Install a Self Signed Certificate on IIS 6.0

A recent development project at work required that we test our application using a Secure Sockets Layer Certificate on our Windows 2003 Server prior to releasing the application to external beta. Two other developers had taken a stab at installing a certificate on our development server and were not able to get it configured right. When I was asked to take a look at it I was eager to see if I could crack the problem. Since this was an internal development server that is not accessible to the internet, my thought was to simply use the SelfSSL tool provided in the IIS 6.0 Resource Kit. After my initial attempt to follow the standard steps to achieve this I still wasn’t able to browse to our application with HTTPS. It took a bit of looking around before I had the ‘doh!” moment. Here are the steps I followed.

1. Download and install Internet Information Services (IIS) 6.0 Resource Kit.
2. Open the SelfSSL tool. Go to your Start Menu > ALL Programs > IIS Resources > SelfSSL

1. The help information for each command is displayed in the windows command prompt for you. To add the certificate to “Trusted Certificates” add the /T. Use the /S command to declare the site ID of the website you wish to install the certificate for if not the default site. An example of what I typed at the prompt:

>SelfSSL.exe /T /N:CN=SRVR2K3W1 /V:730 S:1555204354

1. Press Enter.
2. The confirmation question will display.

“Do you want to replace the SSL settings for site 1555204354 (Y/N)?”

1. Type Y.
2. You will see the confirmation message.

“The self signed certificate was successfully assigned to site 1555204354.

At this point the certificate is installed on your IIS server. When I went through this same process on another server I was able to simply browse to the site using HTTPS://servername/ with no issues. However, this site would not come up over HTTPS.

I wanted to look at the Certificates installed on the machine to make sure the certificate did install correctly so I opened the Microsoft Management Console (MMC) by going to Start > Run and typing ‘mmc’ and clicking OK.

From here I needed to access the Certificates Snap-in. The following steps will open the Certificates MMC Snap-in.

1. From the MMC Click File > Add/Remove Snap-in…
2. Click the Add Button in the lower left corner.
3. Select ‘Certificates’ from the standalone add-in list.
4. Click the Add Button in the lower right.
5. Select the Computer Account radio button and Click Finish.
6. The default Local Computer radio button should be selected in the next dialog box, so click Finish again.
7. Click Close on the Add Standalone Snap-in window.
8. Click OK on the Add/Remove Snap-in window.

Now you can view the certificates installed on your server using the tree view. The certificate I installed existed under “Personal > Certificates” as well as under “Trusted Root Certificates > Certificates.” and everything with the certificate checked out.

Why couldn’t I still browse the site using HTTPS then?

I opened the Event View to see if there were any errors being logged from the system and I do have an Event ID: 1114

One of the IP/Port Combinations for site ‘1555204354’ has already been configured to be used by another program. The other program’s SSL configuration will be used.

I wasn’t aware of any other program’s that should be using port 443 on this server, and after running netstat from the command prompt was not able to view any program’s using port 443. The thing I thought to check next was the IP addressed assigned to the website in the IIS properties since I knew we typically just accept he (All Unassigned) default option when creating our websites.

1. Open the Internet Information Services Manager.
2. Right-click the website you installed IIS for and click Properties.
3. Click the Advanced Button.

1. In the Advanced Website Identification Window select the ‘Default’ row and click the Edit button to open the dialog box to change the options.

After changing the IP Address from (All Unassigned) to the IP for the server, close all dialog boxes.

Now I opened up my browser and typed HTTPS://servername and whala! It worked. I receive the Internet Explorer 8 Untrusted certificate warning, but that’s to be expected as this is a self signed certificate from an untrusted source. After clicking continue to the website I’m able to browse our application over SSL.

References:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/IIS/993a8a36-5761-448f-889e-9ae58d072c09.mspx

http://codeforeternity.com/blogs/technology/archive/2008/02/15/creating-self-signed-ssl-certificates-on-iis-6-0-and-windows-server-2003.aspx