Its fairly straight-forward, although tedious, to generate a
self-signed certificate using IIS although I'm not sure why you'd want
to... especially if you are planning on replacing it with a "real"
certificate later. Private certificates are useful for certain
applications, like protecting a corporate intranet, but they have a
number of limitations that prevent them from being used for the other
kinds of things that most people want to use SSL for. In particular,
you'll need to give everyone who you want to connect to your site a
copy of the certificate whether by e-mail or otherwise, which they
will then need to install into their browser before they can visit
your site. Obviously that is not practical if you intend your site to
be for public consumption. Even for testing purposes, it is much
easier just to purchase a certificate if you know that this is the
route you will eventually go. However, if you feel you have a use, and
you'd like to try it, I'm happy to give you a guide on what you need
to do to sign your own certificate.
First things first, you'll need to generate a Certificate Signing
Request. You can find the tool for generating a CSR for IIS under the
Internet Services Manager, which you will find in the Administrative
Tools folder on your start bar.
- From Internet Services Manager, select Default Website or the web
site you want to generate the certificate for, right click it and
select Properties.
- From the Properties dialog, select the Directory Security tab.
- Click the button that says Server Certificate. A wizard will appear.
Choose Create New Certificate and click Next.
- On the next screen, choose Prepare the Request Now and then click
Next.
- Follow the prompts on the next several pages to fill in your name,
domain name and other required information.
- After you fill in the required information, you will be prompted for
a file name to save the CSR to. Enter a file name and then complete
the wizard.
After you have generated the CSR, be sure to make a backup of the
private key. If you use this CSR to purchase a certificate, but you
lose the private key, you won't be able to use the certificate you
purchased so make sure you keep a copy somewhere safe.
To self-sign a certificate, you will either need makecert.exe, found
on the Platform SDK, or you will need to use Microsoft Certificate
Server. Microsoft recommends Certificate Server as the preferred
method. Assuming you already have Certificate Server installed, you
will need to complete the following steps:
- Open Internet Explorer and browse to http://servername/CertSrv, and
select Request a Certificate.
- Select Advanced Request and click Next.
- Choose Submit a Certificate Request Using a base64 encoded PKCS #10
file then click Next.
- Paste the entire contents of the CSR file--including the BEGIN and
END lines--into the Base64 Encoded Certificate Request box and click
Submit.
- Close your browser.
- On the Certificate Server computer, open the Certification Authority
MMC.
- Expand the tree underneath the server name, and choose Pending
Requests. Right-click your certificate, click All Tasks, and then
click Issue.
- Open your browser and browse to the certificate server again.
Choose Check on a Pending Certificate and click Next.
- Select your request, then click Next.
- Select DER encoded, then click the Download CA certificate link.
Save the certificate file to disk on your IIS server.
Once you've generated the test certificate, you'll need to install it
into your server in order to use it.
- Open Internet Information Services MMC, and again, right click on
the web site you wish to add the certificate to and click Properties.
- Select the Directory Security tab, then click Server Certificate.
This will open the wizard.
- Select Process the Pending Request and click Next.
- Enter the path and file name of the private certificate that you
created. Click Next until you finish the wizard.
- Click the Web Site tab, and make sure that the SSL Port text box is
set to 443 (or whatever alternate port you want SSL to run on) and
click OK.
That should get IIS up and running. After you've created your private
certificate, you will need to import it into Internet Explorer in
order to connect to your site using SSL:
- From the Tools menu, choose Internet Options
- Select the Content tab, then click the Certificate button.
From there, you will need to import the certificate. You may need to
import the certificate as a Trusted Root Certification Authority in
order for it to work properly.
