4 steps to create free SSL certificate for development
Introduction and Goal
Step 1 :- Locate makecert.exe
Step 2:- Create the certificate
Step 3 :- Assign the certificate to the site
Step 4:- Test the site
Step 5 :- Find a nice restaurant
SSL diagnostic tool
There are times where we would like to have SSL enabled in our development environment. SSL certificates needs to be bought from places like Thawte, Verisign, GeoTrust etc. Typical cost of SSL certificate is shown below.
Once every 12 months
This means you also need to buy SSL certificate for your development server. This cost can double if you also setup of development and testing environment. So this article will save you 100$ atleast . Microsoft has provided ‘makecert.exe’ tool which helps us to create test certificates for our development environment.
Now a days I am distributing my 400 questions and answers eBook which covers major .NET related topics like WCF,WPF,WWF,Ajax,Core .NET,SQL Server,Architecture and lot lot more. I am sure you will enjoy this eBook.
The first thing is to locate makecert.exe. You can get the same from “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin” or you can also get it from windows SDK.
Let’s run through what is “makecert.exe” and the explanation of different parameters. I admit this section I have shamelessly copied from http://msdn.microsoft.com/en-us/library/dd434713.aspx
MakeCert (Makecert.exe) is a command-line tool that creates an X.509 certificate that is signed by a system test root key or by another specified key. The certificate binds a certificate name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both.
Below is a detail list of how to use make cert
MakeCert [/b DateStart] [/e DateEnd] [/m nMonths] [/n "Name"] [/pe] [/r] [/sc SubjectCertFile] [/sk SubjectKey] [/sr SubjectCertStoreLocation] [/ss SubjectCertStoreName] [/sv SubjectKeyFile] OutputFilePartial list of switches and arguments
Specifies the start date when the certificate first becomes valid. The format of DateStart is
If the /b switch is not specified, the default start date is the date when the certificate is created.
Specifies the end date when the certificate’s validity period ends. The format of DateEnd is
If the /e switch is not specified, the default end date is 12/31/2039.
Specifies the number of months starting from the start date during which the certificate will remain valid.
Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format.
If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium".
Configures MakeCert to make the private key that is associated with the certificate exportable.
Configures MakeCert to create a self-signed root certificate./sc SubjectCertFile
Specifies the subject's certificate file name along with the existing subject public key that is used.
Specifies the name of the subject's key container that holds the private key. If a key container does not exist, a new key container is created. If neither /sk nor /sv switch is entered, a default key container is created and used by default.
Specifies the registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:
Specifies the registry location HKEY_CURRENT_USER.
Specifies the registry location HKEY_LOCAL_MACHINE.
If the /r switch is not specified along with the /s switch, currentUser is the default.
Specifies the name of the certificate store where the generated certificate is saved.
Specifies the name of the subject's .pvk file that holds the private key. If neither /sk nor /sv switch is entered, a default key container is created and used by default.
The name of the file in which the generated certificate is saved.
The second step is to create the certificate. You can type the below thing through your dos prompt on “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin”. Please note “compaq-jzp37md0” is the server name so you need to replace with your PC name.
makecert -r -pe -n "CN= compaq-jzp37md0 " -b 01/01/2000 -e 01/01/2050 -eku 220.127.116.11.18.104.22.168.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
If you run the same through your command prompt you should get a succeeded message as shown below.
Now it’s time to assign this certificate to your IIS website. So go to IIS properties , click on directory security tab and you should see server certificate tab.
So click on the server certificate tab and you will then be walked through a IIS certificate wizard. Click ‘Assign a existing certificate’ from the wizard.
You can see a list of certificates. The “compaq-jzp37md0” certificate is the one which we just created using ‘makecert.exe’.
Now try to test the site without ‘https’ and you will get an error as shown below….That means your certificate is working.
Now that you have saved 100$ find a nice restaurant to burn it…
There is a other easy way also using the SSL diagnostic tool. Download this tool from http://www.microsoft.com/downloads/details.aspx?familyid=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en and create new cert on the IIS application with just a click as shown below.
Image courtesy :- http://pranas.net/Tutorials/ssl/SSLDiagnostics.htm