How to setup a standalone CA and issue out a self signed certificate for your website | JQiT Blog


A publicly signed SSL certificate for a website, from a CA like GoDaddy or VeriSign, is easy and safe, but sometimes you just want to test a website in your lab or staging environment, or even save the money. In those cases, creating a self-signed SSL certificate makes more sense.

There are two ways to create a self-signed cert:

1. Create a self-signed cert that issues itself: this way is simple and easy, but please be aware that the certificate is issued by itself, so for security reasons this is not a best practice. You also have to load the certificate into the trusted root certificate authorities of every single device so that the device can trust it.

navigate to IIS


select the server certificates

create a self-signed certificate


fill in the friendly name and continue


Now you can see the certificate is listed in the IIS certificate manager


Bind this certificate to the IIS website you want


Select the https 443 site and edit it




2. Create a standalone CA (Certificate Authority) to issue the website certificate: this way makes more sense and is more secure. You use a CA to issue your website certificate, and every single device needs to load that root certificate into its trusted root certificate authorities to trust the website.

Note: since it’s a standalone CA, it won’t impact any of your existing domain or CA environment. If you’d like to create your own brand new 2-tier PKI hierarchy for your organization, you can refer to here

Open server manager, add “Active Directory Certificate Services” role


Role Services=Certificate Authority

Setup Type=Standalone

CA Type=Root CA

Private Key=Create a new private key

Cryptography=default value

CA Name








Now create a certificate request for your website


Fill in the information for that certificate. This name must exactly match the external website name

Fill in the necessary information and leave the “Cryptographic Service Provider Properties” at the default value

Save to CSR.txt

Start->Administrative Tool->Certificate Authority


Locate the CSR.txt you just created

Navigate to “Pending Requests”

Right click on the certificate->All Tasks->Issue

Switch to “Issued Certificates”

Right click on the certificate->All Tasks->Export Binary Data

Save Binary data to a file


Save to a .cer file, like SSL.cer

Switch back to IIS

Click on “Complete Certificate Request”


Select the SSL.cer you just created


Bind the SSL to the website


The PKI certificate format may help you easily understand the different certificate types

Actually, you can get your certificate automatically if you create a certificate template and configure certificate auto-enrollment


OK, now how to load the certificate into your root certificate authority?

For PC and Server:

click on the Start menu->Run->MMC

Click on the File->Add/Remove Snap-in


Select “Certificates”, click on the “Add” button

Select “Computer Account”->Next->Local Computer->Finish


Switch to the “Trusted Root Certification Authorities->Certificates”

Right click on the blank area->All Tasks->Import


Then browse to the website; there should be no certificate security warning anymore
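
A certificate placed in Trusted Root Certification Authorities is trusted for every certificate it signs, so it is worth checking the file before the import step above. The following PowerShell is an added example, not part of the original post: it imports the standalone CA's root certificate only when its thumbprint matches a value read from the CA server itself. The function name Import-VerifiedRootCertificate, the file name root.cer and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Import-VerifiedRootCertificate is a hypothetical helper name.
function Import-VerifiedRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $CerPath,            # e.g. the exported root.cer
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # read on the CA server itself
    )

    $path = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

    # Certificate dialogs show the (SHA-1) thumbprint with spaces; keep hex digits only.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # A root CA certificate is self-issued and carries Basic Constraints CA=TRUE.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate: issued by '$($cert.Issuer)'."
    }
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw 'Basic Constraints does not mark this certificate as a CA.'
    }

    # Refuse certificates that are not yet valid or already expired.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Skip the import when this exact certificate is already in the machine root store.
    $store = 'Cert:\LocalMachine\Root'
    if (Test-Path -LiteralPath "$store\$($cert.Thumbprint)") {
        Write-Output "Already trusted: $($cert.Subject)"
        return
    }
    Import-Certificate -FilePath $path -CertStoreLocation $store
}

# Usage (placeholder values):
# Import-VerifiedRootCertificate -CerPath .\root.cer -ExpectedThumbprint '<thumbprint shown on the CA server>'
```

The Basic Constraints check means the script is meant for the root certificate of the standalone CA from option 2.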

For Mobile Device:

1. Place the self-signed root.cer certificate into your website

Switch back to IIS->Application Pools->Add Application Pool


Name it “rootcert”


Right click on “Default Web Site”->Add Application

Alias=rootcert, Application pool=rootcert, Physical path=C:\inetpub\wwwroot





Select the “rootcert”->Handler Mapping

Delete the “SecurityCertificate”

Click on the “explore” button on the right side, then copy the root.cer into this folder

Navigate to “MIME Types” in IIS


Click on “Add” on the right side actions bar

File name extension=.cer

MIME type=file/download


Now you can load the root certificate into your mobile device by opening the URL: http:///rootcert/root.cer

The reason we change the MIME type and delete the “SecurityCertificate” handler mapping is that by default IIS recognizes .cer files, so it will never prompt you to download the .cer file