Category Archives: Howto Tutorials (EN)

Knowledge Network for Tutorials, Howto’s, Workaround, DevOps Code for Professionals.

Issue Self-Signed SSL Certificate for internal Website

This privacy error may be seen in your browser when an website is visited by using SSL Self-Signed Certificates. These often are internal web-sites of devices in your network.

Privacy error your connection isn’t private

SSL Self-Signed Certificates. Privacy error your connection isn't private

This error page can be seen in the browser when an https page is visited, often these are internal web-sites of devices in your own network, or because you have your own web server in your network, in order to develop web-sites or web-apps in the lab, certificates are required for SSL-encrypted web-sites. However, you may do not want to have the certificate created by a trusted Certificate Authority (CA) issuer, which brings unnecessary costs, except for a Let’s Encrypt certificate, which is free, but the web server for the Automatic Certificate Management Environment (ACME) check must be reachable from the internet, here it is sufficient to issue a self-signed certificate.

How to creating Self-Signed SSL Certificates

Creating a self-signed ssl certificate automated with import them to the Windows Certificate Store of the local computer. It prompts for a Common Name to create the self-signed certificate according to the URL.

$CommonName=Read-Host -Prompt 'Enter a Common Name (CN)'
if ($CommonName) {
	Write-Output "Self-Signed Certificate [$CommonName] processing.."
} else {
	Write-Warning -Message "Missing Common Name (CN)!"
	Break;
}
New-SelfSignedCertificate -DnsName "$CommonName" -CertStoreLocation "cert:\LocalMachine\My"
$pass=ConvertTo-SecureString "pass123" -AsPlainText -force
$file="$env:temp\$CommonName.pfx"
$thumbprint=Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$CommonName"} | Select-Object Thumbprint -ExpandProperty "Thumbprint"
Export-PFXCertificate -cert cert:\LocalMachine\My\"$thumbprint" -file $file -Password $pass
Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pass

Run this commands in a PowerShell opened as administrator. The certificate you just issued can now be found in the Certificate Manager (CERTLM.MSC) Microsoft Management Console (mmc) under Trusted Root Certification Authorities and in Personal certificates.

Note. Set the PowerShell Execution Policy from Restricted to RemoteSigned or Unrestricted to allow local PowerShell scripts to run.

PS C:\> Set-ExecutionPolicy RemoteSigned

Configuring SSL with the IIS PowerShell Snap-in

The acquisition of certificates is not a simple matter and cannot be made without an issuer. The users of your web-site have to trust the certificate and that’s why you have to get it from a trusted Certificate Authority. For testing purposes you can deploy your own certificate however. For this walkthrough we will use a so-called self-signed certificate.

Now lets use the IIS PowerShell Snap-in to create an SSL binding and associate it with the certificate we just created.

Creating an Self-Signed SSL Certificates Binding

We are adding the SSL binding to the Default Web Site using one of the task-based cmdlets called New-WebBinding. First you need to import the WebAdministration module gained when installing the Web-Server Windows feature.

PS C:\> Import-Module WebAdministration
PS IIS:\> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

You can check the binding collection using the following command.

PS IIS:\> Get-WebBinding 'Default Web Site'

Assign the Certificate to IP:Port of the IIS Binding

You can CD into the IIS:\SslBindings directory and query the existing SSL bindings. The directory will be empty on an IIS default install.

PS IIS:\> cd IIS:\SslBindings
PS IIS:\SslBindings> gci

Now you can use the certificate thumbprint we got in the previous step to associate it with all IP addresses (0.0.0.0) and the SSL port 443.

PS IIS:\SslBindings> get-item cert:\LocalMachine\MY\"$thumbprint" | new-item 0.0.0.0!443

The previous command displaying the following SSL Binding.

