = personal) which is where iis will look for it. You will probably want to generate the cert on a dev box and then using the MMC snap in export the key with the private key, then copy the resulting pfx and install it on the box which you want to use it.

The -KeySpec KeyExchange is needed by SQL Server and you can manage the SQL Server cert in the SQL Server Configuration Manager (run as admin) starting with 2019. Also you can do -keyUsage KeyEncipherment,DigitalSignature,CrlSign,CertSign. Link to full learning: Learn New-SelfSignedCertificate

To make a browser trust this certificate, the user has to add this cert to the personal and the trusted root certificate store. This is not a best practice for any publicly reachable site. The best uses for this are intranet and development situations. Launch the MMC certificates snap-in and copy this new certificate from Personal into the Trusted Certificate Authorities store.

For Reference, this was the old makecert command:

makecert -r -pe -n "CN=myserver.mydomain.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

notice the crazy long expiration date. Also the -eku flag can take comma delimited list so you can assign more than one purpose. -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.3 will give you server and code signing in one cert.

makecert is a utility that comes with Visual Studio and can be run from the Visual Studio command prompt.

Comments are closed