
For the development environment, I can create a self-signed certificate in IIS 7.5. But that certificate is SHA-1 and recently browsers have been complaining about it. When I open FireBug I see the following warning:

"This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1."

So my questions are:

1) Is there a way to create self-signed certificate that is stronger than SHA-1?

2) If not, is there a way to tell browser to stop showing these warnings?

UPDATE

I ended up using @vcsjones' answer, but that only got me so far. There were a couple of issues I had to resolve before making it work.

1) For some reason I could not import the certificate with a password. So I ended up creating one without.

2) When I imported the .pfx certificate via IIS, I kept getting "A specified logon session does not exist" when I tried to apply the new certificate in Edit Bindings. So I did a little research and found this SO answer to be useful, specifically Mike L's answer.

Another thing I would add is that when you are importing the certificate, please remember to select the .pfx certificate. The import wizard's default selection is *.cer, which you can import (a mistake I made), but then I was not able to see the certificate in IIS Server Certificates. When I looked closer it was missing the little key in the icon. Now, I did some research on that and was able to repair it via the KB-889651 article. So make sure you import the .pfx and it will work without repairing.

Another note: if you are having trust issues with this certificate, import it into "Trusted Root Certificate Authorities" as well.

CrnaStena

3 Answers


Sure. The makecert utility that is part of the Windows SDK can do that:

    makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=localhost cert.cer

The -a parameter sets the hash algorithm. This spits out a PVK and a DER .cer file. You can of course also change the common name to anything you'd like, I just used localhost as an example. You can combine these into a PFX (what IIS prefers to use when importing a certificate) using pvk2pfx (also part of the SDK):

    pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx

This just takes the two files makecert generated and combines them into a PKCS12 .pfx file.

With the resulting PFX file, you would open up IIS and import it under Server Certificates, then change your site's bindings to use the new certificate.

vcsjones
  • I created it, but where do I find cert.cer and out.pfx? – peter Jul 13 '15 at 17:15
  • @peter it's whatever the working directory of the console is. You'll see something like `C:\Path\ToADirectory>` in the command prompt. That is your working directory. – vcsjones Jul 13 '15 at 17:16
  • When I tried to import out.pfx in IIS it asked for a password. I typed the password which I set while creating the certificate by using your comment. But it failed; do you know the reason? – peter Jul 13 '15 at 17:32
  • @vcsjones I installed the certificate in the system and then I set the binding in IIS. When I browsed in Firefox it is not opening, but in IE I continued past the error prompt and was able to see the website, but it shows a red icon like the certificate is not from a trusted certificate authority. – peter Jul 13 '15 at 17:48
  • One more doubt: by using the command provided in the link we are generating a self-signed certificate (CA), but which is good, CA or SPC? – peter Jul 13 '15 at 22:35
  • One more doubt: when I imported the certificate to IIS, its name is blank, but the "issued to" etc. columns have values? – peter Jul 13 '15 at 22:56
  • One point to note is that makecert is now deprecated. For Windows 8.1 / Windows Server 2012 R2 and higher, you can instead use the PowerShell command described here: http://stackoverflow.com/a/19446469/914490 – Mike May 02 '16 at 09:09
  • @Mike, this should probably be a separate answer so it has a chance to be seen; I started looking at makecert before noticing your comment! – Steve Magness Oct 19 '16 at 15:26

I am using a locked-down Windows 7 Enterprise computer at work and as such I am unable to install the Windows SDK to get access to makecert. Here's how I created my sha256 self-signed certificate (taken from https://core.telegram.org/bots/self-signed):

  1. Decide which directory you want to save your certificate in
  2. Create a text file in that directory called template.txt with the following contents:

    [NewRequest]
    
    ; At least one value must be set in this section
    Subject = "CN={your.domain.com}"
    KeyLength = 2048
    KeyAlgorithm = RSA
    HashAlgorithm = sha256
    ;MachineKeySet = true
    RequestType = Cert
    UseExistingKeySet=false ;generates a new private key (for export)
    Exportable = true ;makes the private key exportable with the PFX
    
  3. Replace {your.domain.com} with the address you'll use to access your site, e.g. "CN=localhost"

  4. Open up a command prompt and change to your certificate directory
  5. Run certreq -new template.txt RequestFileOut
  6. You'll need to know the serial number, so run certutil -store -user my to get a dump which includes the serial number
  7. Replace {SERIALNUMBER} with the serial number in the dump and {YOURDER}.crt with the name of the output file: certutil -user -store -split my {SERIALNUMBER} {YOURDER}.crt
  8. Replace {YOURDER}.crt with the name of the input file and {YOURPEM}.cer with the name of the output file: certutil -encode {YOURDER}.crt {YOURPEM}.cer
  9. Replace {your.domain.com} with your actual (test) domain name and {YOURPKCS}.pfx with the name of the output file: certutil -exportpfx -user {your.domain.com} {YOURPKCS}.pfx NoChain

After that I went to IIS Manager, Sites -> {site name} -> Bindings... (under "Edit Site"). I then clicked on https/443 because I already had it set up, Edit... and selected the new certificate from the list.

Firefox complained that my site was using a self-signed certificate so I just added it as an exception, and voilà! it worked!

CJ Dennis
  • This is the most workable example without any installation, which is sometimes not possible on a prod server. – hungryMind Jan 12 '17 at 10:43
  • I could not get this to work on my Windows 7 box, but it worked great on Server 2012. As a side note, {yourpem}.cer and {yourpkcs}.pfx are generated by the two commands they are listed in. You'll probably want to use the same name as {yourder}.crt. So for simplicity: {yourcert}.crt, {yourcert}.cer, {yourcert}.pfx – Zonus May 18 '17 at 15:24
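Both answers above (makecert + pvk2pfx, and certreq + certutil) produce the same artifact: an RSA-2048 self-signed certificate signed with SHA-256, packed into a PFX with its private key, then bound to the site in IIS. The following is an added example, not code from either answer or from the linked SO post, that does the same job with the in-box PowerShell cmdlets Mike's comment points to, and additionally checks the two things the question's update ran into (the signature hash and the missing private key) before touching IIS. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later (the full parameter set of New-SelfSignedCertificate is not present on 2012 R2), the WebAdministration module that ships with IIS, the site name "Default Web Site", the host name "localhost" and the output path C:\certs\localhost.pfx; all of those are assumptions, not values from the page.

```powershell
# Added example: SHA-256 self-signed certificate for an IIS dev site using
# New-SelfSignedCertificate instead of the deprecated makecert/pvk2pfx.
# Assumed values (not from the original answers):
$DnsName  = 'localhost'               # host name the browser will use
$PfxPath  = 'C:\certs\localhost.pfx'  # where the PKCS#12 file is written
$SiteName = 'Default Web Site'        # IIS site to bind on port 443

New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# 1. Generate key pair + certificate in the machine store.
#    -HashAlgorithm is the counterpart of makecert's "-a sha256" / the INF's
#    "HashAlgorithm = sha256"; -KeyExportPolicy Exportable is the counterpart
#    of "Exportable = true" and is what lets the PFX carry the private key.
$cert = New-SelfSignedCertificate `
    -DnsName $DnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -FriendlyName "Dev cert for $DnsName"

# 2. Verify before binding. A SHA-1 signature is what Firebug warned about;
#    a cert without a private key is the "missing key icon" from the question.
if ($cert.SignatureAlgorithm.FriendlyName -notlike 'sha256*') {
    throw "Unexpected signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; IIS cannot use it for a binding'
}
Write-Host "Thumbprint $($cert.Thumbprint) signed with $($cert.SignatureAlgorithm.FriendlyName)"

# 3. Export a PKCS#12 (.pfx) including the private key. The password is
#    prompted rather than hard-coded; pick anything for a throwaway dev cert.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# 4. Trust it on this machine so browsers stop warning (the "Trusted Root
#    Certification Authorities" step from the question's update). Development
#    boxes only: this makes the box trust anything signed by this key.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

# 5. Bind in IIS on 443. IIS:\SslBindings is what the "Edit Bindings" dialog
#    writes; replacing the item is the scripted equivalent of picking the new
#    certificate from the dropdown.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item $bindingPath -Value $cert | Out-Null

# 6. Audit: list any SHA-1-signed certificates still in the machine store, so
#    you can tell whether a site is still serving the old one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' } |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
```

Run it from an elevated prompt; step 5 needs IIS installed or `Import-Module WebAdministration` will fail. The explicit checks in step 2 are there because the GUI silently accepts a SHA-1 cert or one whose private key is missing, and both only show up later as a browser warning or the "logon session" error described in the question.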

Yeah I got that "A specified logon session does not exist" error/warning message too.

I just clicked OK a second time and it accepted it.