SSL/TLS Certificates

If you need a certificate to enable HTTPS on your server there are a number of options available. You can review these and decide what best suits your environment and needs.

If your site is public facing and reached over the internet you will need a certificate from a certificate authority (CA) that browsers already trust. If it is only reached on your local network you can use a self-signed certificate, but every client that connects must be told to trust it first (see Copying and Trusting Certificates on Client Machines below); until then browsers will show a certificate warning.


Self-Signed Certificates

You can create your own self-signed certificates using tools already available on your Windows server.

Note that self-signed certificates are not automatically trusted by other computers. To enable them to be trusted you need to export them from the server and install them on the client computers. See the section on how to copy certificates below.

You cannot renew a self-signed certificate. When it expires, create a new one and distribute it to the client machines again.

Using Windows PowerShell Command Line

A self-signed certificate for your machine/localhost can be created from the Windows PowerShell command line.

Start PowerShell as Administrator (the LocalMachine certificate stores cannot be written otherwise).

The script below creates a new self-signed certificate that is valid for the machine name and for localhost (both names go into the certificate's Subject Alternative Name, so either can be used in the URL) and adds it to the Trusted Root store of the same machine. It expires 1 year after creation, which is the cmdlet's default. Because anything in the LocalMachine Trusted Root store is trusted by every user and service on that machine, keep the private key (it stays in the Personal store) protected and create the certificate only on the server that will actually use it.

# Create the certificate in the machine's Personal store (cert:\LocalMachine\My), where IIS looks for server certificates
$cert = New-SelfSignedCertificate -FriendlyName "LocalSelfCert2019" -DnsName $env:COMPUTERNAME, "localhost" -CertStoreLocation "cert:\LocalMachine\My"

# Open the machine's Trusted Root store and add the same certificate so this machine trusts it
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList Root, LocalMachine
$rootStore.Open("MaxAllowed")
$rootStore.Add($cert)
$rootStore.Close()

Notes

To set a non-default expiry (the default is 1 year from creation) add the -NotAfter parameter.

Example:

New-SelfSignedCertificate -DnsName $env:COMPUTERNAME, "localhost" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(24)

For documentation of the New-SelfSignedCertificate command see: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

Thanks to Making a self-signed SSL certificate (and trusting it) in PowerShell for the majority of the code in this PowerShell script.

Using IIS Manager

Creating a self-signed certificate for your machine using IIS Manager is quite easy to do. These steps create a certificate issued to your machine name.

Because the certificate is issued to the machine name, the URL used to access the site must use the machine name (not localhost), for example: https://bl-asus-2014-a/chameleon/. If a browser rejects the certificate because it carries no Subject Alternative Name, use the PowerShell method above instead: its -DnsName parameter puts each listed name into the SAN.

  1. Launch IIS Manager

  2. Navigate to the server for which you want to create the certificate

  3. In the Features view double-click the Server Certificates icon.

  4. In the Actions pane click the Create Self-Signed Certificate

  5. Type in a friendly name to identify the certificate that will be created.

  6. Click OK.

Viewing Certificates

Look in the Certificates (Local Computer) - both the Personal and Trusted Root Certification Authorities folders to see the relevant certificates.

If you have a certificate in the Personal folder and want it to be trusted on that machine, copy it to the Trusted Root Certification Authorities > Certificates folder. That trust applies to that machine only; other computers still need the export/import steps below.

Using Certificate Manager

To view the list of available certificates in their stores you can use the Certificate Manager Console snap-in. In the Windows Start menu, search by typing cert and Manage Computer Certificates from the Control Panel should display. Press Enter. This opens the Local Computer stores, which is where the server certificate lives.

Alternatively, find Run from the Start menu or screen and type in certlm.msc, then hit Enter. Note that certmgr.msc opens the Current User stores, not the Local Computer stores referred to on this page, so the server certificate will not appear there.

Using Microsoft Management Console

  1. Open Microsoft Management Console: find Run from the start menu or screen, type in mmc, then hit Enter.

  2. Select File, and click Add/Remove Snap-in…

  3. Select the Certificates snap-in, and click Add.

  4. Select Computer account, and click Next.

  5. Select Local computer, and click Finish.

  6. Click OK.

Using IIS

You can also view some of the installed certificates using IIS Manager.

  1. Select the machine name in the connections panel on the left.

  2. Look for the Server Certificates icon in the IIS settings section in the middle panel.

  3. Double-click to open the list of certificates available to IIS.
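The same review from PowerShell, as an added example that is not part of the original page: it walks the Personal and Trusted Root stores of the local computer and reports, per certificate, the thumbprint, the DNS names it is valid for, whether it is self-signed, whether the private key is present (only the server that serves HTTPS should hold it) and how much validity remains. The 30-day warning threshold is an assumption.

```powershell
# Added example, not from the original page. Lists certificates in the two
# stores this page uses and flags expired or soon-expiring ones.
$stores   = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'
$warnDays = 30   # assumption: warn when fewer than 30 days of validity remain

function Get-CertificateReport {
    param([string[]]$StorePaths = $stores, [int]$WarnDays = $warnDays)
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store | ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
            elseif ($daysLeft -lt $WarnDays)  { $status = "EXPIRES IN $daysLeft DAYS" }
            else                              { $status = 'OK' }
            # DnsNameList is populated from the Subject Alternative Name by the Cert: provider
            $dnsNames = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                # Subject equal to Issuer is the usual sign of a self-signed certificate
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # Only the server that will serve HTTPS should hold the private key
                HasPrivateKey = $_.HasPrivateKey
                DnsNames      = $dnsNames
                NotAfter      = $_.NotAfter
                Status        = $status
            }
        }
    }
}

# Show everything, soonest expiry first within each store
Get-CertificateReport | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey = True in the Trusted Root store of a client machine means the private key was copied along with the certificate; remove it there and re-import the public .cer file only.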

Copying and Trusting Certificates on Client Machines

Self-signed certificates won’t be trusted by client machines until the certificate is added to each client's Trusted Root store. To do so export it from the server and then import it on the client machine. Export only the public certificate: never copy the private key (a .pfx export) to clients, because anyone holding it can impersonate your server, and clients need only the public .cer file to verify it.

Export the Generated Certificate

  1. View the certificate list (see above section)

  2. In the left pane, expand Certificates (Local Computer).

  3. Expand the Personal node, and click Certificates.

  4. Right-click on the newly created certificate, select All Tasks, and click Export…

  5. The Certificate Export Wizard will open. Click Next to continue.

  6. Verify No, do not export the private key is selected, and click Next.

  7. Verify DER encoded binary is selected, and click Next.

  8. Specify a file name with .CER extension, and click Next.

  9. Click Next.

  10. Click Finish.

Import the Generated Certificate

  1. On the client machine open the Certificate Manager Console (as per above in Viewing Certificates)

  2. Expand the Trusted Root Certification Authorities folder, then right-click the Certificates folder, and select All Tasks > Import.

  3. Browse to the .cer file you copied from the server, leave the certificate store set to Trusted Root Certification Authorities, and finish the wizard.
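The export and import procedures above, scripted in PowerShell as an added example that is not part of the original page. The server half exports the public certificate only (DER .cer, no private key) and returns its thumbprint; the client half refuses to import a file whose thumbprint does not match the one the server owner supplied, which is the check that stops a tampered or wrong .cer being trusted. The friendly name, file path and the one-machine demonstration at the end are assumptions.

```powershell
# Added example, not from the original page. Automates the two wizard
# procedures above: export the public certificate on the server, then verify
# and import it on the client. Names and paths are assumptions.

# SERVER SIDE: export only the public certificate as DER (.cer); the private key stays in the store
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory)] [string]$FriendlyName,   # e.g. "LocalSelfCert2019" from the PowerShell section
        [Parameter(Mandatory)] [string]$OutFile
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1   # newest one if several exist
    if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My" }
    $null = New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force
    # -Type CERT writes the DER-encoded certificate only (what the wizard calls "DER encoded binary")
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    # Give this thumbprint to the client operator out of band, not alongside the file
    return $cert.Thumbprint
}

# CLIENT SIDE (run as Administrator): confirm the file is the one the server produced before trusting it
function Import-TrustedPublicCertificate {
    param(
        [Parameter(Mandatory)] [string]$CerFile,
        [Parameter(Mandatory)] [string]$ExpectedThumbprint
    )
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()   # tolerate the spaced GUI format
    $incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerFile
    if ($incoming.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($incoming.Thumbprint), expected $expected. Not importing."
    }
    if ($incoming.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($incoming.NotAfter); ask the server owner for a new one."
    }
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Confirm it landed in the Trusted Root store
    return Test-Path -Path "Cert:\LocalMachine\Root\$($incoming.Thumbprint)"
}

# Demonstration on a single machine (assumed path). In a real deployment run the
# first call on the server, copy the .cer file, and run the second on each client.
$cerFile    = 'C:\Temp\LocalSelfCert2019.cer'
$thumbprint = Export-PublicCertificate -FriendlyName 'LocalSelfCert2019' -OutFile $cerFile
Import-TrustedPublicCertificate -CerFile $cerFile -ExpectedThumbprint $thumbprint
```

Import-TrustedPublicCertificate returns True when the certificate is present in the client's Trusted Root store afterwards. Run the client half on every machine that needs to reach the site; trust added this way applies to that machine only.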

Signing Authorities

There are a number of options for public signing authorities. A couple of ideas are mentioned below.

Let’s Encrypt

https://letsencrypt.org/

You can get a certificate for free and automate its creation and renewal using Let’s Encrypt and related tools such as

Commercial Certificates

You can also purchase certificates from traditional commercial Certificate Authorities; an internet search for “ssl certificate” will list the current providers. Certificates from these CAs are trusted by browsers out of the box, so no client-side import is needed.