IP Address       Port Store            Sites
----------       ---- -----            -----
0.0.0.0          443  My               Default Web Site

SSL is ready to go now and you can browse to your site by entering.

https://localhost

How to Create Self-Signed Certificate in PowerShell

Sometimes we need to create a self-signed certificate for websites over HTTPS. Especially in labs and for testing purposes, like testing a web app or for the intranet portal. This tutorial shows here with Windows 11, the procedure to easily issue and install self-signed certificates in PowerShell.

Content

Previously, you had to use makecert.exe such as included in the Windows SDK to create self-signed certificates. Since Windows 8 this can be done in PowerShell there has been the New-SelfSignedCertificate cmdlet. Self-signed certificates can be used for client and server authentication or code signing.

Using the New-SelfSignedCertificate cmdlet

Open PowerShell as Administrator and paste in the following commands.

New-SelfSignedCertificate -DnsName "localdomain.local", "dev.ops.local" -CertStoreLocation "cert:\LocalMachine\My"
$pass=ConvertTo-SecureString "pass123" -AsPlainText -force
$file="$env:temp\SelfSignedCert.pfx"
Export-PFXCertificate -cert cert:\LocalMachine\My\<Thumbprint output during first command> -file $file -Password $pass
Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pass

This example creates a self-signed SSL server certificate in the computer MY store. With the subject alternative name set to localdomain.local. dev.ops.local and Subject and Issuer name set to localdomain.local.

How to Create New Self-Signed Certificate with PowerShell

  Note. replace the placeholder for should be your thumbprint.

Note. Set the PowerShell Execution Policy from Restricted to RemoteSigned or Unrestricted to allow local PowerShell scripts to run.

PS C:\> Set-ExecutionPolicy RemoteSigned

After the self-signed certificate has been created. It is exported in PFX format so that it can then be imported into the certificate store.

The certificate you just issued can now be found in the Certificate Manager (CERTLM.MSC) of the Microsoft Management Console (mmc) under Trusted Root Certification Authorities.

Certificate Manager CERTLM.MSC of the Microsoft Management Console
Certificates – Local Computer: CERTLM.MSC

Automatic creating Self-Signed Certificate

To create self-signed certificate automated without any input, it does not require any further actions. It uses the computer name and if exist the domain name to issue the self-signed certificate.

New-SelfSignedCertificate -DnsName "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -CertStoreLocation "cert:\LocalMachine\My"
$pass=ConvertTo-SecureString "pass123" -AsPlainText -force
$file="$env:temp\SelfSignedCert.pfx"
$thumbprint=Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$env:COMPUTERNAME.$env:USERDNSDOMAIN"} | Select-Object Thumbprint -ExpandProperty "Thumbprint"
Export-PFXCertificate -cert cert:\LocalMachine\My\"$thumbprint" -file $file -Password $pass
Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pass

The thumbprint is written to the variable “$thumbprint” in line 4 so that it can then be append in the export command.

PS C:\> Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$env:COMPUTERNAME.$env:USERDNSDOMAIN"} | Select-Object Thumbprint

The self-signed certificate just created can shown with this command.

If the certificate requires a specific Common Name (CN), this script can be run. It prompts for a Common Name to create the self-signed certificate according to the URL.

$CommonName=Read-Host -Prompt 'Enter a Common Name (CN)'
if ($CommonName) {
	Write-Output "Self-Signed Certificate [$CommonName] processing.."
} else {
	Write-Warning -Message "Missing Common Name (CN)!"
	Break;
}
New-SelfSignedCertificate -DnsName "$CommonName" -CertStoreLocation "cert:\LocalMachine\My"
$pass=ConvertTo-SecureString "pass123" -AsPlainText -force
$file="$env:temp\$CommonName.pfx"
$thumbprint=Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Subject -Match "$CommonName"} | Select-Object Thumbprint -ExpandProperty "Thumbprint"
Export-PFXCertificate -cert cert:\LocalMachine\My\"$thumbprint" -file $file -Password $pass
Import-PfxCertificate -FilePath $file cert:\LocalMachine\root -Password $pass