Bannister Lake does not provide certificates. If you need a certificate to enable HTTPS on your server there are a number of options available. You can review these and decide what best suits your environment and needs.
If your site is public facing and available via the internet, you will need a certificate from a signing authority. However, if you are only accessing it via your local server network, you can use a self-signed certificate.
Self-Signed Certificates
You can create your own self-signed certificates using tools already available on your Windows server.
Note that self-signed certificates are not automatically trusted by other computers. To enable them to be trusted you need to export them from the server and install them on the client computers. See the section on how to copy certificates below.
You cannot renew a self-signed certificate. You can create a new one, though.
Using Windows PowerShell Command Line
...
Then this command script can be used to create a new self-signed certificate that can be used with localhost or the machine name in the URL and add it to the Trusted Root store. It will expire in 1 year from creation.
```powershell
# Create the certificate in the local machine's Personal store,
# valid for both the machine name and "localhost".
$cert = New-SelfSignedCertificate -FriendlyName "LocalSelfCert2019" -DnsName $env:COMPUTERNAME, "localhost" -CertStoreLocation "cert:\LocalMachine\My"
# Add the same certificate to the Trusted Root store so this machine trusts it.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
$rootStore.Open("MaxAllowed")
$rootStore.Add($cert)
$rootStore.Close()
```
...
For documentation of the New-SelfSignedCertificate command see: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Thanks to https://vcsjones.com/2013/11/08/making-a-self-signed-ssl-certificate-and-trusting-it-in-powershell/ for the main ideas and the majority of the code in this PowerShell scriptlet.
Using IIS Manager
...
The certificate generated in this way will reference the machine name and the URL used to access it must then use the machine name (not localhost) - example: https://bl-asus-2014-a/chameleon/
Launch IIS Manager
Navigate to the server for which you want to create the certificate
In the Features view double-click the Server Certificates icon.
...
In the Actions pane click Create Self-Signed Certificate.
...
Type in a friendly name to identify the certificate that will be created.
Click OK.
Viewing Certificates
Look in the Certificates (Local Computer) - both the Personal and Trusted Root Certification Authorities folders to see the relevant certificates.
...
Using Microsoft Management Console
Open Microsoft Management Console (mmc.exe): find Run from the Start menu or screen, type in mmc, then hit Enter.
Select File, and click Add/Remove Snap-in…
Select the Certificates snap-in, and click Add.
Select Computer account, and click Next.
Select Local computer, and click Finish.
Click OK.
Using IIS
You can also view some of the installed certificates using IIS Manager.
Select the machine name in the connections panel on the left.
Look for the Server Certificates icon in the IIS settings section in the middle panel.
...
Double-click to open a list of certificates available to IIS.
Copying and Trusting Certificates on Client Machines
...
Export the Generated Certificate
View the certificate list (see above section)
In the left pane, expand Certificates (Local Computer).
Expand the Personal node, and click Certificates.
Right-click on the newly created certificate, select All Tasks, and click Export…
The Certificate Export Wizard will open. Click Next to continue.
Verify No, do not export the private key is selected, and click Next.
Verify DER encoded binary is selected, and click Next.
Specify a file name with .CER extension, and click Next.
Click Next.
Click Finish.
Import the Generated Certificate
On the client machine open the Certificate Manager Console (as per above in Viewing Certificates)
Expand the Trusted Root Certification Authorities folder, then right-click the Certificates folder, and select All Tasks > Import.
Use the certificate file you copied from the server.
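The export and import steps above can also be scripted. The following is an added example, not part of the original page or of Bannister Lake's tooling; the function names and the C:\Temp\server.cer path are assumptions, and the client compares the file's thumbprint with the value reported by the server before trusting it.

```powershell
# Added example; function names and file paths are hypothetical.

# SERVER: export only the public certificate (DER encoded, no private key)
# and return its thumbprint so it can be given to the client separately.
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory)] [string] $FriendlyName,
        [Parameter(Mandatory)] [string] $Path
    )
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate named '$FriendlyName', found $($found.Count)."
    }
    # -Type CERT writes a .cer file that never contains the private key.
    Export-Certificate -Cert $found[0] -FilePath $Path -Type CERT | Out-Null
    return $found[0].Thumbprint
}

# CLIENT: check the copied file before adding it to Trusted Root.
function Import-TrustedRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    # Load the file without installing it, so it can be inspected first.
    $fullPath = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    # Tolerate spaces or separators copied along with the thumbprint.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint). Not importing."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter). Not importing."
    }
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Server: $tp = Export-PublicCertificate -FriendlyName 'LocalSelfCert2019' -Path 'C:\Temp\server.cer'
# Client (elevated): Import-TrustedRootCertificate -Path 'C:\Temp\server.cer' -ExpectedThumbprint $tp
```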
Signing Authorities
There are a number of options for public signing authorities. A couple of ideas are mentioned below.
Let’s Encrypt
You can get a certificate for free and automate its creation and renewal using Let’s Encrypt and related tools such as:
Certify https://certifytheweb.com/
Windows ACME Simple (WACS) https://github.com/PKISharp/win-acme
ACMESharp https://github.com/ebekker/ACMESharp
Commercial Certificates
You can also purchase certificates from other traditional existing Certificate Authorities. Simply do an internet search for “ssl certificate” using Google.
...