For development purposes you sometimes need a TLS certificate that browsers and clients accept without a certificate validation error. One option is to buy a certificate from a public CA; another is to create your own. This guide shows how to create your own trusted root certificate authority (a self-signed CA certificate) on Windows and then issue server certificates from it with makecert.exe and pvk2pfx.exe. Note that the server certificate is not itself self-signed: it is signed by your root, and clients trust it because you install that root in their trust store.
Tools
The following tools are required:
- makecert.exe (creates the certificate and its private key)
- pvk2pfx.exe (packages a .pvk private key and a .cer certificate into a .pfx file)
Both ship with the Windows SDK and Visual Studio. Search the folders below; on 64-bit Windows the SDK tools are usually installed under “Program Files (x86)”, so search there as well.
- C:\Program Files\Microsoft SDKs\Windows\
- C:\Program Files\Microsoft Visual Studio 8\
- C:\Program Files\Microsoft Visual Studio 11.0\
- C:\Program Files\Windows Kits\
- C:\Program Files\Microsoft.NET\SDK\
- C:\Program Files (x86)\Microsoft Visual Studio 9.0\
- C:\Program Files (x86)\Microsoft Visual Studio 8\
Preparation
It’s a good idea to create a new folder, keep all generated files in it, and run the commands below from that folder. The .pvk and .pfx files contain private keys, so do not put this folder in a source repository or a shared location.
Root Certificate Authority
C:\DevCert> makecert.exe -r -n "CN=dev.root" -pe -sv dev.root.pvk -a sha1 -len 2048 -b 01/01/2014 -e 12/31/2200 -cy authority dev.root.cer
C:\DevCert> pvk2pfx.exe -pvk dev.root.pvk -spc dev.root.cer -pfx dev.root.pfx
You can change the certificate name and the valid-from / valid-to dates (-n “CN=dev.root”, -b 01/01/2014 and -e 12/31/2200 respectively) to whatever you like. -a sha1 selects the signature hash; if your makecert.exe accepts -a sha256 (Windows SDK 8 and later), use that instead, because current browsers reject SHA-1 signatures in a certificate chain even when the root is locally trusted.
You may be prompted to create a password. This is the password that protects the private key file.
These two commands produce three files (only the first is a certificate on its own):
- dev.root.cer (certificate)
- dev.root.pvk (private key)
- dev.root.pfx (certificate containing private key)
Install “dev.root.cer” into the certificate store of the Computer account, under the “Trusted Root Certification Authorities” folder. Keep in mind what this does: every certificate signed with dev.root.pvk is now trusted on that machine for any host name, so guard dev.root.pvk and dev.root.pfx like a production CA key and remove the root from the store when you no longer need it.
SSL Certificate
C:\DevCert> makecert.exe -iv dev.root.pvk -ic dev.root.cer -n "CN=dev.site" -pe -sv dev.site.pvk -a sha1 -len 2048 -b 01/01/2014 -e 12/31/2200 -sky exchange dev.site.cer -eku 1.3.6.1.5.5.7.3.1
C:\DevCert> pvk2pfx.exe -pvk dev.site.pvk -spc dev.site.cer -pfx dev.site.pfx
As with the root, you can change the certificate name and the valid-from / valid-to dates (-n “CN=dev.site”, -b 01/01/2014 and -e 12/31/2200 respectively) to whatever you like, and use -a sha256 if your makecert.exe supports it. -sky exchange and -eku 1.3.6.1.5.5.7.3.1 (Server Authentication) mark the certificate for use as a TLS server certificate; -iv and -ic point at the root’s private key and certificate so the new certificate is signed by dev.root.
You may be prompted to create a password. This is the password that protects the private key file.
These two commands produce three files:
- dev.site.cer (certificate)
- dev.site.pvk (private key)
- dev.site.pfx (certificate containing private key)
Wildcard Certificate
You can create a wildcard certificate by prepending “*.” (asterisk and dot) to the certificate name, for example:
C:\DevCert> makecert.exe -iv dev.root.pvk -ic dev.root.cer -n "CN=*.dev.site" -pe -sv w.dev.site.pvk -a sha1 -len 2048 -b 01/01/2014 -e 12/31/2200 -sky exchange w.dev.site.cer -eku 1.3.6.1.5.5.7.3.1
Installation
In the Certificates snap-in of the Management Console (mmc), for the Computer account:
- The root CA certificate “dev.root.cer” must be imported into the “Trusted Root Certification Authorities” folder.
- The regular (or wildcard) certificate “dev.site.pfx” must be imported into the “Personal” folder; you will be asked for the password you set when creating it. Import the .pfx rather than the .cer here, because the server needs the private key.
SSL / TLS Usage
To use a certificate as a TLS server certificate, the name in the certificate must match the host name of the site. For example, if the site has the host name “dev.site”, the certificate’s CN must also be “dev.site”. Be aware that this CN-only matching is legacy behaviour: current browsers (Chrome since version 58, for instance) ignore the CN and require the host name to appear in a Subject Alternative Name extension, which makecert.exe cannot add. If a certificate made with makecert fails host-name validation in a modern browser, that is why; the PowerShell cmdlet New-SelfSignedCertificate (-DnsName) or OpenSSL can produce a certificate with a SAN.
To use one wildcard certificate for several sites on the same IP address, the wildcard must be a valid host name pattern (i.e. *.dev.site) and each site must have a different host name under that domain (e.g. blog.dev.site and news.dev.site). A wildcard matches exactly one label: *.dev.site covers blog.dev.site but not dev.site itself and not a.b.dev.site, so include the bare name separately if you need it.
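The whole procedure (root CA, server certificate carrying both the plain and the wildcard name, export, trust, verification) as an added PowerShell example that is not from the original post. It uses the PKI module’s New-SelfSignedCertificate instead of makecert.exe and pvk2pfx.exe, because that cmdlet can add a Subject Alternative Name and sign with SHA-256. It assumes Windows 10 / Server 2016 or later in an elevated PowerShell session; the folder C:\DevCert, the ten-year and one-year validity periods and the prompted password are this example’s choices, not the page’s.

```powershell
# Added example: dev root CA -> issued server certificate -> trust store, using the
# PKI module instead of makecert.exe / pvk2pfx.exe. Assumes Windows 10 / Server 2016
# or later and an elevated session. C:\DevCert and the validity periods are placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$OutDir = 'C:\DevCert'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root CA: self-signed, critical basicConstraints CA=1 with pathlength 0 (it may
#    issue end-entity certificates only), key usage limited to signing, SHA-256.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=dev.root' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Server certificate signed by the dev root (-Signer). -DnsName fills the Subject
#    Alternative Name, which modern browsers require; the bare name and the wildcard
#    fit in one certificate. EKU 1.3.6.1.5.5.7.3.1 = Server Authentication.
$site = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=dev.site' `
    -DnsName 'dev.site', '*.dev.site' `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddDays(365) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export: the root's public certificate (.cer) for distribution to clients, and the
#    server certificate with its private key (.pfx) for the web server.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-Certificate    -Cert $root -FilePath "$OutDir\dev.root.cer" | Out-Null
Export-PfxCertificate -Cert $site -FilePath "$OutDir\dev.site.pfx" -Password $pfxPassword | Out-Null

# 4. Trust the root on this machine. Then take the root's private key out of the
#    machine store: a CA key left in LocalMachine\My can mint a trusted certificate
#    for any host name, so keep it in the password-protected PFX and offline.
Import-Certificate -FilePath "$OutDir\dev.root.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Export-PfxCertificate -Cert $root -FilePath "$OutDir\dev.root.pfx" -Password $pfxPassword | Out-Null
Remove-Item -Path "Cert:\LocalMachine\My\$($root.Thumbprint)" -DeleteKey

# 5. Check: the chain must build to the trusted root, the EKU must allow server
#    authentication, and the requested host name must match the SAN. The plain name
#    and a one-label subdomain match; a name outside the SAN does not.
Test-Certificate -Cert $site -Policy SSL -DNSName 'dev.site'
Test-Certificate -Cert $site -Policy SSL -DNSName 'blog.dev.site'
Test-Certificate -Cert $site -Policy SSL -DNSName 'dev.example'
```

The three Test-Certificate calls return a Boolean each; a False for dev.site or blog.dev.site means the root is not in the Trusted Root store or the SAN was not written. Bind dev.site.pfx to the site in IIS (or whichever server you use); dev.root.cer is the only file that needs to reach other developer machines, and it goes into their Trusted Root Certification Authorities store exactly as described above.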