How to setup a standalone CA and issue out a self signed certificate for your website | JQiT Blog

A publicly signed SSL certificate for a website, from a provider like GoDaddy or VeriSign, is easy and safe. But sometimes you just want to test a website in your lab or staging environment, or simply save the money, and then creating a self-signed SSL certificate makes more sense.

There are two ways to create a self-signed cert:

1. Create a self-signed cert that issues itself: This way is simple and easy, but please be aware that the certificate is issued by itself, so for security reasons this is not the best-practice way. You also have to load the certificate into the root certificate authority store of every single device so that the device can trust it.

Navigate to IIS

Select “Server Certificates”

Create a self-signed certificate

Fill in the friendly name and continue

Now you can see the certificate is listed in the IIS certificate manager

Bind this certificate to the IIS website you want

Select the https 443 site and edit it

Done

2. Create a standalone CA (Certificate Authority) to issue the website certificate: This way makes more sense and is more secure. You use a CA to issue your website certificate, and every single device needs to load that root certificate into its root certificate authority store to trust the website.

Note: since it’s a standalone CA, it won’t impact any of your existing domain or CA environment. If you’d like to create your own brand new 2-tier PKI hierarchy for your organization, you can refer to here

Open Server Manager and add the “Active Directory Certificate Services” role

Role Services=Certification Authority

Setup Type=Standalone

CA Type=Root CA

Private Key=Create a new private key

Cryptography=default value

CA Name

Now create a certificate request for your website

Fill in the information for that certificate. The name must exactly match the external website name

Fill in the necessary information and leave the “Cryptographic Service Provider Properties” at the default value

Save to CSR.txt

Start->Administrative Tools->Certification Authority

Locate the CSR.txt you just created

Navigate to “Pending Requests”

Right-click on the certificate->All Tasks->Issue

Switch to “Issued Certificates”

Right-click on the certificate->All Tasks->Export Binary Data

Save Binary data to a file

Save to a .cer file, like SSL.cer

Switch back to IIS

Click on “Complete Certificate Request”

Select the SSL.cer you just created

Bind the SSL certificate to the website

Done

The PKI certificate format may help you easily understand the different certificate types

Actually, you can get your certificate automatically if you create a certificate template and configure certificate auto-enrollment

OK, now how do you load the certificate into your root certificate authority store?

For PC and Server:

Click on the Start menu->Run->MMC

Click on File->Add/Remove Snap-in

Select “Certificates”, click on the “Add” button

Select “Computer Account”->Next->Local Computer->Finish

Switch to “Trusted Root Certification Authorities->Certificates”

Right-click on the blank area->All Tasks->Import

Then browse the website; there should be no certificate security warning anymore
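
A scripted equivalent of the MMC import above, as an added example that is not from the original post: it checks the root certificate's thumbprint against the value read on the CA server before importing, then confirms that the website certificate chains to that root. The file paths, the thumbprint placeholder and the choice to skip revocation checking are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Assumptions: both file paths, and the thumbprint placeholder, which you replace
# with the value shown for the root certificate on the CA server itself.
$RootCertPath       = 'C:\Temp\root.cer'
$SiteCertPath       = 'C:\Temp\SSL.cer'
$ExpectedThumbprint = '<ROOT-CA-THUMBPRINT-FROM-CA-SERVER>'

$X509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$X509.X509Certificate2" -ArgumentList $RootCertPath

# A root CA certificate is self-issued: subject and issuer are the same name.
if ($root.Subject -ne $root.Issuer) {
    throw "Not a root certificate: issued by '$($root.Issuer)'"
}

# Compare against the thumbprint obtained out of band before trusting the file.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($root.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($root.Thumbprint)"
}

# Same result as the MMC import into Trusted Root Certification Authorities.
Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the website certificate now chains to the root that was just imported.
$site  = New-Object "$X509.X509Certificate2" -ArgumentList $SiteCertPath
$chain = New-Object "$X509.X509Chain"
# Assumption: this machine cannot reach the standalone CA's CRL location,
# so revocation checking is skipped for this one test.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($site)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) {
        throw "Chain ends at a different root: '$($top.Subject)'"
    }
    "OK: '$($site.Subject)' chains to '$($top.Subject)'"
} else {
    # Print each reason the chain failed to validate.
    $chain.ChainStatus | ForEach-Object { "FAIL: $($_.Status) $($_.StatusInformation.Trim())" }
}
```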

For Mobile Device:

1. Place the self-signed root.cer certificate into your website

Switch back to IIS->Application Pools->Add Application Pool

Name it “rootcert”

Right-click on “Default Web Site”->Add Application

Alias=rootcert, Application pool=rootcert, Physical path=C:\inetpub\wwwroot

Select “rootcert”->Handler Mappings

Delete the “SecurityCertificate” mapping

Click on the “Explore” button on the right side and copy root.cer into this folder

Navigate to “MIME Types” in IIS

Click on “Add” in the Actions bar on the right side

File name extension=.cer

MIME type=file/download

Now you can load the root certificate into your mobile device by opening the URL: http:///rootcert/root.cer

The reason why we change the MIME type and delete the “SecurityCertificate” mapping is that by default IIS recognizes .cer files, so it will never prompt you to download the .cer file