
How to create a self-signed SSL Certificate

This article provides a walk-through for creating a self-signed SSL Certificate.

Typically, a Secure Sockets Layer (SSL) certificate is created for a domain by first generating a Certificate Signing Request (CSR) through Internet Information Services (IIS) and sending the request to a known Certification Authority, such as GeoTrust. The Certification Authority generates a corresponding certificate file for use in conjunction with the CSR, which completes the request and secures communications on the domain.

However, IIS does come with the ability to create a 'self-signed' certificate, in which the server generating the CSR also generates the corresponding certificate file. These are mainly used for testing, development and troubleshooting, as the certificate will only be recognized as valid by the server it is hosted on. Attempting to view the secured domain externally produces an error that the certificate is not valid, as it has been neither approved nor recognized by a known Certification Authority.

To create a self-signed SSL certificate for any hosted domain on your server, you will first need to download and install the SSL Diagnostics Kit v1.1, which can be obtained free of charge from Microsoft via the following URL:

SSL Diagnostics Version 1.1 (x86)

Given the option to either Run or Save the file, choose 'Save'.

For now, let's save the file to the desktop. Click 'Save' again.

Once the download is complete, double-click the icon to begin the installation.

Click 'Next' on the initial window.

Click the option to accept the terms of the License Agreement, and click 'Next'.

Enter your desired Name and Company information, and click 'Next'.

The next screen will provide options for which type of installation you prefer. You can click 'Complete' to install the Diagnostics.

You are now ready to install the diagnostics. Click 'Install'.

When the installer confirms it has completed, click 'Finish'.

Now, we need to get some information from IIS before we can generate the self-signed certificate. Open IIS by navigating to 'Start --> Administrative Tools --> Internet Information Services (IIS) Manager'. 

Once IIS is open, expand the Server Name, then click on the 'Web Sites' folder. This will bring up a list of all web sites on the server in the right-hand pane. You will notice that each site has a unique number assigned to it under the 'Identifier' column. This is the number which we need in order to create the self-signed certificate. As you can see, the Identifier for 'example.com' is 957.

Next, we need to open a DOS Prompt. You can do this by navigating to 'Start --> Run', typing 'CMD', and clicking OK.

Once the DOS prompt is open, we will need to navigate to the directory where the SSL Diagnostic Toolkit is located. This directory is 'C:\Program Files\IIS Resources\SSLDiag'. To navigate to this directory, at the DOS prompt, enter the following command:

cd C:\Program Files\IIS Resources\SSLDiag

The 'cd' command stands for Change Directory. Press Enter once the command is typed in, and the prompt will bring you right to the directory, as seen below.

Now, we need to enter the command which will actually create the certificate. The base command to create the certificate is 'ssldiag /selfssl'; however, the command requires certain parameters for the certificate to be successfully created. These parameters are as follows:

  • /N: - This specifies the common name of the certificate. The computer name is used if there is no common name specified.
  • /K: - This specifies the key length of the certificate. The default length is 1024.
  • /V: - This specifies the amount of time the certificate will be valid for, calculated in days. The default setting is seven days.
  • /S: - This specifies the Identifier of the site, which we obtained earlier. The default will always be 1, which is the Default Web Site in IIS.

Let's use the following command to create a self-signed certificate for 'example.com' that is valid for two years, using a common name of 'example.com' and a key length of 1024:

ssldiag /selfssl /N:CN=example.com /K:1024 /V:730 /S:957

Once you have set the parameters to your preference, enter the command into the DOS prompt, and press Enter. After pressing Enter, the DOS prompt will simply move to the next line.

Now, we can check IIS and verify the certificate is now in place. Using the steps outlined above, navigate back to IIS, right-click on the domain, and choose 'Properties'.

Inside the Properties window, click on the 'Directory Security' tab.

On the Directory Security tab, under the 'Secure Communications' heading, click on the 'View Certificate' button, as it is now enabled.

This window confirms the certificate has been successfully installed. Note the 'Issued By' field: typically the issuer would be a known Certification Authority, such as GeoTrust, but here the issuer is 'example.com'. This confirms the certificate is self-signed. Click OK to close the window.

You can now view the site on the server over HTTPS. Again, please note that because the certificate is self-signed and does not have a matching Root Certificate from a Certification Authority, attempting to view the site over HTTPS from an external location will cause a certificate error. Self-signed certificates should only be used for testing and development, and under no circumstances should be substituted for a CA-approved SSL Certificate.
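The 'Issued By' check above can also be done from the command line. The following PowerShell function is an added example, not part of the original article or of the SSL Diagnostics Kit; it assumes Windows PowerShell 5.1 or later and that the certificate was installed into the local machine's Personal store (LocalMachine\My). It reports whether each certificate is self-signed, how the machine it runs on evaluates the chain, and whether the RSA key is shorter than 2048 bits, the minimum publicly trusted Certification Authorities accept, so the 1024-bit key created by the command above is flagged.

```powershell
# Added example: audit certificates for self-signing, chain trust, key size and expiry.
# Assumption: the certificate created by 'ssldiag /selfssl' is in Cert:\LocalMachine\My.
function Test-CertificateTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Keys shorter than this are reported as weak.
        [int]$MinimumKeyBits = 2048
    )
    process {
        # Self-signed: the encoded subject and issuer names are identical
        # (the 'Issued By' and 'Issued To' fields match in the certificate dialog).
        $subjectRaw = [Convert]::ToBase64String($Certificate.SubjectName.RawData)
        $issuerRaw  = [Convert]::ToBase64String($Certificate.IssuerName.RawData)
        $selfSigned = $subjectRaw -eq $issuerRaw

        # Build the chain against this machine's trust stores, as a client would.
        # Revocation is skipped so the check also works without network access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainTrusted = $chain.Build($Certificate)
        $chainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # RSA key size in bits; $null when the certificate does not use an RSA key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $null }

        [pscustomobject]@{
            Subject      = $Certificate.Subject
            Issuer       = $Certificate.Issuer
            SelfSigned   = $selfSigned
            ChainTrusted = $chainTrusted
            ChainStatus  = $chainStatus
            KeyBits      = $keyBits
            WeakKey      = ($null -ne $keyBits -and $keyBits -lt $MinimumKeyBits)
            DaysLeft     = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
            Thumbprint   = $Certificate.Thumbprint
        }
    }
}

# Audit every certificate in the local machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My | Test-CertificateTrust | Format-List
```

A certificate with SelfSigned set to True and a ChainStatus of UntrustedRoot is one that clients will reject unless the certificate itself has been added to their trusted root store.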

If you have any questions regarding this process, or would like to request assistance, please don't hesitate to contact our Technical Support Department, and they will be more than happy to assist you.



