Self signed certificates can be used on an intranet. When clients only have to go through a local
intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
Self signed certificates can be used on an IIS development server. There is no need to spend
extra cash buying a trusted certificate when you are just developing or testing an application.
Self signed certificates can be used on personal sites with few visitors. If you have a small
personal site that transfers non-critical information, there is very little incentive for someone to attack
the connection.
Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to
an IIS site that uses a self signed certificate until it is permanently stored in their certificate store. Never
use a self signed certificate on an e-commerce site or any site that transfers valuable personal
information like credit cards, social security numbers, etc.
1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services
(IIS) Manager.
www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html 1/12
12/17/13 How to Create a Self Signed Certificate in IIS 7
2. Click on the name of the server in the Connections column on the left. Double-click on Server
Certificates.
5. You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The
certificate common name (Issued To) is the server name. Now we just need to bind the Self signed
certificate to the IIS site.
3. Change the Type to https and then select the SSL certificate that you just installed. Click OK.
4. You will now see the binding for port 443 listed. Click Close.
5. Now let's test the IIS self signed certificate by going to the site with https in our browser (e.g.
https://site1.mydomain.com). When you do, you should see the following warning stating that "The
security certificate presented by this website was issued for a different website's address" (a name
mismatch error).
This is displayed because IIS always uses the server's name (in this case WIN-PABODPHV6W3) as the
common name when it creates a self signed certificate. This typically doesn't match the hostname
that you use to access the site in your browser (site1.mydomain.com). For many situations where IIS
self signed certificates are used, this isn't a problem. Just click "Continue to this web site" each time.
However, if you want to completely get rid of the error messages, you'll need to follow the next two
steps below.
1. Download the Internet Information Services (IIS) 6.0 Resource Kit Tools and install SelfSSL 1.0 (if you
do a Custom install you can uncheck everything except for SelfSSL). Once it is installed, click on the
Start menu, go to IIS Resources, then SelfSSL, and run SelfSSL.
2. Paste in the following command and replace site1.mydomain.com with the hostname of your IIS site. If
you receive the error "Error opening metabase: 0x80040154", just ignore it. We will be manually binding
the certificate to the website.
SelfSSL /N:CN=site1.mydomain.com /V:1000
3. After the command is finished, you will have an IIS self signed certificate with the correct common
name listed in the Server Certificates section of IIS. Now follow the instructions above to bind the
certificate to your IIS website.
4. After you have bound the new certificate to your IIS site, visit it with https in your web browser and
you will encounter another error: "The security certificate presented by this website was not issued
by a trusted certificate authority." (the SSL Certificate Not Trusted error)
Don't worry; this is the last error we will need to fix. This is a normal error for self signed certificates
because the certificate is signed by itself instead of a trusted SSL provider. All visitors to the site will
see that error unless they import the self-signed certificate into their Trusted Root Certification
Authorities store (or the appropriate SSL certificate store for the browser they are using). You can
easily add the IIS self signed certificate to the store on the server by following the instructions
below. If you need to import the certificate on another Windows machine, just follow the instructions
on how to Move or copy an SSL certificate from a Windows server.
4. Double-click on Certificates.
7. Expand the Certificates item on the left and expand the Personal folder. Click on the Certificates folder
and right-click on the self signed certificate that you just created and select Copy.
8. Expand the Trusted Root Certification Authorities folder and click the Certificates folder underneath it.
Right-click in the white area below the certificates and click Paste.
9. Now you can visit your site with https in your web browser and you shouldn't receive any errors
because Windows will now automatically trust your IIS self signed certificate.
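To confirm the result of the steps above, the following PowerShell audit is an added example (not part of the original article). It lists the self-signed certificates in the server's Personal store and reports, for each, whether the common name matches the site hostname, whether the certificate has been copied into Trusted Root Certification Authorities, and when it expires. It assumes PowerShell 3.0 or later; `$SiteHost` and `$WarnDays` are illustrative parameters.

```powershell
# Added example: audit the self-signed certificates this procedure leaves on the server.
# Run from an elevated PowerShell prompt on the IIS server.
param(
    [string]$SiteHost = 'site1.mydomain.com',  # hostname used in the article's example
    [int]$WarnDays = 30                         # assumed threshold for an expiry warning
)

# Thumbprints currently trusted as root certificates on this machine
$rootThumbprints = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed: subject equals issuer
    ForEach-Object {
        # Pull the common name out of the subject, e.g. "CN=site1.mydomain.com"
        $cn = $null
        if ($_.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

        [pscustomobject]@{
            CommonName    = $cn
            Thumbprint    = $_.Thumbprint
            # False here corresponds to the name mismatch warning
            NameMatches   = ($cn -eq $SiteHost)
            # False here corresponds to the "not issued by a trusted
            # certificate authority" warning on this machine
            TrustedAsRoot = ($rootThumbprints -contains $_.Thumbprint)
            Expires       = $_.NotAfter
            ExpiresSoon   = ($_.NotAfter -lt (Get-Date).AddDays($WarnDays))
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-Table -AutoSize
```

A row with `NameMatches` and `TrustedAsRoot` both `True` is the state the article aims for on the server itself; other client machines still need the certificate imported before they stop showing the trust warning.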
For more information on generating an IIS self signed certificate, see the following links:
Great write up, and exactly what I was needing to set this up and do some testing!
Thank you so damn much! I dug for hours and you gave me the few things to get my act
together and the server serving my SSL! Thanks again!
Darren Thanks!
Posts: 23 Reply #23 on : Tue May 21, 2013, 12:26:50
David Adding SANs
Posts: 23 Reply #22 on : Fri January 25, 2013, 10:37:27
Can anyone tell me how to add SANs to a self signed cert using IIS7?
sanjeev
Not able to download "Internet Information Services (IIS) 6.0 Resource Kit Tools" from the given
link. Searched on Google but not able to find the same.
Request you to share new link.
Great directions. I was a bit thwarted on the command line interface but it has done my
nuts and bolts objective.
I have extensive experience dancing on someone else's box like a free website account
and stuff. This is the first time of me actually running a true website from my own
location. So many things to worry about as far as exploits go.
Bryan Bowers Followed the process but the certificate does not show up
Posts: 23 Reply #16 on : Mon April 30, 2012, 16:35:16
Hi all, I followed the process (even ran as administrator) but the cert does not show up
in the IIS MMC. Any ideas? I get a failed to build the subject name blob: 0x80092023.
Would appreciate any help as client is antsy for the fix.
Hi Rix,
Unfortunately, that is the nature of self-signed certificates. Because they are signed by
themselves, they can't be trusted until the user actively sets them to be trusted (this is
fairly easy in Firefox but more difficult in other browsers). To completely avoid warnings
and manual trust process, you'll need to get a certificate from a trusted authority.
"The security certificate presented by this website was not issued by a trusted
certificate authority."
Clients DID NOT import the self signed certificate, yet because I would like to avoid this.
I don't want to force people to follow the bulky certification import steps, I just want
them to navigate easily! So my question is: is there a way to allow the self signed
certificate to be recognized as valid WITHOUT importing it in the client trusted root
store?
Thank you!!!
Jeff RE: SelfSSL does nothing
Posts: 23 Reply #11 on : Mon December 12, 2011, 18:45:38
Remember to open cmd with administrator rights, if it's doing nothing more than likely it's
because you are not running as administrator. Remember even if you're logged in as
administrator, you still have to run as administrator.
Also, this comment form is refusing to accept valid email addresses. My standard email
address has a "+" in the mailbox name component, so I had to use an alternate.
As far as I can tell, I followed the instructions above to the letter, but when I run the
SelfSSL command, nothing changes in my Server Certificates screen. I still have the old
certificate with the wrong hostname, and I don't have a certificate with the correct
hostname. Also, SelfSSL doesn't give me the "Error opening metabase" warning, but it
doesn't complain about anything else, either. After asking me Y/N, it just goes back to
the command prompt.
DPK Excellent
Posts: 23 Reply #7 on : Fri November 18, 2011, 01:56:32