How to create a self-signed certificate for a domain name for development?
With IIS's self-signed certificate feature, you cannot set the common name (CN) for the certificate, and therefore cannot create a certificate bound to your choice of subdomain.
One way around the problem is to use makecert.exe, which is bundled with the .Net 2.0 SDK. On my server it's at:
C:\Program Files\Microsoft.Net\SDK\v2.0 64bit\Bin\makecert.exe
You can create a signing authority and store it in the LocalMachine certificates repository as follows (these commands must be run from an Administrator account or within an elevated command prompt):
makecert.exe -n "CN=My Company Development Root CA,O=My Company,
OU=Development,L=Wallkill,S=NY,C=US" -pe -ss Root -sr LocalMachine
-sky exchange -m 120 -a sha1 -len 2048 -r
You can then create a certificate bound to your subdomain and signed by your new authority:
(Note that the the value of the -in parameter must be the same as the CN value used to generate your authority above.)
makecert.exe -n "CN=subdomain.example.com" -pe -ss My -sr LocalMachine
-sky exchange -m 120 -in "My Company Development Root CA" -is Root
-ir LocalMachine -a sha1 -eku 1.3.6.1.5.5.7.3.1
Your certificate should then appear in IIS Manager to be bound to your site as explained in Tom Hall's post.
All kudos for this solution to Mike O'Brien for his excellent blog post at http://www.mikeobrien.net/blog/creating-self-signed-wildcard
Using PowerShell
From Windows 8.1 and Windows Server 2012 R2 (Windows PowerShell 4.0) and upwards, you can create a self-signed certificate using the new New-SelfSignedCertificate cmdlet:
Examples:
New-SelfSignedCertificate -DnsName www.mydomain.com -CertStoreLocation cert:\LocalMachine\My
New-SelfSignedCertificate -DnsName subdomain.mydomain.com -CertStoreLocation cert:\LocalMachine\My
New-SelfSignedCertificate -DnsName *.mydomain.com -CertStoreLocation cert:\LocalMachine\My
Using the IIS Manager
- Launch the IIS Manager
- At the server level, under IIS, select Server Certificates
- On the right hand side under Actions select Create Self-Signed Certificate
- Where it says "Specify a friendly name for the certificate" type in an appropriate name for reference.
- Examples:
www.domain.comorsubdomain.domain.com
- Examples:
- Then, select your website from the list on the left hand side
- On the right hand side under Actions select Bindings
- Add a new HTTPS binding and select the certificate you just created (if your certificate is a wildcard certificate you'll need to specify a hostname)
- Click OK and test it out.
To Create the new certificate for your specific domain:
Open Powershell ISE as admin, run the command:
New-SelfSignedCertificate -DnsName *.mydomain.com, localhost -CertStoreLocation cert:\LocalMachine\My
To trust the new certificate:
- Open mmc.exe
- Go to Console Root -> Certificates (Local Computer) -> Personal
- Select the certificate you have created, do right click -> All Tasks -> Export and follow the export wizard to create a .pfx file
- Go to Console Root -> Certificates -> Trusted Root Certification Authorities and import the new .pfx file
To bind the certificate to your site:
- Open IIS Manager
- Select your site and choose Edit Site -> Bindings in the right pane
- Add new https binding with the correct hostname and the new certificate