Q: In our test lab, we want to set up an SSL-enabled website that's hosted on an IIS 7.0 web server. We don't have a Certification Authority (CA) or Public Key Infrastructure (PKI) in our test environment, and we don't want to purchase a certificate from VeriSign for our tests. Is there a workaround so I can still use SSL on my test website?

A: Microsoft has built support for creating self-signed certificates into IIS 7.0. These let you create web server certificates easily, without a PKI or an externally purchased certificate.

You can create self-signed certificates from the Server Certificates section in the IIS Manager MMC snap-in. To get to this section, click the root machine node in the left-hand pane of the IIS Manager, and then select the "Server Certificates" icon in the right pane. The Server Certificates section lists all certificates that are registered on the machine, and it allows you to import and create certificates.

To create a self-signed certificate, click Create Self-Signed Certificate… in the Actions pane of the IIS Manager. IIS will prompt you to enter a name for the certificate. When you click OK, IIS automatically creates a self-signed certificate and registers it on the machine.

Once you've registered an SSL certificate on your IIS machine, you still need to SSL-enable the website itself. To do so, select your website under the Web Sites node in the left-hand pane of the IIS Manager and click the Bindings link in the Actions pane. This brings up a dialog box that lists all the binding rules for the site. To enable SSL for your site, click the Add… button. This brings up the Add Web Site Binding dialog box, which you use to add HTTPS support. In this dialog, select https for Type: and the self-signed certificate you created earlier for SSL certificate:. Finally, click OK.

There's one small but important catch in the way IIS 7.0 creates self-signed certificates. IIS 7.0 always creates the SSL certificate with the local computer name as the Common Name (CN). For browsers to accept the connection, the certificate's CN should match the DNS name of the website, and in many cases the website's DNS name is different from the computer name. If the certificate CN doesn't match the DNS name users browse to, browsers will tell your users that something is wrong with the SSL setup or refuse to open the site.
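The following script is an added example, not part of the original article: it walks the HTTPS bindings of an IIS site, reads the certificate attached to each one, and reports whether the certificate's CN or Subject Alternative Name entries match the binding's host header, which is exactly the mismatch described above. It assumes Windows PowerShell with the WebAdministration module (IIS 7.5 and later; on IIS 7.0 the IIS PowerShell Snap-in exposes the same Get-WebBinding cmdlet) and an English-locale system, since the SAN extension is read from its formatted text.

```powershell
# Added example, not part of the original article: report whether the certificate on each
# HTTPS binding of an IIS site carries the host name that browsers will connect with.
# Assumes the WebAdministration module (IIS 7.5+) and English-locale extension formatting.
Import-Module WebAdministration

function Test-CertNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,   # CN or SAN DNS entry from the certificate
        [Parameter(Mandatory = $true)][string]$HostName    # name the user types into the browser
    )
    # Exact, case-insensitive match
    if ($CertName -ieq $HostName) { return $true }
    # Single-label wildcard: *.internal.net matches mytest.internal.net but not
    # internal.net or a.b.internal.net, which is how browsers evaluate wildcards
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)          # ".internal.net"
        return ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return $false
}

function Get-CertDnsNames {
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # The CN from the Subject; an IIS Manager self-signed certificate carries only this name
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17), if present. Format($false) returns
    # text such as "DNS Name=www.example.net, DNS Name=example.net" (English locale assumed)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-IisHttpsBindings {
    param([Parameter(Mandatory = $true)][string]$SiteName)
    foreach ($binding in Get-WebBinding -Name $SiteName -Protocol https) {
        # bindingInformation has the form "IP:port:hostheader"
        $hostHeader = ($binding.bindingInformation -split ':')[2]
        if (-not $hostHeader) {
            Write-Warning "$($binding.bindingInformation): no host header, so the site answers to any name; compare the certificate names against the DNS name users actually browse to"
        }
        $certPath = "Cert:\LocalMachine\{0}\{1}" -f $binding.certificateStoreName, $binding.certificateHash
        $cert  = Get-Item $certPath
        $names = Get-CertDnsNames -Cert $cert
        $ok = $false
        if ($hostHeader) {
            foreach ($n in $names) { if (Test-CertNameMatch -CertName $n -HostName $hostHeader) { $ok = $true } }
        }
        [pscustomobject]@{
            Binding   = $binding.bindingInformation
            CertNames = ($names -join ', ')
            Matches   = $ok
        }
    }
}

# Example run against a site called "Default Web Site" (site name is an assumption)
Test-IisHttpsBindings -SiteName 'Default Web Site' | Format-Table -AutoSize
```

A row with Matches set to False on a binding whose CertNames column shows only the computer name is the situation the paragraph above describes; a binding with no host header still needs a manual comparison against whatever name your users type.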

To fix this problem, you can use the SelfSSL.exe utility to generate a self-signed SSL certificate for your web server and link it to your website. SelfSSL is part of the IIS6 Resource Kit and can be used to generate self-signed certificates in earlier IIS versions. You can download the IIS6 Resource Kit Tools from Microsoft.

Run SelfSSL using the syntax

Selfssl /N:CN=<your_websitename> /V:<cert_validityperiod> /S:<site_ID> /P:<portnumber>

Make sure that in the above command you replace <your_websitename> with the actual name of your website (such as mytest.internal.net), <cert_validityperiod> with the number of days the certificate should be valid, <site_ID> with the actual site ID (see note below) and <portnumber> with the actual port number (defaults to 443 for HTTPS). To look up the site ID of your website, select the Sites node in the IIS Manager; the site ID appears in the ID column in the right pane.
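As an added example that is not part of the original article or of the SelfSSL tool, the same job (a self-signed certificate whose CN is the website's DNS name, registered in the machine store and attached to the site's HTTPS binding) can be done from PowerShell on newer Windows versions. It assumes the PKI module's New-SelfSignedCertificate cmdlet (Windows 8 / Server 2012 or later; the -NotAfter parameter needs the Windows 10 / Server 2016 version) and the WebAdministration module; the site name and DNS name in the call at the bottom are placeholders.

```powershell
# Added example, not from the original article or from SelfSSL: create a self-signed
# certificate with CN=<site DNS name>, store it under LocalMachine\My, and bind it to
# the site's HTTPS binding. Assumes New-SelfSignedCertificate (PKI module) and WebAdministration.
Import-Module WebAdministration

function New-LabSiteCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,   # IIS site name, e.g. 'Default Web Site'
        [Parameter(Mandatory = $true)][string]$DnsName,    # name users browse to, e.g. mytest.internal.net
        [int]$ValidDays = 365,                             # same meaning as SelfSSL's /V:
        [int]$Port = 443                                   # same meaning as SelfSSL's /P:
    )
    # -DnsName puts the name both in the Subject CN and in the Subject Alternative Name,
    # so the certificate matches the site name the way browsers check it
    $cert = New-SelfSignedCertificate -DnsName $DnsName `
                                      -CertStoreLocation 'Cert:\LocalMachine\My' `
                                      -NotAfter (Get-Date).AddDays($ValidDays)

    # Add an https binding for that host name if the site does not have one yet
    $existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $DnsName
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $DnsName -IPAddress '*'
    }

    # Attach the certificate to the port through the IIS:\SslBindings provider.
    # Without SNI there is one certificate per IP:port, so replace any previous one.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $cert | Out-Null

    return $cert
}

# Placeholder site and DNS names; replace with your own
$c = New-LabSiteCertificate -SiteName 'Default Web Site' -DnsName 'mytest.internal.net' -ValidDays 365
"Bound certificate: $($c.Subject), thumbprint $($c.Thumbprint), expires $($c.NotAfter)"
```

After this runs, the name mismatch is gone, but the certificate is still self-signed: browsers on the test clients will keep warning about an untrusted issuer until the certificate is also imported into their Trusted Root Certification Authorities store, which is a separate step from anything SelfSSL's /N, /V, /S and /P switches do.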