Test SSL Certificates in IIS 5

DISCLAIMER: These guidelines are from my own personal experience. No warranty is expressed or implied. Follow them at your own risk.

This had been chatted about a while back and I thought I'd post the instructions on doing this. This will allow you to install a test digital certificate on your local server box for development purposes. You don't have to get nutty and make yourself a certifying authority or anything like that, but the browser will tell you the certificate is invalid, expired and from a non-trusted authority. It will, however, allow you to test your ASP code that checks for secure connections and other fun stuff on your local box.

FIRST, CREATE A CERTIFICATE SIGNING REQUEST

  1. Bring up Internet Information Services from the Administrative Tools menu (in the Control Panel).
  2. Select your computer name and the web site that you wish to secure (for most, this will be "Default Web Site").
  3. Right-click the site and select Properties.
  4. Click the Directory Security tab.
  5. Click the Server Certificate button (under Secure Communications).
  6. When the welcome screen comes up, click Next.
  7. Select 'Create a new certificate' and click Next.
  8. Select 'Prepare the request now, but send it later' and click Next.
  9. Enter Default Web Site for name (or anything you want, really) and select a bit length of 1024. Click Next.
  10. Enter Authorized Company for Organization and Authorized Unit for Organizational Unit. Click Next.
  11. For common name, enter the web address of your local PC (the www.whatever.youisp.com) if you have one. Or just enter localhost (especially if you use http://localhost/whatever to access your development site). Click Next.
  12. Enter your country, state and city. Click Next.
  13. Select where to store the file (c:\certreq.txt works well), click Next, then click Next again.
  14. Click Finish. That part is done.

SECOND, REQUEST YOUR CERTIFICATE

  1. Equifax used to be the link here, but they no longer provide test SSL certificates. Some other providers still offer them: Instant SSL (30 Days), Thawte (15 day free trial link on homepage), FreeSSL (30 Days), Verisign 14-day trial via Builder.com, Quality SSL (30 Days), Omega Sphere (30 Days). Search Google for more.
  2. Enter the requested information. Some providers will fully check the details, others just ask for minimal information for the test. In nearly all situations, your email address must be valid, as your certificate will be sent via email.
  3. Open the file we created earlier (c:\certreq.txt), then copy its contents and paste them into the provided textbox.
  4. Click the SUBMIT button.
  5. A verification screen comes up. Verify your entries and click SUBMIT REQUEST.
  6. You'll see a thank you screen saying that your notification will come via email (you did enter a valid address, right?).

THIRD, INSTALL YOUR CERTIFICATE

  1. Check your email.
  2. Now, open up Notepad and copy and paste the section of the email right after "Your Trial Web Server Certificate" (or similar) into the new text document. Include the certificate's beginning header and ending footer lines, too. DO NOT copy anything else. It should look something like this:

    -----BEGIN CERTIFICATE-----
    MTA1MjUwNDI2MTBaMH4xCzAJBgNVBAYTVTMREw
    MA8GA1UEBxMITmV3IFlvcmsxGzAZBgNVBAoTE
    2evwkpc/4iYRlNzl+4t0zpgQdZAc2+t7GtibofVAw83WY+4a
    MTA1MjUwNDI2MTBaMH4xCzAJBgNVBAYTAlVTMREw
    MA8GA1UEBxMITmV3IFlvcmsxGzAZBgNVBAoTEkF1dG
    2evwkpc/4iYRlnNzl+4t0zpgQdZAc2+t7GtiboAryw83WY
    LJEw0O4Dwadwsg7VNW7tdQYI6MJ5t6C6lyNJmQZa
    TA1MjUwNDI2MTBaMH4xCzAJBgNVBAYTAlMREwD
    MA8GA1UEBxMITmV3IFlvcmsxGzAZBgNVBAoTEkF1d
    2evwkpc/4iYRlnuJNzl+4t0zpgZAc2+t7GtibofVAryw83
    LJEw0O4Dwadwsg7VNW7tdQYI6MJ5t6C6lyNJm
    -----END CERTIFICATE-----
     
  3. Save that file with a .cer extension (c:\certreq.cer works well).
  4. Bring up Internet Information Services from the Administrative Tools menu.
  5. Select your computer name and the web site that you wish to secure (for most, this will be "Default Web Site").
  6. Right-click the site and select Properties.
  7. Click the Directory Security tab.
  8. Click the Server Certificate button (under Secure Communications).
  9. When the welcome screen comes up, click Next.
  10. Select 'Process the pending request and install the certificate' and click Next.
  11. Select the .cer file you created in step 3 and click Next.
  12. Verify that your info is correct and click Next.
  13. Click Finish.
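
If the wizard rejects the file in step 11, the usual cause is the copy-and-paste in step 2. The following is an added example, not part of the original instructions: a Python check of the pasted text for stray email lines, damaged base64 and a truncated copy. It inspects only the outer DER envelope (it does not parse or verify the certificate), and the sample inputs are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def check_pasted_cert(text):
    """Return a list of problems with the text saved as the .cer file ([] = looks fine)."""
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), text, re.S)
    if not m:
        return ["no complete BEGIN/END CERTIFICATE pair found"]
    problems = []
    if text[:m.start()].strip():
        problems.append("extra text before the BEGIN line")
    if text[m.end():].strip():
        problems.append("extra text after the END line")
    body = "".join(m.group(1).split())  # drop line breaks and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not clean base64 (stray characters pasted in?)"]
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data does not start with a DER SEQUENCE"]
    # DER length: short form is one byte, long form is 0x80|n followed by n bytes.
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append("declared length %d does not match %d bytes pasted (truncated copy?)"
                        % (header + length, len(der)))
    return problems

def wrap(der):
    """Build PEM text around raw DER bytes (used for the constructed samples)."""
    return "%s\n%s\n%s\n" % (PEM_BEGIN, base64.b64encode(der).decode("ascii"), PEM_END)

# Constructed stand-in: SEQUENCE { INTEGER 1 }, not a real certificate.
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLES = {
    "clean": wrap(TOY_DER),
    "email text kept": "Your Trial Web Server Certificate\n" + wrap(TOY_DER),
    "truncated": wrap(TOY_DER[:-1]),
    "footer missing": wrap(TOY_DER).replace(PEM_END, ""),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", check_pasted_cert(text) or "ok")
```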

OK, you should now have a working SSL certificate in IIS. The browser may give you errors about not trusting the CA (as some test SSLs link to test Certificate Authorities). Some people import the test CA into their browser. I recommend against it: once the browser trusts that CA, a malicious page with a certificate from it could pretend to be another site without any warning. You will usually get an error once per browsing session about the certificate being expired, the name not matching and the authority not being trusted, but for testing, it isn't a big deal.

Hope that helps some people out.