Monday, February 25, 2008

Implementing a self-signed certificate

Being able to generate certificates is essential for testing various security scenarios such as running HTTP over SSL, message signing and/or encryption.

The .Net Framework SDK ships with a command line tool, makecert.exe, that can create a self-signed certificate. This certificate can then be used on a developer's workstation or a testing server.

Note: This should not be used for production purposes. You can buy certificates from various certificate authorities.

The following command can be used to create a self-signed SSL test certificate:

makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
To install this certificate in IIS (5.x, 6.0), open the IIS Management console:

  • Right-click on your site (e.g. Default site) and select Properties
  • Open the tab "Directory Security"
  • Click the "Server Certificate..." button, pass the first screen of the wizard
  • Choose "Assign an existing certificate"
  • Select the newly generated certificate from the list and click Next until the end of the wizard

SSL is now enabled in IIS!

Note: Older versions of makecert.exe do not support the "-pe" option, which makes the private key exportable. If you have an old version of makecert.exe, you can omit the "-pe" option, but then the certificate cannot be exported together with its private key.
The testing certificate above is also known as a self-signed certificate. Self-signed certificates are not "trusted" by your computer or browser, which maintains a list of trusted certification authorities.

A certificate issued by a trusted authority is a trusted certificate.

When using a testing certificate, you will get a security warning in your browser telling you that the certificate is not trusted. Moreover, if you force SSL on your VS.Net project, you may not be able to open it if it uses a testing certificate.

The only way to get around these issues is to add your testing certificate to the list of trusted authorities.

  • Open a command prompt and run the MS Management Console by typing mmc and pressing Enter
  • Click File and Add/Remove Snap-in
  • Click the Add button and choose Certificates
  • Choose "Computer Account"
  • Select the local computer
  • Open the Personal \ Certificates
  • Copy your testing certificate to Trusted Root Certification Authorities \ Certificates (Drag and Drop + Ctrl key)
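
A way to check what the makecert command and the trust step above actually produced, as an added example that is not from the original post. It uses PowerShell with the .NET certificate classes rather than makecert; the subject name is the one from the command above (replace it with the CN you used), and the PFX password is a placeholder.

```powershell
# Added example (not from the original post): verify the properties the makecert
# command sets, and show why the browser warns until the cert is in the Root store.
param([string]$SubjectCn = "www.yourserver.com")   # CN from the makecert command

$ns = "System.Security.Cryptography.X509Certificates"
$store = New-Object "$ns.X509Store"("My", "LocalMachine")   # -ss my -sr localMachine
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Subject -eq "CN=$SubjectCn" } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with subject CN=$SubjectCn in LocalMachine\My" }

# 1. -r: a self-signed certificate has the same name as issuer and subject
"Self-signed : " + ($cert.Subject -eq $cert.Issuer)

# 2. -eku 1.3.6.1.5.5.7.3.1: Server Authentication must be present for SSL
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
"Server Auth : " + [bool]$serverAuth

# 3. -pe: private key present and exportable (without -pe the PFX export throws)
"Private key : " + $cert.HasPrivateKey
try {
    $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, "placeholder-password")
    "Exportable  : True"
} catch { "Exportable  : False (created without -pe)" }

# 4. -b / -e: validity window
"Valid from  : $($cert.NotBefore)  until $($cert.NotAfter)"

# 5. Trust: build the chain the way the browser does. Until the certificate is
#    copied into Trusted Root Certification Authorities this reports UntrustedRoot.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Trusted     : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  reason    : $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

Run it once before and once after the drag-and-drop step to see "Trusted" change from False (UntrustedRoot) to True.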

UPDATE: IIS7 offers a new feature to create a self-signed certificate easily. The only issue is that you cannot set all the certificate properties.
