Sunday, June 8, 2014

Practical Certificate Knowledge for .NET developers: Setting Up SSL Locally

Setting Up SSL Locally

Last week's post was on generating your own certificates. This week we're going to look at setting up SSL locally. You will need to have gone through at least part two for this, and the upcoming posts about client certificates will require this post as a prerequisite.



There are a few different ways to do this, and I'm going to take the approach of generating a certificate on your own, importing to the proper certificate stores, and binding it to a web site yourself. This way you'll learn where these certificates live. You can also generate SSL certs directly inside of IIS if you'd like.

Step 1: Trusting Your Root Certificate

If you have not run through part two yet, or you removed your MyRootCert.cer from your user's Trusted Root Certification Authorities folder, go ahead and re-import it. Steps to do this are in part two under 'Trusting the Root Certificate'.

Step 2: Generating Your SSL Certificate

If you went through part two, you already generated an SSL certificate (MySecondCert.cer). An SSL certificate is nothing more than a certificate with an extended key usage field set to server authentication. In our example today we'll work with a new cert signed by your MyRootCert's private key, which you can generate using the following command. Ensure you run this command from the folder where you kept makecert.exe and MyRootCert.cer and MyRootCert.pvk. This command is identical to the MySecondCert generation command from part two, only with different filenames for the .cer and .pvk file, and a different subject name.


makecert.exe -iv MyRootCert.pvk -ic MyRootCert.cer -n CN=my.local.machine -len 2048 -pe -sv my.local.machine.pvk -sky exchange -b 01/21/2010 -e 01/21/2020 my.local.machine.cer -eku 1.3.6.1.5.5.7.3.1

First you'll be asked to set a password for the new cert you'll be generating. You can set one if you would like, but in my case I pressed the 'None' button and skipped it, since this is not for a production system.

my.local.machine.pvk's password setting (I did not set one by clicking None)

Next you'll be asked for your password for the signing cert (in our case, MyRootCert). Last week we had set this to 'learning'. Remember that the certificate being created is being signed by MyRootCert's private key (the MyRootCert.pvk file), which is why you get prompted for MyRootCert.pvk's password.

Request for the MyRootCert.pvk password in order to use it to sign the new certificate.

After the command completes, you should see the my.local.machine.cer and my.local.machine.pvk file in your directory.

Step 3: Generating the my.local.machine.pfx file

In order to set up an SSL site, we'll need a .pfx file (the certificate plus its private key) to import into the local computer's personal certificate store. Just like in last week's post, use the pvk2pfx.exe program to generate this.

pvk2pfx.exe -pvk my.local.machine.pvk -spc my.local.machine.cer -pfx my.local.machine.pfx

You should now see the my.local.machine.pfx file in your directory.

Step 4: Importing the certificate and private key 

Now open up your Microsoft Management Console (Win+R, mmc, <Enter>) and add the Certificates snap-in by going to File->Add/Remove Snap-In. Click on 'Certificates' in the left panel, then click Add. This time, we'll want to add the Certificates snap-in for the local machine, as follows:

Select 'Computer account' and click Next.
Select 'Local computer' and click Finish.

The reason we want to import our my.local.machine cert into the local computer certificate store is because IIS does not run under your own user account, rather, it runs under a system account.

Once you see the cert store for the local computer, go ahead and import the my.local.machine.pfx file into the local computer's Personal store with the default settings. Note that when you click Import, the file browser will default to showing .cer files only; you'll have to change the file type in the bottom right corner in order to show .pfx files as well.

Once the cert is imported successfully, you should be able to see it in the local computer's personal store. 

At this point, import your MyRootCert.cer file into the Trusted Root Certification Authorities for the local computer store as well so that all of your certs signed by MyRootCert are trusted by your computer.

Step 5: Set up the web site

Create a folder on your hard drive somewhere (mine is at C:\SSLSite) that will be the directory holding your site files. Inside of it, create a text file named Default.htm, edit it, and set the contents to just be 'SSL!'.

Now open IIS and create a new web site by right clicking on sites and clicking 'Add Web Site.'


Set up your site as the image below shows. Note that your physical path might be different based on where you created your site file directory. If port 443 on your machine is in use, feel free to choose another one that is not in use (on my machine it was, so you'll see future screenshots use 440 instead). When typing in the URLs below, you should only have to specify the port if you chose not to use 443.


Click OK when you are done filling out your settings, then open a browser and navigate to https://localhost:port/, where port is the port set in the binding section in the 'Add Web Site' dialog just above. You'll likely see an error message like the following:


This indicates that the certificate being offered is invalid. In Chrome, I continued on to the site, and once I clicked the x'd out lock icon by the https, Chrome told me that the server certificate is invalid because the server's certificate does not match the url. In this case, the server's certificate has a subject name of my.local.machine (set by the "CN=my.local.machine" when generating the cert), whereas the URL you're typing into your bar is localhost. Definitely not the same. Let's fix this! Move on to step 6.

Step 6: Match the URL to the certificate name

Open up the c:\windows\system32\drivers\etc\hosts file in a text editor (you'll need to run the editor as an administrator to save it). More info on the hosts file can be found here, but the simple explanation is that it allows you to map host names to IP addresses on your local machine.

At the bottom of the file, add: 
127.0.0.1 my.local.machine

This will allow my.local.machine to resolve to the IP 127.0.0.1, which is the loopback address (read more here). 

We can test to ensure this is working by opening a command prompt (Win+r, cmd, <Enter>), and typing in ping my.local.machine. See how it resolves to 127.0.0.1?




Finally, head back to your browser and type in https://my.local.machine:port into the address bar, and that should eliminate any warnings and give you a nice, green https URL with a valid certificate. 
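As an added check (not part of the original post), the following PowerShell script verifies each piece this part set up: the cert with its private key in the local computer's Personal store, the Server Authentication EKU, a chain that builds to a root the local computer trusts, the hosts entry, and an IIS https binding using that cert. It assumes the names used above (CN=my.local.machine, MyRootCert) and that the IIS WebAdministration module is available.

```powershell
# Added verification script, not from the original post. Assumes the names
# used in this series: CN=my.local.machine signed by MyRootCert, and the
# hosts entry "127.0.0.1 my.local.machine" from Step 6.
$hostName   = 'my.local.machine'
$serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU OID for Server Authentication (the -eku value above)

# 1. The SSL cert must be in LocalMachine\My (Personal) together with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$hostName" } |
        Select-Object -First 1
if (-not $cert)               { throw "No certificate with CN=$hostName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate found but has no private key (import the .pfx, not the .cer)" }

# 2. It must carry the Server Authentication EKU, otherwise browsers will not accept it for SSL.
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })
if (-not $hasServerAuth) { throw "Certificate lacks the Server Authentication EKU ($serverAuth)" }

# 3. The chain must build to a root the *local computer* trusts (Step 4). IIS runs as a
#    system account, so a root that is only in your user's store does not help it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # makecert certs carry no CRL distribution point
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not build to a trusted root: $status (is MyRootCert.cer in LocalMachine\Root?)"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Chain OK; trusted root is $($root.Subject) (thumbprint $($root.Thumbprint))"

# 4. The hosts entry must map the certificate's CN to loopback, or the URL and CN will not match.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = "^\s*127\.0\.0\.1\s+$([regex]::Escape($hostName))(\s|$)"
if (-not (Get-Content $hostsPath | Where-Object { $_ -match $pattern })) {
    throw "hosts file has no '127.0.0.1 $hostName' entry"
}

# 5. Some IIS site must have an https binding that uses this certificate's thumbprint.
Import-Module WebAdministration -ErrorAction Stop
$binding = Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $cert.Thumbprint }
if (-not $binding) { throw "No IIS https binding uses thumbprint $($cert.Thumbprint)" }
$port = ($binding.bindingInformation -split ':')[1]   # bindingInformation looks like "*:443:"
$url  = if ($port -eq '443') { "https://$hostName/" } else { "https://${hostName}:$port/" }
Write-Host "All checks passed. Browse to $url"
```

Run it from an elevated PowerShell prompt, since reading the LocalMachine private key flag and the IIS configuration requires administrator rights.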


That concludes part 3 of this series. Keep this site set up, as in the future, we'll use this site to learn about client certificate authentication as well.
