Using SelfSSL to create your own SSL certificates for IIS 6
Posted on December 28th, 2006
If you are developing a web site using ASP.NET or any other language served by IIS, you will not be able to serve HTTPS pages unless an SSL certificate is installed. Most companies pay good money for certificates from vendors like Verisign or Thawte for their live production boxes, but for development boxes safely tucked behind the corporate firewall it would be silly to pay for a full-blown certificate. If you are a developer living under the tyranny that is Sarbanes-Oxley, you probably don’t have the option of simply exporting the certificate from your production box and importing a copy on your dev box, and if portions of your site such as the “my account” page require a secure connection, you might find yourself unable to do your work without a certificate.
Some certificate vendors try to meet this need by selling “development” certificates at a lower price, but if you are using IIS 6 you can generate your own certificates for this kind of situation with a little tool from Microsoft called SelfSSL.
SelfSSL is part of the Microsoft Internet Information Services (IIS) 6.0 Resource Kit which can be downloaded here.
To create a certificate, download and install the resource kit, making sure that SelfSSL was included in the list of items being installed. Once the installation is complete you can access SelfSSL by clicking on Start > Programs > IIS Resources > SelfSSL, and then click SelfSSL.
This will open a command prompt window. To see a list of command line options, type SelfSSL /? and press ENTER. To install a certificate in the default web site, type "selfssl /T /V:365" and press ENTER. The /T option adds the certificate to your machine’s trusted certificates store (a good idea, since otherwise browsers on that machine will warn about an untrusted issuer), and /V:365 specifies the number of days the certificate will be valid. I don’t know if there is an upper limit to how long the cert can be valid, but I’ve tried it as high as 700 days and it still worked fine.
I said above that this method will install the cert in the default web site. It is more accurate to say that this will install the cert in the web site that has a Site ID number of 1. Before dealing with this utility I had never heard of any kind of Site ID before, and this gave me a lot of trouble. It turns out that this is a unique number that IIS uses behind the scenes to tell the different web sites apart. The number is assigned when you create the site and does not change. The default web site that comes pre-made with IIS has a Site ID of 1, but if you have deleted it, even if you create another one with the same name, it will not have the same ID.
That is exactly what happened to me. I had deleted the default site, and when I ran the SelfSSL tool using the command I gave above, it failed and said “Error opening site metabase key: 0x80070003”. After a while of pulling my hair out and finding nothing useful on Google, I figured out that the default site number of 1 didn’t exist anymore. I had five sites installed, so I tried using the /S switch to specify the site number and didn’t have any luck at all. I tried /S:2, /S:3, all the way up to twenty-something and still couldn’t get it to work. I hunted all over the IIS manager tool and could not find anywhere that showed what the ID numbers were.
The answer, ironically, came from a utility contained within that same IIS resource kit that you have just installed! One of the other utilities is one called the IIS Metabase Explorer, and all the info is contained in there. Open it up and expand the LM node, then expand the W3SVC node, and you will see a list of the site IDs. In my case the ID was 1,169,018,952. It would have taken me quite a while to guess that one, huh? Once you know the ID you can go back to SelfSSL and use the /S switch to generate the cert for the correct site.
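To save the guessing described above, the site IDs can also be read from the metabase with the IIS ADSI provider and fed straight to the /S switch. This is an added example, not part of the original post or the resource kit; it assumes the IIS 6 ADSI provider is available, that selfssl.exe is on the PATH, and that "Dev Site" is a placeholder for the friendly name shown in IIS Manager.

```powershell
# Added example (not from the original post): list IIS 6 site IDs from the
# metabase, then run SelfSSL against the site picked by its friendly name.
# Assumptions: IIS 6 ADSI provider present, selfssl.exe on PATH,
# "Dev Site" is a placeholder for the ServerComment shown in IIS Manager.
$targetComment = "Dev Site"
$validDays     = 365

# W3SVC children of class IIsWebServer are the web sites. Their Name is the
# numeric Site ID the metabase uses (what SelfSSL /S expects); ServerComment
# is the display name IIS Manager shows.
$w3svc = [ADSI]"IIS://localhost/W3SVC"
$sites = @($w3svc.Children | Where-Object { $_.SchemaClassName -eq "IIsWebServer" })

foreach ($s in $sites) {
    "{0,-14} {1}" -f $s.Name, [string]$s.ServerComment
}

$target = @($sites | Where-Object { [string]$_.ServerComment -eq $targetComment })
if ($target.Count -ne 1) {
    throw "Expected exactly one site named '$targetComment', found $($target.Count)"
}
$siteId = [string]$target[0].Name

# /S selects the site by ID, /V sets validity in days, /T adds the self-signed
# cert to this machine's trusted store (dev box only; never copy it elsewhere).
& selfssl.exe /T /V:$validDays /S:$siteId
```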
The IIS Metabase Explorer is actually a nifty little utility that I might eventually cover in another post.