Here's my situation:
I'm trying to create an SSL certificate that will be installed on all developers' machines, along with two internal servers (everything is non-production).
What do I need to do to create a certificate that can be installed in all of these places?
Right now I've got something along these lines, using the makecert application in Microsoft Visual Studio 8\SDK\v2.0\Bin:
makecert -r -pe -n "CN=MySite.com Dev" -b 01/01/2000 -e 01/01/2033 -eku 1.3.6.1.5.5.7.3.1 -ss Root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mycert.cer
However, I'm not sure how to place this .cer file on the other computers, and when I install it in IIS on my local machine, every time I visit a page via https: I get the security prompt (even after I've installed the certificate). Has anyone done this before?
-
Here are my scripts for doing this:
Create Certificate Authority
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-a sha1), for signing (-sky signature). The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
Create Server Certificate
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is its key (-iv). Use a particular crypto provider (-sp, -sy). Then bundle the key and certificate into a PFX with pvk2pfx.
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snap-in, or the certutil command-line utility.
To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.
John : Here's where I'm stuck: How do you install the .PFX file in IIS?
John : I should qualify that: I can get it to work if I go into the certificate snap-in and import it to the personal folder... but is there a way to do that without going through that process? When I just double click on it and try that, it doesn't actually put the certificate in the folder.
Dscoduc : I got tired of writing out the command syntax and wrote a wrapper to simplify the effort. Have a glance here: http://www.dscoduc.com/post/2008/12/19/Certificate-Generation-Made-Easy.aspx
Tigran : I'm following these steps and am able to create the pfx file, however when I try to import the pfx file into IIS7 it says "The specified network password is not correct." Do you know how I can get it to import? Thanks
Tigran : Followup: I just didn't enter anything for password and it imported it.
Chris S : @dscoduc nice tool, for Win7 it needs masty's argument (-cy authority)
Chris S : **For IIS7** this is as easy as going to the IIS MMC -> server certificates -> right click -> create self signed certificate. Then add it to your site bindings.
-
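The answer above lists the makecert, pvk2pfx and certutil steps separately and leaves the IIS import to the comments. The following PowerShell script is an added example, not code from the original answer or from any of the commenters: it runs those steps end to end, imports the PFX into the machine Personal store (the store IIS binds from) with certutil, and then checks the two things that keep producing browser warnings, namely whether server.cer chains to a trusted root and whether its subject name matches the host. The FQDN and PFX password are placeholders, and makecert.exe/pvk2pfx.exe are assumed to be on PATH (they ship in the SDK bin directory the question mentions).

```powershell
# Added example (PowerShell); not from the original answer. Strings the answer's
# makecert / pvk2pfx / certutil steps together and verifies the result.
# Assumptions: makecert.exe and pvk2pfx.exe are on PATH, the script runs in an
# elevated prompt on the server, and the two values below are placeholders.
$ServerFqdn  = 'devserver.internal.example'   # assumed placeholder FQDN
$PfxPassword = 'dev-only-password'            # assumed placeholder; dev use only

function Invoke-Tool {
    # Run an external tool and stop on a non-zero exit code instead of silently continuing.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Root CA: self-signed (-r), exportable key (-pe), SHA1 (-a sha1), signing key
#    (-sky signature), flagged as a CA (-cy authority), private key saved to CA.pvk (-sv).
Invoke-Tool makecert @('-r','-pe','-n','CN=My Root Authority','-ss','CA','-sr','CurrentUser',
    '-a','sha1','-sky','signature','-cy','authority','-sv','CA.pvk','CA.cer')

# 2. Server certificate issued by that CA (-ic/-iv), key-exchange key, Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1), subject CN set to the server's FQDN.
Invoke-Tool makecert @('-pe','-n',"CN=$ServerFqdn",'-a','sha1','-sky','exchange',
    '-eku','1.3.6.1.5.5.7.3.1','-ic','CA.cer','-iv','CA.pvk',
    '-sp','Microsoft RSA SChannel Cryptographic Provider','-sy','12',
    '-sv','server.pvk','server.cer')

# 3. Bundle key and certificate into a PFX. -po sets a password; without it the PFX
#    has a blank password, which is why the commenter had to leave the field empty.
Invoke-Tool pvk2pfx @('-pvk','server.pvk','-spc','server.cer','-pfx','server.pfx','-po',$PfxPassword)

# 4. Trust the CA machine-wide (LocalMachine\Root). Run this on every developer
#    machine and on both servers, or push CA.cer with Group Policy as the answer suggests.
Invoke-Tool certutil @('-addstore','-f','Root','CA.cer')

# 5. On the IIS server only: import the PFX (certificate plus private key) into the
#    machine Personal store, the default target of -importPFX, so IIS can bind it.
Invoke-Tool certutil @('-f','-p',$PfxPassword,'-importPFX','server.pfx')

function Test-ServerCertificate {
    # Build the chain the way Windows will: it must end at a trusted root, and the
    # subject name must match the host you browse to, or clients still get a warning.
    param([string]$CerPath, [string]$ExpectedHost)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # makecert certificates carry no CRL distribution point, so skip revocation checking.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($dnsName -eq $ExpectedHost)
    if (-not $nameOk) { Write-Warning "Subject name '$dnsName' does not match '$ExpectedHost'" }
    return ($trusted -and $nameOk)
}

if (Test-ServerCertificate -CerPath 'server.cer' -ExpectedHost $ServerFqdn) {
    'server.cer chains to a trusted root and matches the host name'
} else {
    'server.cer will still trigger a browser warning; see the warnings above'
}
```

Steps 1 to 3 only need to run once, on whichever machine generates the certificates; step 4 is the line to repeat on every client, and step 5 only belongs on the IIS server. The Test-ServerCertificate check is worth running on a developer machine after step 4 as well, because a chain that builds on the server but not on the client is exactly the "installed it but still get the prompt" symptom from the question.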
You should add -cy authority to the switches when creating the cert authority, otherwise some cert stores won't see it as a proper CA.
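What -cy authority changes in the issued file is the Basic Constraints extension, which is what stores consult to decide whether a certificate may issue others. The function below is an added example, not code from the answer, that reads that extension from a .cer file so you can confirm a generated CA.cer before distributing it; the path is a placeholder.

```powershell
# Added example (PowerShell); not from the original answer. Reports whether a .cer
# file carries Basic Constraints with CA=TRUE, which is what -cy authority produces.
function Test-IsCaCertificate {
    param([string]$CerPath)   # placeholder path to the CA certificate file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc) {
        # No Basic Constraints at all: stores treat this as an end-entity certificate.
        Write-Warning "$CerPath has no Basic Constraints extension (created without -cy authority?)"
        return $false
    }
    if ($bc.HasPathLengthConstraint) {
        "Path length constraint: $($bc.PathLengthConstraint)"
    }
    return [bool]$bc.CertificateAuthority
}

if (Test-IsCaCertificate -CerPath 'CA.cer') {
    'CA.cer is marked CA=TRUE; certificate stores will treat it as an issuing authority'
} else {
    'CA.cer is not a CA certificate; regenerate it with -cy authority'
}
```

The same information is visible in the text output of `certutil -dump CA.cer`, under the Basic Constraints extension; the function just makes the check scriptable so it can run before CA.cer is pushed to the developer machines.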