Terry : HTTPS for IIS

HTTPS for IIS (self signed certificates)

SelfSSL (IIS 6.0 Resource Kit)

SelfSSL is included in the IIS 6.0 Resource Kit. The tool has several command line options, but in general you will only need three. Let's take a look:

SelfSSL.exe /N:CN=secure.example.com /V:365 /S:2

This command creates a certificate for the host name secure.example.com (the /N switch), valid for 365 days (the /V switch), and installs it into the IIS site with ID 2 (the /S switch). Some things to keep in mind:

When using the /N switch, use only the FQDN of the site you are creating the certificate for, exactly as it will appear in the browser's address bar; the path is not part of the certificate. For instance, if your webmail is located at secure.example.com/webmail you would still just use secure.example.com with the /N switch. If the CN does not match the host name users type, browsers will warn on every visit, even after the certificate itself has been trusted.

Set the /V switch to the number of days the certificate should remain valid before you have to create a new one.

The /S switch specifies which site in IIS the certificate should be installed into. This is done using the site ID value, which you can obtain from IIS Manager (the Identifier column in the Web Sites list).

There is a catch with SelfSSL though. Unfortunately there is a long-standing bug in the program: each time you run it, only the site you have just targeted ends up with a working SSL certificate, so in effect only one website can have SSL at a time. There is a workaround though which I've had success with:

  1. Create the certificate for the first site.
  2. Export the certificate, including its private key, to a .pfx file (IIS Manager -> site properties -> Directory Security -> Server Certificate wizard).
  3. Create the certificate for the second site. The first site's certificate will no longer work.
  4. Repeat steps 2 and 3 for each subsequent site; once the last site is done, continue to step 5.
  5. Remove the certificate from the first site.
  6. Import the .pfx from step 2 using the same wizard, and do the same for any other site whose certificate stopped working.
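Because the bug silently breaks the certificate of whichever site you did not target last, it is worth checking what each site actually serves once the export/re-import dance is finished. The script below is an added example and not part of the original post: it opens a TLS connection to each host, reports the certificate served, whether it is self-signed, whether its CN matches the host name, and how many days remain. The host names and ports in `$sites` are assumptions; it assumes PowerShell 2.0 or later and can be run from any Windows machine that can reach the sites.

```powershell
# Added example (not from the original post): report the certificate each
# HTTPS site actually serves, so you can confirm the SelfSSL export/re-import
# workaround left every site with the right certificate.
# The host names and ports below are assumptions; replace them with your sites.
$sites = @(
    @{ Host = 'secure.example.com'; Port = 443 },
    @{ Host = 'portal.example.com'; Port = 443 }
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake: the point is to see
        # what is served, not to reject it. The checks are done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $cert = Get-ServedCertificate -HostName $HostName -Port $Port
    # A self-signed certificate is its own issuer.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    # The CN must equal the host name the browser uses (the value given to /N).
    $cnMatches = ($cert.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($HostName) + '(,|$)'))
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    New-Object PSObject -Property @{
        Host       = $HostName
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SelfSigned = $selfSigned
        CNMatches  = $cnMatches
        DaysLeft   = $daysLeft
    }
}

foreach ($s in $sites) {
    try {
        Test-ServedCertificate -HostName $s.Host -Port $s.Port
    } catch {
        # A site that lost its certificate to the SelfSSL bug shows up here:
        # the TLS handshake fails instead of returning a certificate.
        Write-Warning ("{0}:{1} - handshake failed: {2}" -f $s.Host, $s.Port, $_.Exception.Message)
    }
}
```

Run it once after each import in step 6; a site whose handshake fails, or whose CNMatches is False, still has work to do. The certificate is deliberately accepted unconditionally inside the handshake so that a self-signed certificate can be inspected at all; do not reuse that callback in production client code.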

Keep in mind that the .pfx files exported in step 2 contain each site's private key: protect them with a strong password and delete them once they have been imported. This method is still quite clunky and in all honesty I would suggest not even looking twice at SelfSSL if you are using IIS 6, as SSLDiag is a much better tool.

SSLDiag (IIS Diagnostics Toolkit)

SSLDiag is included in the IIS Diagnostics Toolkit and is the recommended replacement for SelfSSL for creating self-signed certificates, as it does not have the bug mentioned above.

SSLDiag.exe /s:1 /selfssl /n:CN=portal.au.oracle.com /v:365

With the exception of the /selfssl switch, which instructs SSLDiag to generate a self-signed certificate rather than only diagnose the existing SSL configuration, the switches are identical to SelfSSL's and are explained above.

There is also a small catch with SSLDiag. If you are using IIS 7, SSLDiag will not create the https binding for your site the way SelfSSL does. This is the only advantage SelfSSL has over SSLDiag as far as I can see, which in reality isn't sufficient in my view to justify using a known buggy tool. All you have to do when using SSLDiag is create the binding manually in IIS 7 Manager and select the correct certificate for it.

Whichever tool you use, remember that a self-signed certificate is not trusted by any client by default: browsers will warn until the certificate has been installed in the client's trusted root store, and until then users have no way to tell your certificate from one an attacker presents in its place. That makes self-signed certificates fine for test and internal sites, but anything facing the public should use a certificate issued by a CA.
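The manual binding step on IIS 7 can also be scripted. The following is an added example, not code from the original post or from SSLDiag: it finds the certificate SSLDiag created in the machine store by its CN, creates the https binding for the site if it is missing, and attaches the certificate to that binding. It assumes Windows Server 2008 R2 or later (where the WebAdministration PowerShell module ships with IIS), an elevated session, and the site name, host name and port shown in the variables.

```powershell
# Added example (not from the original post): create the https binding on
# IIS 7 and attach the self-signed certificate SSLDiag generated.
# Assumes Windows Server 2008 R2+ (WebAdministration module) and an
# elevated PowerShell session. Site name, host name and port are assumptions.
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumption: your IIS site name
$hostName = 'secure.example.com'    # must equal the CN passed to SSLDiag's /n: switch
$port     = 443

# Find the certificate by CN in the machine store IIS reads from.
# If several match (e.g. after re-running the tool), take the newest.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($hostName) + '(,|$)') } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with CN=$hostName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; IIS cannot serve with it" }

# Create the https binding only if the site does not already have one on this port.
$existing = Get-WebBinding -Name $siteName -Protocol https -Port $port
if (-not $existing) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}

# Attach the certificate. IIS 7 keys SSL bindings by IP!port (0.0.0.0 = all
# addresses); there is no SNI, so one certificate serves everything on that
# IP and port. Replace any certificate already bound there.
$sslPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
$cert | New-Item $sslPath | Out-Null

# Show the result so the binding and thumbprint can be confirmed at a glance.
Get-WebBinding -Name $siteName -Protocol https
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
```

The thumbprint printed at the end should match the certificate shown under Server Certificates in IIS Manager; if the script throws because no private key is present, the certificate was imported without its key and the site will not be able to complete a TLS handshake.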