As you guessed, a similar process is followed for systems running
Apache, with some variations depending on whether you're running
OpenSSL or mod_ssl components. Under OpenSSL, certificates can be
signed using the ca command. The complete process is rather lengthy,
but if you are interested, you can read more about one approach here:
Introducing SSL and Certificates using SSLeay
http://www.pseudonym.org/ssl/wwwj-index.html
I'm not 100% sure, but I do not believe that you can use the same CSR
to generate a private certificate and purchase a certificate. I
believe that you need to generate a new CSR. When you decide to
purchase a certificate, you should ask the service from whom you
purchase the certificate what you should do. They will be able to
advise you on the correct approach.
I hope this answers your question. If you need any further
clarification, do not hesitate to ask.
Good luck with your project,
-Spot
Generating a Certificate Signing Request (CSR) using IIS 5.x
http://certs.centurywebdesign.co.uk/support/csr_generation/iis5.html
Generating a Key Pair and CSR for Microsoft IIS 5.0
http://www.ssl.com/support/iis50.jsp
HOWTO: Set Up SSL Using IIS 5.0 and Certificate Server 2.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;299525
HOW TO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment by
Using Certificate Server 2.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;290625#4
Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and
Digital Certificates
http://msdn.microsoft.com/msdnmag/issues/01/04/SSL/default.aspx
How to use makecert.exe to create a self-signed test certificate
http://www.inventec.ch/chdh/notes/14.htm
Introducing SSL and Certificates using SSLeay
http://www.pseudonym.org/ssl/wwwj-index.html
Search Strategy:
certificate signing request iis
://www.google.com/search?q=certificate+signing+request+iis&hl=en&lr=&ie=ISO-8859-1
"private certificate" iis
://www.google.com/search?q=%22private+certificate%22+iis&hl=en&lr=&ie=UTF-8&start=10&sa=N |
Request for Answer Clarification by
xn1-ga
on
03 May 2003 10:55 PDT
Hi Spot,
Sorry, it's going to take a bit of time to go thru this. I can't get
certificate server to work. I can't locate my MSDN disks to reload
it. I downloaded makecert.exe but I'm still confused about all the
options and how to feed it my csr.txt file on the certificate signing
machine for the website hosting machine. It seems the private key
would be generated/issued after the signing and that 'test
certificate' would include it, so I'm a little confused about what you
said.
Also, for the test certificate, don't most browsers put up a warning
and permit you to use the untrusted key so why couldn't you use it for
the public?
And if I use makecert, what exported file would I distribute to others
in my 'intranet' group?
Ideally, I'd like to be a 'certificate authority' for all the
webservices in our intranet. I'd like to distribute 1 private
certificate and have all our ssl'd websites not come up with that
warning. Is there a way I can accomplish that with just makecert?
With all these diversions/interruptions, I'll proabably need another
week (at least) to figure all this out - to see if I can get the
signing and installations to work.
Thank you very much for the references and instructions already
provided.
|
Clarification of Answer by
spot_tippybuttons-ga
on
05 May 2003 21:10 PDT
Hi,
I apologize for taking so long in getting back with you. I was away
from home this
weekend and did not get back to my computer until now.
I'm going to try to break down your clarification request into
sections so that it's
a little more manageable, and so that I can explain things in an order
that should hopefully be easier to follow.
**********************************************************************
Q: "Also, for the test certificate, don't most browsers put up a
warning and permit you to use the untrusted key so why couldn't you
use it for the public?"
A: Yes, most current browsers do. I believe some of the information I
originally supplied you was somewhat out of date, and I apologize if
I've caused any unnecessary confusion. I've double checked my facts
with my brother, who writes SSL applications for a living, and this is
how it works:
- If your browser supports SSL 2.0 or greater, then you are correct:
you will get a warning and you can elect to accept the untrusted key
if you so choose. I believe (but I'm not sure) that the minimum
browser that will allow you to do this is IE 4.0. I do not know what
the corresponding version number is for Netscape\Mozilla or other
browsers.
- If your browser does NOT support SSL 2.0--or the user has a current
browser, but has disabled the newer SSL--then the site will be
completely inaccessible unless you distribute and install the key
directly into the browser.
