How to easily setup an SSL connection on a Windows Server using SelfSSL.exe (testing only)

Article:HOWTO3442  |  Created: 2006-05-04  |  Updated: 2010-02-01  |  Article URL http://www.symantec.com/docs/HOWTO3442
Article Type
How To



Question
How can I setup an SSL certificate on a Windows 2003 IIS server?

Answer

Microsoft* has provided a free utility called selfssl.exe that will install a certificate on a Windows server. This utility is part of the Microsoft's IIS Resource Kit and is available for free from www.microsoft.com.

Run this utility from a DOS prompt (after changing the extension to .EXE), as shown. The utility is part of Microsoft’s IIS Resource Kit available for free.

selfssl /T /V:1000

The ‘/T’ puts the certificate in the "Trusted Certificates" list. The /V:1000 sets the certificate expiration date 1000 days from the day you run this. A certificate will be created and added to your NS automatically.

Modify your IIS default Web page settings to use a secure channel. The addition of the certificate can be turned on and off at will. To modify the IIS setting, start IIS Manager, expand the local computer entry on the left-hand pane, expand Web sites, right-click on the default web site and select Properties. A new window will open. Select the Directory Security tab and click the Edit button in the Secure Communications section. Check Require secure channel (SSL). Select Ignore client certificates, since we don't have one. Click OK a couple of times and close IIS Manager.

To test the certificate, access your server name using http and https:

http://localhost
https://localhost

The HTTP URL should tell you that you need to use a secure connection. The HTTPS URL should return the default IIS Web page (under construction or something like that). Once you’re through testing, reset the ISS setting to remove the requirement for a secure channel and everything should work normally with a HTTP connection.

Note: This technique is not suitable for production NS usage.  Additionally, the Altiris Agent requires that the Certificate Authority (which doesn't exist with selfssl.exe) that generated the SSL certificate be a member of the Trusted Root Authorities on each managed computer. In order for a client machine running the Altiris Agent to successfully connect over SSL, export the certificate you created on the NS server and import it into the Trusted Root Certification Authorities store on each client by using the MMC certificates snap-in.


Legacy ID



22404


Article URL http://www.symantec.com/docs/HOWTO3442


Terms of use for this information are found in Legal Notices