How to Create a Self-Signed SSL Certificate

Typically, Secure Sockets Layer (SSL) certificates are created for a domain by first generating a Certificate Signing Request (CSR) through Internet Information Services (IIS) and sending the request to a known Certification Authority, such as GeoTrust. The Certification Authority then generates a corresponding certificate file, which is used in conjunction with the CSR to complete the request and secure communications on the domain.

However, IIS does come with the ability to create a ‘self-signed’ certificate, in which the server generating the CSR also generates the corresponding certificate file. These are mainly used for testing, development and troubleshooting, as the certificate will only be recognized as valid by the server it is hosted on. Attempting to view the secured domain externally results in an error that the certificate is not valid, as it has neither been approved by nor is recognized by a known Certification Authority.

Step 1

To create a self-signed SSL certificate for any hosted domain on your server, you will first need to download and install the SSL Diagnostics Kit v1.1, which can be obtained free of charge from Microsoft via the following URL:

SSL Diagnostics Version 1.1 (x86)

Given the option to either Run or Save the file, choose ‘Save’.


Step 2

For now, let’s save the file to the desktop. Click ‘Save’ again.


Step 3

Once the download is complete, double-click the icon to begin the installation.


Step 4

Click ‘Next’ on the initial window.


Step 5

Click the option to accept the terms of the License Agreement, and click ‘Next’.


Step 6

Enter your desired Name and Company information, and click ‘Next’.


Step 7

The next screen will provide options for which type of installation you prefer. You can click ‘Complete’ to install the Diagnostics.


Step 8

You are now ready to install the diagnostics. Click ‘Install’.


Step 9

When the installer confirms it has completed, click ‘Finish’.


Step 10

Now, we need to get some information from IIS before we can generate the self-signed certificate. Open IIS by navigating to ‘Start –> Administrative Tools –> Internet Information Services (IIS) Manager’.


Step 11

Once IIS is open, expand the Server Name, then click on the ‘Web Sites’ folder. This will bring up a list of all web sites on the server in the right-hand pane. You will notice that each site has a unique number assigned to it under the ‘Identifier’ column. This is the number which we need in order to create the self-signed certificate. In this example, the Identifier for ‘example.com’ is 957.


Step 12

Next, we need to open a DOS Prompt. You can do this by navigating to ‘Start –> Run’, typing ‘CMD’, and clicking OK.


Step 13

Once the DOS prompt is open, we will need to navigate to the directory where the SSL Diagnostic Toolkit is located. This directory is ‘C:\Program Files\IIS Resources\SSLDiag’. To navigate to this directory, at the DOS prompt, enter the following command:

cd C:\Program Files\IIS Resources\SSLDiag

The ‘cd’ command stands for Change Directory. Press Enter once the command is typed in, and the prompt will change to that directory.


Step 14

Now, we need to enter the command which will actually create the certificate. The base command to create the certificate is ‘ssldiag /selfssl’; however, the command requires certain parameters for the certificate to be created successfully. These parameters are as follows:

  • /N: – This specifies the common name of the certificate. The computer name is used if there is no common name specified.
  • /K: – This specifies the key length of the certificate. The default length is 1024.
  • /V: – This specifies the amount of time the certificate will be valid for, calculated in days. The default setting is seven days.
  • /S: – This specifies the Identifier of the site, which we obtained earlier. The default will always be 1, which is the Default Web Site in IIS.

Let’s use the following command to create a self-signed certificate for ‘example.com’ that is valid for two years, using a common name of ‘example.com’ and a key length of 1024:

ssldiag /selfssl /N:CN=example.com /K:1024 /V:730 /S:957


Step 15

Once you have set the parameters to your preference, enter the command into the DOS prompt, and press Enter. After pressing Enter, the DOS prompt will simply move to the next line.


Step 16

Now, we can check IIS and verify the certificate is now in place. Using the steps outlined above, navigate back to IIS, right-click on the domain, and choose ‘Properties’.


Step 17

Inside the Properties window, click on the ‘Directory Security’ tab.


Step 18

On the Directory Security tab, under the ‘Secure Communications’ heading, click on the ‘View Certificate’ button, as it is now enabled.


Step 19

This window confirms the certificate has been successfully installed. Note the ‘Issued By’ field: typically the issuer would be a known Certification Authority, such as GeoTrust, but here the issuer is ‘example.com’. This confirms the certificate is self-signed. Click OK to close the window.


You can now view the site on the server under a secure heading. Again, please note that as the certificate is self-signed, and does not have a matching Root Certificate from a Certification Authority, attempting to view the site under a secure heading from an external location will cause a certificate error. Self-signed certificates should only be used for testing and development, and under no circumstances should be substituted for a CA-approved SSL Certificate.
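The ‘Issued By’ check from Step 19 can also be scripted, so that a self-signed test certificate left on a server is noticed before the site goes live. The PowerShell below is an added example, not part of the original article or of the SSL Diagnostics Kit; it assumes the certificate sits in the local computer's Personal store, and the function name and both thresholds are illustrative choices. With the 2048-bit minimum assumed here, the 1024-bit key from the example command above would be reported as weak.

```powershell
# Added example (not from the original article): list certificates in the
# local computer's Personal store that are self-signed, weak, or near expiry.
$MinKeyBits = 2048   # assumption: report RSA/DSA keys shorter than this
$WarnDays   = 30     # assumption: report certificates expiring this soon

function Get-CertificateFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $findings = @()

    # A self-signed certificate names itself as issuer, which is what the
    # 'Issued By' field shows in Step 19. (Name comparison only; the
    # signature itself is not re-verified here.)
    if ($Certificate.Subject -eq $Certificate.Issuer) {
        $findings += 'self-signed'
    }

    # PublicKey.Key exposes KeySize for RSA/DSA keys and can throw for
    # other algorithms, in which case the key length is left unknown.
    $keyBits = $null
    try { $keyBits = $Certificate.PublicKey.Key.KeySize } catch { }
    if ($keyBits -and $keyBits -lt $MinKeyBits) {
        $findings += "weak key ($keyBits bits)"
    }

    # Whole days until NotAfter; negative means the certificate has expired.
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) { $findings += 'expired' }
    elseif ($daysLeft -lt $WarnDays) { $findings += "expires in $daysLeft days" }

    New-Object PSObject -Property @{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        KeyBits  = $keyBits
        NotAfter = $Certificate.NotAfter
        Findings = ($findings -join '; ')
    }
}

# Show only the certificates that have at least one finding.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Get-CertificateFinding -Certificate $_ } |
    Where-Object { $_.Findings } |
    Format-Table Subject, KeyBits, NotAfter, Findings -AutoSize
```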

If you have any questions regarding this process, or would like to request assistance, please don’t hesitate to contact our Technical Support Department, and they will be more than happy to assist you.
