Q: Self-Signed Certificates for IIS ( No Answer,   4 Comments )
Question  
Subject: Self-Signed Certificates for IIS
Category: Computers > Security
Asked by: levsen-ga
List Price: $15.00
Posted: 14 Jun 2002 14:26 PDT
Expires: 15 Jun 2002 09:35 PDT
Question ID: 26084
Does anyone know how I can create a no-cost server certificate for IIS
(version 5.1) myself, using OpenSSL or something similar? I really
don't need a $1000 certificate from VeriSign or one of the other
crooks. I am not running a public server, I just want to use SSL to
keep my ISP from listening into my traffic and I know all my clients
(in the technical as well as the business sense), so I can just pass
the certificate around by floppy disk and people manually install it
in their Internet Explorers.

The stupid thing is I already managed to do it once by futzing around
with OpenSSL, I just can't reproduce it anymore. I remember that IIS
won't accept a self-signed certificate, so I'd have to create my own
root certificate first and then a second certificate for the server
and then sign the latter with the first.

Please give me complete instructions such as "type this and that" and
"then copy that file there" etc. Use a fictional servername like
"demo.com". I have an understanding of the concepts of RSA,
certificates and signatures but not the details such as file formats
and the tools involved, and I don't care.
Answer
There is no answer at this time.

Comments
Subject: Re: Self-Signed Certificates for IIS
From: poormattie-ga on 14 Jun 2002 17:25 PDT
 
I ran out of time to write this up, so someone gets a freebie. Here are
some good instructions for starters:

http://groups.google.com/groups?hl=en&lr=&safe=off&selm=9fm2on%242fh%241%40FreeBSD.csie.NCTU.edu.tw

I followed them step by step, and they are quite helpful so far.
Putting them in terms levsen wants ("type this and that") is mostly
what would need to be done.

Best of luck!
Subject: Re: Self-Signed Certificates for IIS
From: adamc-ga on 15 Jun 2002 01:26 PDT
 
If you're running Windows 2000 Server (which presumably you are if
you're running IIS 5), then you can install MS Certificate Services,
which will allow you to create your own certificates.

If Certificate Services is not already installed, go to Control Panel,
Add/Remove Programs, Add/Remove Windows Components, and select
Certificate Services (you'll need all its subcomponents).

This is how you start...   I'll let a Google researcher answer the
rest of the question in detail, but the only steps left are to create
a certificate and then set it up in IIS.
Subject: Re: Self-Signed Certificates for IIS
From: paco-ga on 15 Jun 2002 09:01 PDT
 
Most openssl distributions include CA.sh and CA.pl scripts.  They're
effectively the same thing, one in bourne shell, one in perl.  If you
don't have them, you can find them at:
http://web.mit.edu/crypto/share/openssl/misc/

If you have those scripts, it's a 3 step process that's really easy.
First: set up your dummy CA:
CA.sh -newca

Second: create a certificate signing request (CSR):
CA.sh -newreq

Last: sign the CSR with the CA:
CA.sh -sign

The certificate you'll have will have a private key that is password
protected.  You probably don't want that. The private key will be in
the newreq.pem file. Run this command to get rid of the password
protection:
openssl rsa -in newreq.pem -out private.key
Now you have an unencrypted private key in the file named
"private.key"

Your CA certificate (which you'll want IIS and your web browser to
trust) will be in the demoCA directory under cacert.pem.

Here's another description of how to do all this:
http://www.octaldream.com/~scottm/talks/ssl/opensslca.html

The search terms I used to find that page were: openssl CA.sh

Regards,
Paco
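
The three steps in the comment above (own root CA, server request, CA-signed server certificate, then the passphrase strip), as an added example that is not part of the original thread. It calls openssl directly with `x509 -req` instead of the CA.sh scripts; the file names other than cacert.pem and private.key, the subject names, the passphrase and the subjectAltName line are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: root CA -> CSR -> signed server cert -> unencrypted key.
# Subjects, passphrase and most file names are constructed for this demo.
PASS='constructed-demo-passphrase'

build_demo_pki() (
    # Subshell body: umask and cd do not leak into the caller.
    umask 077                      # key files readable by the owner only
    cd "$1" || exit 1
    # 1. Root CA: key plus self-signed certificate (the file clients import).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Demo Root CA' -keyout ca.key -out cacert.pem 2>/dev/null || exit 1
    # 2. Passphrase-protected server key and a CSR for demo.com.
    openssl req -new -newkey rsa:2048 -passout "pass:$PASS" \
        -subj '/CN=demo.com' -keyout server.key.enc -out server.csr 2>/dev/null || exit 1
    # 3. Sign the CSR with the CA. The SAN is an addition beyond the thread;
    #    current browsers match host names against it rather than the CN.
    printf 'subjectAltName=DNS:demo.com\n' > san.ext
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey ca.key \
        -CAcreateserial -days 365 -extfile san.ext -out server.crt 2>/dev/null || exit 1
    # 4. Remove the passphrase, as in the comment, so the server can load the key.
    openssl rsa -in server.key.enc -passin "pass:$PASS" -out private.key 2>/dev/null
)

# Succeeds only if server.crt chains to the demo root.
chain_verifies() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" >/dev/null 2>&1
}

# Succeeds only if private.key belongs to server.crt (same RSA modulus).
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1/server.crt" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$1/private.key" -noout -modulus 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

work=$(mktemp -d)
if build_demo_pki "$work" && chain_verifies "$work" && key_matches_cert "$work"; then
    echo "demo.com certificate chains to cacert.pem and matches private.key ($work)"
fi
```

Only cacert.pem is handed to clients; ca.key and the unencrypted private.key stay on machines you control.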
Subject: Re: Self-Signed Certificates for IIS
From: levsen-ga on 15 Jun 2002 09:35 PDT
 
Ok this is cool. People have been very helpful with their comments.
Everything works now beautifully. (Some of the comments are not
visible anymore.) Thank you very much for your help. I am closing this
question now.
