What Application Pool does this W3WP.EXE belong to?

The easiest way is to use one of the new scripts that come in the box called IISAPP.VBS. It is located in the %SystemRoot%\system32 directory. For example:

Posted on November 17th 2009 in IT/ Network Admin

SSL at work..

Lengthy but good and necessary reminder of how SSL works by Simon Denis.. :)

Check how Private Key & Public Key works if you don’t already know.. (some more reading.. , or just find another video.. :) )

Now you know that;

1. The Certificate Authority (CA, e.g. Verisign, Thawte, your own server..) has a KEY (private) and a Certificate (public key + extra information about the Organisation). These are the files that will be generated by the commands below as ca.key and ca.crt (certificate).

2. The Server (or webserver) also has a KEY and will get its Server Certificate from the CA. To get this certificate, it will first generate a Certificate Request that will be sent to the CA. Once the CA validates that the requester is genuine, it will sign the Certificate Request with its Certificate and KEY to produce the Server Certificate. In this case we have 3 files to be generated: server.key, server.csr (Certificate Request), server.crt (Server Certificate).
(For windows mortals server.csr = certreq.txt AND server.crt = server.cer)

Question : I have set up my web server on Windows IIS and I need to put in a certificate to enable SSL, but this is just a test site and I don’t want to buy an SSL certificate from Verisign or Thawte or … What should I do ?

Answer : Hmm.. good question me!! well build your own CA, generate your certificates, get the certificate request from the IIS, sign it and put back the resulting server certificate into the webserver. You will get a prompt that the website isn’t signed by a trusted CA but who cares.. I am the untrusted party!!

I prefer making my self-signed CA with Linux, as openssl is easily installed and it takes just two commands. You’ll need openssl; see my previous blog for how to install it on a Windows client if you need to.

Note for the newbies..

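1. Both the CA and the Server steps will ask for information about the organization or company. DON’T use the exact same Common Name (CN) for both: if the two names are identical, the server certificate’s issuer and subject match, it looks self-signed, and verification can fail. Use the example below (added “CA” at the end of the CA’s CN):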

CA:
Common Name (CN): www.mysite.com CA
Organization (O): mysite
Organizational Unit (OU): none

Server:
Common Name (CN): www.mysite.com
Organization (O): mysite
Organizational Unit (OU): none

————————————    LINUX  ————————————

Once you get to the command line with openssl:

Generate CA Key :
$ openssl genrsa -des3 -out ca.key 4096

Generate CA Certificate :
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Get Server Certificate (generate the key the same way..)
—————————————————————————————
————————————    Microsoft ————————————
1. Open IIS Manager (using version 6), unfold the tree, right-click the website requiring encryption and click Properties
2. Go to Directory Security, Click Server Certificate.
3. Next, Create new certificate,  Prepare the request but send it later,  – Next .. put the details (use your website FQDN as the DN, use the same key length as you used on your server )  next.. next..
4. Save the Server Certificate Request (certreq.txt) and you’ll need to transfer that to the linux box. (Don’t scratch your head.. that’s easy, if you used Cygwin on windows, just copy-paste the file in c:\cygwin\tmp or use a usb or network share linux does that too :p )
————————————————————————————
————————————    LINUX  ————————————
Sign and Validate Server Certificate on CA
$ openssl x509 -req -days 365 -in /tmp/certreq.txt -CA ca.crt -CAkey ca.key -CAcreateserial -out server.cer
*note: /tmp/certreq.txt is the path if you copied the file to c:\cygwin\tmp
Copy the Server Certificate back to the IIS Server
$ cp server.cer /tmp/    # if using cygwin
—————————————————————————————-
————————————    Microsoft  ————————————
Go to Directory Security again, and Click Server Certificate
click Process the pending request and install the certificate
Browse to get the server.cer, next use port 443 (meant for https) , next ..
————————————-  FINISH!! ————————————-
There.. you’re done.. now your website is https with a self signed Certificate.
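
The Linux half of the procedure above as one unattended script, with three checks on server.cer before it goes back to IIS. This is an added example, not code from the original post: the function names, the CA_PASS variable, the use of -subj and -aes256 in place of the post's interactive prompts and -des3, and the locally generated certreq.txt standing in for the IIS request are assumptions.

```bash
#!/usr/bin/env bash
# Added example: subject names follow the post's sample values; file layout,
# function names and the CA_PASS variable are constructed for illustration.
# certreq.txt is generated locally as a stand-in for the request saved from IIS.
# The CA key passphrase is read from the exported CA_PASS variable.

make_ca() {            # $1 = work dir, $2 = RSA bits
  ( cd "$1" &&
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key "${2:-4096}" &&
    openssl req -new -x509 -days 365 -key ca.key -passin env:CA_PASS \
      -subj "/O=mysite/CN=www.mysite.com CA" -out ca.crt )
}

make_request() {       # stand-in for the IIS "prepare the request" wizard
  ( cd "$1" &&
    openssl req -new -newkey "rsa:${2:-4096}" -nodes -keyout server.key \
      -subj "/O=mysite/CN=www.mysite.com" -out certreq.txt )
}

sign_request() {       # the post's signing command plus the key passphrase
  ( cd "$1" &&
    openssl x509 -req -days 365 -in certreq.txt -CA ca.crt -CAkey ca.key \
      -passin env:CA_PASS -CAcreateserial -out server.cer )
}

# Checks to run before server.cer goes back to IIS; returns 0 only if all pass.
check_server_cert() {
  ( cd "$1" || exit 1
    subject=$(openssl x509 -in server.cer -noout -subject)
    issuer=$(openssl x509 -in server.cer -noout -issuer)
    # 1. CA and server must not share a name.
    [ "${subject#*=}" != "${issuer#*=}" ] || { echo "subject equals issuer"; exit 1; }
    # 2. The certificate must carry the public key of the pending request.
    [ "$(openssl req -in certreq.txt -noout -pubkey)" = \
      "$(openssl x509 -in server.cer -noout -pubkey)" ] || { echo "key mismatch"; exit 1; }
    # 3. The certificate must verify against ca.crt alone.
    openssl verify -CAfile ca.crt server.cer )
}

run_all() {            # usage: export CA_PASS=...; run_all "$(mktemp -d)" 4096
  make_ca "$1" "$2" && make_request "$1" "$2" && sign_request "$1" &&
    check_server_cert "$1"
}
```

A non-zero exit from check_server_cert means server.cer should not be installed; with a real IIS request, skip make_request and copy certreq.txt into the work directory instead.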
Posted on August 22nd 2009 in IT/ Network Admin