It's easy to create a self-signed certificate for your (IIS) web server with PowerShell. Self-signed certificates are free (yeah!) and offer some basic encryption. There are of course some disadvantages: the other end can't be sure about the issuing authority (i.e. you), and most web browsers will show warnings. But for most small projects it's simply impossible to pay a big sum of money for a certificate from a major, trusted Certificate Authority. So self-signed certificates can be a very nice (maybe temporary) solution!
I use PowerShell for a lot of tasks on my IIS servers. I have noticed it's also possible to use PowerShell to create certificates. Some simple steps:
Create the certificate
Download Windows PowerShell snap-in;
If necessary read the snap-in documentation;
Install the self-signed certificate:
The tool that helps us create the certificate is MAKECERT. You can find it in the \Bin folder of the Windows SDK installation path after downloading and installing the Microsoft Windows Software Development Kit. In my case, makecert.exe is in the C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin folder of my IIS server.
MAKECERT creates the certificate and installs it in the "MY" Windows Certificate Store:
.\makecert -r -pe -n "CN=MySimpleProjectsServer" -b 09/22/2010 -e 09/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
[Read all MAKECERT options here]
Afterwards, you can check if the certificate has been created with this command:
dir cert:\localmachine\my
Bind the certificate
Bind the certificate to the "Default Web Site" with the PowerShell command New-WebBinding.
New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
Afterwards, you can check the bindings with this command:
Get-WebBinding 'Default Web Site'
Assign certificate to port
First, take a look at existing SSL bindings with this PowerShell command:
cd IIS:\SslBindings
The directory will be empty on an IIS default install.
Now you can use the certificate hash from your self-signed certificate and associate it with all IP addresses (0.0.0.0) and the SSL port 443. If you wonder where the hash value of your certificate is, use dir cert:\localmachine\my and copy the hash (Thumbprint) of your certificate.
PowerShell command to associate your certificate with all IP addresses:
Get-Item cert:\LocalMachine\MY\1234567890ABCDEF | new-item 0.0.0.0!443
No, there is no mistake in the command above. SSL settings get stored in the HTTP.SYS configuration store, and its naming conventions are a bit different from those of IIS. In HTTP.SYS you have to use 0.0.0.0 to specify all IP addresses; in IIS you use an asterisk (*). IIS also uses ":" to separate the parts of the binding, but because PowerShell sees a colon as a drive indicator, an exclamation mark is used instead :-)
Please note that the 1234567890ABCDEF in the command above has to be replaced with the hash value of your certificate :-)
Check the result of your command:
cd IIS:\SSLBindings
dir
If all went well, SSL is ready to go now and you're able to surf on your secure site by entering https://localhost in your browser.
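The three steps above combined into one script, as an added example that is not part of the original post: it selects the certificate by subject instead of a pasted thumbprint, stops if the certificate is expired, has no private key or lacks the server authentication EKU, and does not overwrite a certificate already assigned to port 443. It assumes the WebAdministration module is available (on older IIS versions load the snap-in instead) and that it runs from an elevated prompt.

```powershell
# Added example. Assumes the WebAdministration module and an elevated prompt.
Import-Module WebAdministration

$subject       = 'CN=MySimpleProjectsServer'   # subject from the makecert command
$site          = 'Default Web Site'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'           # the -eku value passed to makecert
$sslPath       = 'IIS:\SslBindings\0.0.0.0!443'

# True when the certificate carries the server authentication EKU.
function Test-ServerAuthEku($Certificate) {
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

# Select by subject rather than a pasted thumbprint; require exactly one usable match.
$now    = Get-Date
$usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq $subject -and $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ServerAuthEku $_)
})
if ($usable.Count -ne 1) {
    throw "Expected one valid certificate for $subject, found $($usable.Count)."
}
$cert = $usable[0]

# Add the https binding only if the site has none on port 443 yet.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -IPAddress '*' -Port 443 -Protocol https
}

# Never silently replace a certificate that is already assigned to the port.
if (Test-Path $sslPath) {
    $bound = (Get-Item $sslPath).Thumbprint
    if ($bound -ne $cert.Thumbprint) {
        throw "0.0.0.0:443 is already bound to certificate $bound."
    }
} else {
    $cert | New-Item $sslPath | Out-Null
}

# Show what HTTP.SYS now has configured for the port.
Get-Item $sslPath | Format-List IPAddress, Port, Store, Thumbprint, Sites
```

With the validity dates from the makecert command above (09/22/2010 to 09/22/2011), a certificate created that way is rejected by the expiry check once its end date has passed.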