- If you want to be accepted as a trusted root certificate authority
(and avoid the warning message), then again you must download and
install the certificate directly into the browser. (In IE, Internet
options -> Certificates -> Import)
So, in theory, yes... if your visitors don't mind the warning, and you
know that only people with newer browsers will be visiting your site,
then you could do that. However, there are still some risks involved
in doing that, which I'll explain.
When I said "public" site, I was making the following key assumption:
- Public sites primarily want SSL in order to engage in e-commerce.
A self-signed certificate is unacceptable to many people for
e-commerce and similar applications, and here's why:
SSL does three very important things:
1) Encrypts your data
2) Proves you are who you say you are
3) (optional) Can be used to restrict access to your site
Both self-signed (test) certificates and certificates signed by a
proper certificate authority (such as VeriSign) encrypt the data. For
some applications, encryption alone provides enough protection. For
example, in the case of the corporate intranet, your only concern may
be protecting the data that is served by the corporate server and
shielding it from prying eyes outside the company. If you had a public
site with a similar need (where only the data on the server is
important, and the data submitted by the client is unimportant) then a
self-signed certificate is sufficient.
However, if you self-sign your certificate, you automatically lose
benefit #2. Self-signed certificates are in effect unauthenticated...
they do not prove that you are who you say you are. This has several
implications. Most importantly, the client who is sending the data
cannot be sure who they are sending the data to. Obviously, for
applications like e-commerce, this is unacceptable to most people. The
user could be sending his or her credit card number to practically
anybody, with little or no way to verify that the recipient is even a
real business. On the other side of the coin, you may also be putting
yourself at greater risk of "website spoofing" or so-called "man in
the middle attacks". In this kind of attack, a third party redirects
traffic from your site by dns poisoning, hyperlink spoofing,
typosquatting or other similar means to their own fraudulent site...
that happens to look just like your legitimate site, thereby
encouraging users to enter sensitive information that they would
normally only provide to you. (Some such hacks in fact proxy the real
site through a middle man that collects the data as it passes by.)
While there are some browser exploits that allow even sites with
certificates signed by a certificate authority to be spoofed, by
signing your own certificates you make it even easier for a hacker to
execute this kind of fraud because they no longer need to fake a
certificate that appears as if it came from a trusted source... your
site is already established as "untrusted".
Beyond the technical considerations, there are business and legal
considerations to think about if you want to use a self-signed
certificate for a public site. First and foremost, most users are
timid about entering their credit card number online to begin with,
and an additional scary-looking dialog will scare a lot of them off.
Furthermore, if your site is hacked or impersonated and sensitive data
is exposed, you may be liable. I'm not saying that a self-signed
certificate will necessarily open you up to a lawsuit... but it
certainly could make things worse, as anything that furthers the
perception that your data handling practices are not up to snuff tends
to increase your potential liability when something goes wrong.
With all that in mind, I have a hard time recommending self-signed
certificates to people who want to use them for public sites except
for limited applications. Of course, you know your intended use best
and in the end the decision is entirely up to you.
Risks of Unauthenticated SSL Certificates
http://www.verisign.com/resources/gd/authentication/risks.html
How Secure Sockets Layer Works
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q245152
SSL Vulnerabilities
http://www.dsd.gov.au/talks/Auscert2002.pdf
Microsoft IE SSL Spoofing Vulnerability
http://www.safermag.com/html/safer37/alerts/55.html
**********************************************************************
Q: "Ideally, I'd like to be a 'certificate authority' for all the
webservices in our intranet. I'd like to distribute 1 private
certificate and have all our ssl'd websites not come up with that
warning. Is there a way I can accomplish that with just makecert?"
A: Yes, I believe you can. You should be able to create your
self-signed certificate and then use that certificate as a trusted
root to sign other certificates. Other certificates you create are
then chained to that first certificate. As long as that first
certificate has been installed as a trusted root in the browser, then
none of the certificates should cause a warning.
