Bannister Lake does not provide certificates. If you need a certificate there are a number of options available. You can review these and decide what suits your environment and needs.
If your site is public facing and available via the internet you will need a certificate from a signing authority. However if you are only accessing it via your local server you can use a self-signed certificate.
Self-Signed Certificates
You can create your own self-signed certificates using tools already available on your Windows server.
Note that self-signed certificates are not automatically trusted by other computers. To enable them to be trusted you need to export them from the server and install them on the client computers. See the section on how to copy certificates below.
Using Windows PowerShell Command Line
Creating a self-signed certificate for you machine/localhost can be done using the Windows Powershell command line.
Start the Powershell as Administrator.
Then this command script can be used to create a new self-signed certificate that can be used with localhost or the machine name in the URL and add it to the Trusted Root store. It will expire in 1 year from creation.
$cert = New-SelfSignedCertificate -FriendlyName "LocalSelfCert2019" -DnsName $env:COMPUTERNAME, "localhost" -CertStoreLocation "cert:\LocalMachine\My" $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine $rootStore.Open("MaxAllowed") $rootStore.Add($cert) $rootStore.Close()
Notes
To have a certificate with a non-default expiry you can add a -NotAfter
parameter.
Example:
New-SelfSignedCertificate -DnsName $env:COMPUTERNAME, "localhost" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(24)
For documentation of the New-SelfSignedCertificate command see: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
Thanks to https://vcsjones.com/2013/11/08/making-a-self-signed-ssl-certificate-and-trusting-it-in-powershell/ for main ideas of this scriptlet.
Using IIS Manager
Creating a self-signed certificate for your machine using IIS Manager is quite easy to do. These steps will create a certificate based on your machine name.
The certificate generated in this way will reference the machine name and the URL used to access it must then use the machine name (not localhost) - example: https://bl-asus-2014-a/chameleon/
Launch IIS Manager
Navigate to the server for which you want to create the certificate
In the Features view double-click the Server Certificates icon.
In the Actions pane click the Create Self-Signed Certificate
Type in a friendly name to identify the certificate that will be created.
Click OK.
Viewing Certificates
Look in the Certificates (Local Computer) - both the Personal and Trusted Root Certification Authorities folders to see the relevant certificates.
If you have a certificate in the Personal folder and want to enable it to be trusted - copy it to the Trusted Root Certificate Authorities Certificate folder and then it will be trusted on that machine.
Using Certificate Manager
To view the list of available certificates in their stores you can use the Certificate Manager Console snap-in. In the windows start menu, search by typing cert
and Manage Computer Certificates from the Control Panel should display. Press enter.
Alternatively - find Run from the start menu or screen and type in certmgr.msc
, then hit Enter.
Using Microsoft Management Console
Open Microsoft Management Console. (Run command
mmc.exe
)find Run from the start menu or screen and type in
mmc
, then hit Enter.
Select File, and click Add/Remove Snap-in…
Select the Certificates snap-in, and click Add.
Select Computer account, and click Next.
Select Local computer, and click Finish.
Click OK.
Using IIS
You can also view some of the installed certificates using IIS Manager.
Select the machine name in the connections panel on the left.
Look for the Server Certificates icon in the IIS settings section in the middle panel.
Double-click to open a list certificates available to IIS.
Copying and Trusting Certificates on Client Machines
Self-signed certificates won’t be trusted by client machines until you add the certificate to the list of trusted certificates. To do so export it from the server and then import it on the client machine.
Export the Generated Certificate
View the certificate list (see above section)
In the left pane, expand Certificates (Local Computer).
Expand the Personal node, and click Certificates.
Right-click on the newly created certificate, select All Tasks, and click Export…
The Certificate Export Wizard will open. Click Next to continue.
Verify No, do not export the private key is selected, and click Next.
Verify DER encoded binary is selected, and click Next.
Specify a file name with .CER extension, and click Next.
Click Next.
Click Finish.
Import the Generated Certificate
On the client machine open the Certificate Manager Console (as per above in Viewing Certificates)
Expand the Trusted Root Certification Authorities folder, then right-click the Certificates folder, and select All Tasks > Import.
Use the certificate file you copied from the server.
Signing Authorities
Let’s Encrypt
You can get a certificate for free and automate it’s creation and renewal using Let’s Encrypt and related tools such as
Certify https://certifytheweb.com/
Windows ACME Simple (WACS) https://github.com/PKISharp/win-acme
ACMEShart https://github.com/ebekker/ACMESharp
Commercial Certificates
You can also purchase certificates from other traditional existing Certificate Authorities. Simply do an internet search for: “ssl certificate” using google.