May 10, 2005

Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS 5.0.

1. Set up your CA (you only have to do this once)
ON THE LINUX BOX...
* Create a private key

openssl genrsa -des3 -out CA.key 1024

(You'll need to supply a passphrase. DON'T FORGET THIS!!)

* Set this to read-only for root for security

chmod 400 CA.key

* Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts. For Common Name, you might want to use something like "OurCompany CA")

* Set the certificate to read-only for root for security

chmod 400 CA.crt

2. Obtain a CSR
ON THE IIS BOX...
* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we'll refer to your CSR as "new.csr")

3. Sign the CSR
ON THE LINUX BOX...
* Sign the CSR (all of this on one line)

openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt

* Transfer the new.crt file back to the IIS box

4. Install self-signed certificate
ON THE IIS BOX...
* Open the Internet Manager
* Select the site to install the key
* Right-click and choose properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred

That's it!
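As an added example (not part of the original post), here are the Linux-side steps 1 and 3 as non-interactive shell functions, with the verification check worth running before new.crt goes back to the IIS box. It assumes openssl is on PATH, reads the CA passphrase from the CA_PASS environment variable, and goes one step beyond the post by adding a subjectAltName at signing time, because "openssl x509 -req" does not carry extensions over from the CSR.

```shell
# Added example, not part of the original post: non-interactive versions of the
# CA setup (step 1) and CSR signing (step 3) above, plus the check to run before
# copying new.crt back. Assumes openssl on PATH and the CA passphrase in $CA_PASS.
set -e

# Minimal config so the CA cert gets basicConstraints/keyUsage regardless of the
# system openssl.cnf; reused for the demo CSR below (empty [dn] works with -subj).
write_cnf() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1"
}

# Step 1: passphrase-protected CA key and self-signed CA certificate.
make_ca() {
    dir=$1; write_cnf "$dir/ca.cnf"
    openssl genrsa -des3 -passout env:CA_PASS -out "$dir/CA.key" 2048 2>/dev/null
    chmod 400 "$dir/CA.key"
    openssl req -new -config "$dir/ca.cnf" -key "$dir/CA.key" -passin env:CA_PASS \
        -x509 -days 1095 -subj "/O=OurCompany/CN=OurCompany CA" -out "$dir/CA.crt"
    chmod 400 "$dir/CA.crt"
}

# Step 3: sign the CSR. "openssl x509 -req" drops any extensions the CSR carried,
# so the server name is supplied as a subjectAltName via -extfile; current
# clients reject a server cert without one even when it chains correctly.
sign_csr() {
    dir=$1; csr=$2; host=$3
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -passin env:CA_PASS -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/new.crt" 2>/dev/null
}

# The check: does new.crt chain to CA.crt? Exit status 0 means yes.
verify_cert() {
    openssl verify -CAfile "$1/CA.crt" "$1/new.crt" >/dev/null 2>&1
}

# End-to-end run in a scratch directory; the CSR made here is a constructed
# stand-in for the one IIS produces in step 2. Prints the directory used.
demo_run() {
    work=$(mktemp -d)
    make_ca "$work"
    openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$work/site.key" -subj "/O=OurCompany/CN=www.example.com" \
        -out "$work/new.csr" 2>/dev/null
    sign_csr "$work" "$work/new.csr" www.example.com
    verify_cert "$work"
    echo "$work"
}
```

Run it with CA_PASS set in the environment (for example `CA_PASS=... sh -c '. ./ca.sh; demo_run'`); with a real IIS CSR, call sign_csr on that file instead of the constructed one.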

Now...here's the updated info, with special thanks to David MacKenzie.

David's comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable--thanks! (I found them by Google.) There's one subtlety I'd like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn't connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I'm using Windows 2000 SP3 and Exchange 2000 SP3.

1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
ON THE IIS BOX...
* Open Internet Explorer
* Tools>Internet Options
* Content tab
* Certificates
* Import
* Next
* Browse
* Files of type: X.509 Certificate (*.cer, *.crt)
* Select CA.crt
* Open
* Next
* Next
* Finish
2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
ON THE IIS BOX...
* Open Internet Services Manager
* Right-click on exchange>Default Web Site>Exadmin
* Properties
* Directory Security tab
* Secure communications Edit
* Uncheck Require secure channel (SSL)
* OK
* OK

Posted by MoMo at May 10, 2005 11:32 AM
Comments

Hello, I tried to set up IIS4 with this explanation but my browser shows "The page can not be show". And I have a page configured.
Can you help me?

Thanks

Posted by: Marcelo at July 7, 2005 05:05 PM

Oops, make that "I didn't need to follow any of David's suggestions". That's what I get for quickly scanning the last bit of your article!

Posted by: chris at May 26, 2005 07:51 PM

You just saved me a ton of Googling for an answer to this. My cert was set to expire tomorrow and another answer I found mentioned installing Certificate Server 2.0. It took me literally 5 minutes to get a certificate created and installed on my OWA box following your directions. I don't use public folders so I didn't need to follow any of MoMo's suggestions.

Thanks again for posting this and for somehow making it on the first page of my Google search! :)

-chris

Posted by: chris at May 26, 2005 07:50 PM