Incidentally, one of the Microsoft articles I referenced earlier had a
fantastic suggestion for distributing the trusted root certificate.
They suggested using the IEAK to build your own IE distribution with
the certificate already installed. I know a lot of companies like to
distribute customized versions of IE already, so if this is something
you are already doing or considering doing, you might want to look
into that as a convenience to your users.
**********************************************************************
Q: "I downloaded makecert.exe but I'm still confused about all the
options and how to feed it my csr.txt file on the certificate signing
machine for the website hosting machine."
A: Unfortunately, I have not used makecert myself, but from my reading
it appears that the options that would normally appear in your
certificate request are passed on the command line instead.
I found several posts where people have successfully used makecert to
make self-signed certificates, both for securing transactions and for
signing software.
This post describes closely what you seem to be after, although it is
targeted at using certificates to sign software instead of for
transmitting data. However, he uses the technique of creating a
self-signed trusted root certificate which he uses for signing all of
his other certificates:
"Re: Programmatically Set IE5 Security Options",
microsoft.public.scripting.vbscript
http://groups.google.com/groups?q=+makecert+self-signed+%22trusted+root%22+(ie+OR+%22internet+explorer%22)
&hl=en&lr=&ie=UTF-8&selm=O4ArA%24V4%24GA.254%40cppssbbsa04&rnum=1
This is the command line that the author used to make the trusted root
certificate:
makecert -r -sk "MYCOMPANY.ISB" -ss MYCOMPANY.ISB -sr Localmachine -$
commercial -n "CN=MYCOMPANY.ISB.SM" -m 12 MYCOMPANYISB.crt
A programmer overseas, which I believe I referenced before, suggests
using the following alternate command line (filling in your own
machine name, of course):
makecert -r -pe -n "CN=www.yourserver.com" -b 01.01.2000 -e 01.01.2099
-eku
1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky
exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
How to use makecert to create a self-signed test certificate that can
be used with IIS for SSL
http://www.inventec.ch/chdh/notes/14.htm
A different post suggested the following very similar syntax would
also work:
makecert -pe -n CN=mymachine -ss MY -sr localMachine -a sha1 -sky
exchange
-eku 1.3.6.1.5.5.7.3.1 -in "TestCA" -is MY -ir LocalMachine -sp
"Microsoft
RSA SChannel Cryptographic Provider" -sy 12 mymachine.cer
RE: How to get certificate made with makecert to work with IIS
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2002-07/2078.html
It seems that there are two critical flags that you will need to use
to get your certificate generated properly:
-r which indicates that the certificate is self-signed.
-pe which indicates that the certificate is exportable.
The best thing I can recommend is to read the documentation for
makecert. You can find the complete list of command-line options for
makecert in the MSDN at:
Certificate Creation Tool (Makecert.exe)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp
**********************************************************************
Q: "And if I use makecert, what exported file would I distribute to
others in my 'intranet' group?"
A: I believe what you need to do is install the certificate you
created with makecert to the trusted root certificates store on your
local machine. Once it is installed, export it without the private
key. The exported file *without* the private key is what you want to
distribute. The important part is that you distribute only your public
key and not your private key.
**********************************************************************
I hope this tells you what you need to know. SSL is a large topic and
technical topic. If you're interested in learning more, you may want
to consider getting some books from your local library. O'Reilly
publishes some very good books on SSL, as well as some excellent books
on server administration. If you're having difficulty with Certificate
Server, you might also try contacting Microsoft technical support to
get it working again. Certificate Server appears to be a significantly
easier route than makecert.
If you still considering getting a certificate signed by a trusted
authority down the road, you might also want to consider using a test
certificate generated by one of the certificate authorities in the
meantime... it would certainly be a lot less work than signing it
yourself. Many will provide limited-use or time-limited trial
certificates for free of charge.
