Creating and Applying SSL Certificate to Windows IIS

This is part six of a series of creating your own self-signed PKI and some ways to utilize the PKI to setup SSL for your web server or create your own OpenVPN server.

Disclaimer: I am not a security expert. This is just the easiest way I have found to create and utilize SSL for my homelab services.

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: WebDev IIS SSL
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: webdev.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify
  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server and Web Client Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting the Certificate

  1. In XCA, click on the Certificates tab
  2. Right click the SSL certificate > Export > File
  3. Set the file name with a .crt extension and verify the export format is PKCS #12 (*.p12)
  4. Enter a password to protect the .p12 export

Importing Certificate Into Windows Certificate Store

  1. Right click the Start Button > Run
  2. Type mmc.exe, press enter
  3. Click File > Add/Remove Snap-in...
  4. Click Certificates
  5. Click Add
  6. Select Computer account
  7. Click Next
  8. Select Local computer
  9. Click Finish
  10. Click OK
  11. Expand Certificates
  12. Right click the Personal folder > All Tasks > Import....
  13. Click Next
  14. Click Browse > Select the exported SSL .p12 file > Click Next
  15. Enter the password created for the .p12 export
  16. Verify Include all extended properties is checked
  17. Click Next
  18. Click Next
  19. Click Finish

Setting Up SSL in IIS

  1. Open IIS Manager (Control Panel > Administrative Tools > Internet Information Services (IIS) Manager)
  2. Expand Server
  3. Expand Sites
  4. Right click on the site to apply SSL certificate to > Edit Bindings...
  5. Click Add...
  6. Set Type dropdown to https
  7. Set IP address, Port and Host name fields
  8. Select the imported certificate from the SSL Certificate dropdown
  9. Click OK
  10. Open a web browser
  11. Navigate to https://DNSorIP from your certificate
  12. Click the lock and select view certificate
  13. Validate the certificate and certificate chain being presented by IIS