1

Is it possible to generate a self-signed, wildcard SSL certificate for an internal domain on IIS 7.5 for testing purposes? For example, I'd like the common name to be *.domain.local

A similar question for IIS 6 was posted here, but without a clear answer (in my opinion).

zam6ak

3 Answers

0

If you have a certificate authority on your internal domain, then yes. You can then generate whatever certificates that you need for internal use.

mrdenny
  • This requires having the Active Directory® Certificate Services (AD CS) role on a server, correct? If that is the case, we don't have one :)... Is there a way to generate this via IIS 7.5 or some other means (OpenSSL?) – zam6ak Dec 07 '10 at 20:14
  • @zam6ak - Using OpenSSL would be a great option if you don't have a CA available, yes. – Andrew Barber Dec 07 '10 at 21:17
  • @Andrew Barber - so OpenSSL will let me generate a self-signed wildcard cert with a local domain? Is there a URL you can point me to (I found a bunch for IIS6 but not for 7)? Thanks a lot – zam6ak Dec 07 '10 at 23:09
  • Internal CA with GP seems like a viable solution since it allows not only cert generation but also ability to tell the clients to trust it...See this comment: http://serverfault.com/questions/143047/in-house-trusted-certificate/143057#143057 – zam6ak Dec 08 '10 at 14:07
0

Your question actually did end up getting answered in that question here; you cannot create a wildcard SSL certificate through IIS7+'s self-issued certificate system.

Andrew Barber
0

The certificate question isn't actually related to IIS.

If you create any self-signed certificate with intended purposes EKUs including Server Authentication, it'll work with IIS.

So all you really need to do is create that certificate, then convince all the clients to trust it too.

You can use the old SelfSSL tool to create the cert, at least:

http://blogs.iis.net/chrisad/archive/2006/11/14/windows-server-2003-service-pack-1-and-iis-6-0-host-headers-and-ssl.aspx

selfssl /s:{SiteId} /N:cn="*.contoso.com" /q

You should be able to skip the /s:{SiteId} part, to just generate a local certificate, then hook it up through the IIS 7 InetMgr console as usual.

Aside: If you've got the metabase compatibility pack and IIS 6 scripts installed, you may be able to use the Site ID and have it set up for you, exactly as per the instructions there.

TristanK
  • I'm using SelfSSL7 for generating a self-signed cert for IIS7.5, but wildcarding the CN does not work. I tried this: SelfSSL7 /Q /T /I "Default WebSite" /N cn=" *.mydomain.com";cn=mymachinename;cn=localhost /K 1024 /V 18250 This is the error I get: Common name (/N cn= *.mydomain.com) contains invalid characters. – Abhijeet Patel May 22 '11 at 17:24
  • Your quotes are in the wrong place. – TristanK May 22 '11 at 23:05
  • I had to deliberately include a space after the quote and before the * since the comment would not format correctly here. Besides that, what am I doing wrong? – Abhijeet Patel May 22 '11 at 23:21
  • http://serverfault.com/questions/272534/selfssl7-for-cn-localhost-and-machinename - good you found the answer! – TristanK May 23 '11 at 07:27
  • No I did not! The answer in that question does not show how to register a wildcard domain name – Abhijeet Patel May 25 '11 at 00:58
  • The old SelfSSL - not v7. – TristanK May 25 '11 at 01:53
  • That sucks. You'd think that you would be able to do this in v7 as well. I've posted a question on the IIS7 site asking how to do this, but haven't heard back yet. – Abhijeet Patel May 26 '11 at 20:48
  • It's as if you're reading a different answer... – TristanK May 26 '11 at 21:36
  • How so? If a feature works in SelfSSL, I would imagine it to work in V7 as well. – Abhijeet Patel May 27 '11 at 04:12
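
An added example, not part of the original answers or of any tool mentioned in them: the OpenSSL route raised in the comments, producing a self-signed wildcard certificate that carries the Server Authentication EKU and a PFX bundle for import on the IIS server. The function names, file names and password are hypothetical; domain.local is the name from the question.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, file names and the
# password are placeholders; domain.local is the name used in the question.
make_wildcard_cert() {
    domain="$1"; outdir="$2"; pfx_pass="$3"
    mkdir -p "$outdir" || return 1

    # Request config: wildcard CN, matching SAN entries (modern clients match
    # on SAN, not CN) and the Server Authentication EKU the answer mentions.
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$domain
[v3]
subjectAltName = DNS:*.$domain, DNS:$domain
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # Self-signed certificate plus an unencrypted private key (test use only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/wildcard.key" -out "$outdir/wildcard.crt" \
        2>/dev/null || return 1
    chmod 600 "$outdir/wildcard.key"

    # PKCS#12 bundle for import on the IIS server. 3DES/SHA-1 PBE is chosen
    # because older Windows releases cannot read the AES-256 bundles that
    # OpenSSL 3 writes by default.
    openssl pkcs12 -export -name "*.$domain" \
        -inkey "$outdir/wildcard.key" -in "$outdir/wildcard.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$outdir/wildcard.pfx" -passout "pass:$pfx_pass" || return 1
}

# Print the fields that matter so they can be checked before import.
show_cert() {
    openssl x509 -in "$1" -noout -text |
        grep -E -A1 'Subject:|Subject Alternative Name|Extended Key Usage'
}
# Usage: make_wildcard_cert domain.local ./certs 'placeholder-password' \
#        && show_cert ./certs/wildcard.crt
```

Import wildcard.pfx into the IIS server's Local Machine Personal store and bind it to the site. Clients trust it only after wildcard.crt is added to their Trusted Root Certification Authorities store, for example through Group Policy.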