Sincerely,
-Spot
|
Clarification of Answer by
spot_tippybuttons-ga
on
05 May 2003 21:17 PDT
Oh... one more thing you might find useful!
Since you mentioned you lost some of your MSDN disks, as long as you
have your registration\proof of purchase Microsoft will replace
them... often fairly inexpensively.The phone number at Microsoft for
ordering replacement media is (800) 759-5474. They are open standard
business hours, pacific time.
-Spot
|
Request for Answer Clarification by
xn1-ga
on
08 May 2003 11:02 PDT
(1) Is there a way to give makecert a certificate request file?
(2) What exactly is in the body of the certificate request file?
The options for makecert need more explanation than that provided in
"http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp"
I need to get to the bottom of this.
|
Request for Answer Clarification by
xn1-ga
on
08 May 2003 11:22 PDT
BTW when I tried that "makecert -r -pe -n "CN=www.yourserver.com" -b
01.01.2000 -e 01.01.2099
-eku
1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky
exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ",
I got an "Invalid input parameter for option -b.
Then when I removed the "-b" option, I got the same message for optin
-e.
I have no idea what the -eku option is (I mean what are the OIDs and
why are they even needed?).
Then when I removed the -e option, makecert gave me the error message:
"Error: Can't create the key of the subject ('<some long string of
numbers and dashes>') Failed"
This looks like another wild goose chase Microsoft intended for those
foolish enough to be interested. I don't see anything straightforward
about this except the theory.
|
Clarification of Answer by
spot_tippybuttons-ga
on
09 May 2003 19:20 PDT
I understand your frustration. I know this is complicated and there
are a lot of configuration-dependent options involved. However, just
to reassure you, I went through the process myself this afternoon to
make sure it really does work as advertised... and it does. I ended up
using the second command line I listed previously to do the job, with
some minor modifications so that I could create the certificate used
to sign other certificates that you wanted. I did this on a clean
install of Win2K with IIS 5.0, with a copy of makecert downloaded from
Microsoft so that everything I did should be 100% replicable. The
details are documented below.
Before you begin, I highly recommend that you read ALL the
documentation. I know there is a lot of it and some of it is very
technical, but it is very worthwhile reading. Every system
configuration is different, and only you will be able to determine the
choices that are best for your enterprise.
As before, I'm going to break down your clarification and answer each
separate question one at a time.
**********************************************************************
Q: "Is there a way to give makecert a certificate request file?"
A: As noted in my previous clarification, it does not appear to be
possible to feed makecert a certificate request file. You need to pass
the parameters that would normally go into a certificate request file
on the command line.
**********************************************************************
Q: "What exactly is in the body of the certificate request file?"
A: A certificate request file contains information about your business
or organization as well as your web server's public key. The file is
used by the certificate authority to fill in the information they need
to sign and generate the certificate.
Certificate Signing Request (CSR) FAQ
http://www.entrust.net/customer_support/csr_faq.htm
**********************************************************************
Q: "when I tried that makecert [...] I got an 'Invalid input
parameter' for option -b. I got the same message for option -e."
A: According to the documentation, -b "Specifies the start of the
validity period. Defaults to the certificate's creation date." and -e
"Specifies the end of the validity period. Defaults to 12/31/2039
11:59:59 GMT." In laymans terms:
-b = B egin date
-e = E nd date
In short, after the -b or -e, you need to type a date so the computer
knows how long the certificate is good for. I believe the reason you
had trouble with the -b option is that the date wasn't formatted as
the program was expecting (hence the "invalid input"). I think I
mentioned previously, but the command line I listed was recommended by
an overseas programmer; obviously the individual was using a date
format specific to his regional settings. If you are in the US (or
using the US version of the software) you will want to change the date
to look the way dates are traditionally written in the US. (ie.
01/01/2000 instead of 01.01.2000) If you are elsewhere in the world,
you will need to format the date in whatever way it is configured in
your system control panel.
**********************************************************************
Q: "I have no idea what the -eku option is (I mean what are the OIDs
and why are they even needed?)."
A: The documentation states that -eku "Inserts a list of
comma-separated, enhanced key usage object identifiers (OIDs) into the
certificate."
Enhanced key usage object identifiers tell the computer what the
certificate is good for, such as protecting a web site, encrypting
e-mails or signing software. OIDs prevent users from misusing a
certificate for any purpose other than what it was originally intended
for.
**********************************************************************
These are the steps I used to create the certificates--one to act as a
CA and sign other certificates, and second signed by the first and
used to secure the web site--using makecert only. I did not install or
use Certificate Server whatsoever.
"Slate" is the name of the server I used to test this. You will need
to substitute your own server name wherever the word "slate" appears.
On the SERVER:
I downloaded makecert from Microsoft at:
http://download.microsoft.com/download/platformsdk/Update/5.131.3617.0/NT45XP/EN-US/makecert.exe
From a command prompt, I ran makecert and made a self-signed "CA"
certificate:
makecert -r -pe -n "CN=slate-ca" -b 01/01/2000 -e 01/01/2099 -eku
1.3.6.1.5.5.7.3.1 -ss slate-ca.isb -sr localMachine -a sha1 -sky
exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
-sk "slate-ca.isb" slate-ca.crt
This command line is identical to the second command line I provided
you previously with two exceptions: the date is in US format as I live
in the US, and the key location has been moved from the "Personal"
certificates store to it's own store so it doesn't get mixed up.
I then double-clicked the file that was output (slate-ca.crt) and
installed the certificate.
Next I went to the Certificates snap-in of the MMC, and exported two
copies of the certificate: one with the private key for backup
purposes (slate-ca-backup.pfx), and a second without the private key
for distribution purposes (slate-ca-disto.cer). While I was there, I
went ahead and imported the distribution copy (slate-ca-disto.cer)
into the Trusted Roots store on the server so that the server would
recognize itself. As noted previously, it's very important to keep a
backup copy of the certificate with the private key because if you
lose the private key (hard drive failure or whatnot), you won't be
able to use the certificate later even if you reinstall it.
Now that I had my "ca" certificate, I used it to sign a second
certificate:
makecert -pe -n "CN=slate" -b 01/01/2000 -e 01/01/2099 -eku
1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky exchange -sp
"Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ic
slate-ca.crt -is slate-ca.isb slate.crt
I double-clicked the file (slate.crt) to install the second
certificate.
Then I went to Directory Security tab of the web site properties in
Internet Services Manager and opened the Certificate wizard by
clicking the Server Certificate button (see my original answer above
if you need a refresher on how to do this). I chose Assign an Existing
Certificate and picked the certificate I just made from the list. I
clicked OK, made sure SSL was set to the correct port and restarted
IIS.
ON MY DESKTOP:
I opened my browser (Internet Explorer 5.0) and pointed it at the
server. (https://slate/ ...don't forget the "s" in https) The page
loaded correctly and I got the "do you want to trust this certificate"
prompt as expected. I then closed my browser.
I copied the certificate intended for distribution
(slate-ca-disto.cer) onto my desktop computer. I double-clicked the
certificate in Windows Explorer and chose Install.
I then restarted my browser and pointed it at the server again. This
time, the page came up with no prompt and the lock lit, precisely as
expected.
**********************************************************************
I believe this answers your question, as well as your additional
questions regarding special configurations such as building your own
certificate chain. At this point, I feel that we are starting to drift
outside the scope of the original question, so if you have additional
questions you should post them separately.
I strongly recommend you read all of the documentation I've provided,
as I'm sure it will help you greatly. If you continue to find makecert
too difficult, you should strongly reconsider the Certificate Server
method as it is significantly easier.
Again, good luck with your endeavor!
Best wishes,
-Spot
|
,
0 Comments
)