
For the development environment, I can create a self-signed certificate in IIS 7.5. But that certificate is SHA-1 and recently browsers have been complaining about it. When I open Firebug I see the following warning:

"This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1."

So my questions are:

1) Is there a way to create a self-signed certificate that is stronger than SHA-1?

2) If not, is there a way to tell the browser to stop showing these warnings?

UPDATE

I ended up using @vcsjones' answer, but that only got me so far. There were a couple of issues I had to resolve before making it work.

1) For some reason I could not import a certificate with a password, so I ended up creating one without.

2) When I imported the .pfx certificate via IIS, I kept getting "A specified logon session does not exist" when I tried to apply the new certificate in Edit Bindings. So I did a little research and found this SO answer to be useful, specifically Mike L's answer.

Another thing I would add is that when you are importing the certificate, please remember to select the .pfx certificate. The import wizard's default selection is *.cer, which you can import (a mistake I made), but then I was not able to see the certificate in IIS Server Certificates. When I looked closer, it was missing the little key in the icon. After some research I was able to repair it via the KB-889651 article. So make sure you import the .pfx and it will work without repairing.

Another note: if you are having trust issues with this certificate, import it into "Trusted Root Certificate Authority" as well.

CrnaStena

3 Answers


Sure. The makecert utility that is part of the Windows SDK can do that:

makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=localhost cert.cer

The -a parameter sets the hash algorithm. This spits out a PVK and a DER .cer file. You can of course also change the common name to anything you'd like, I just used localhost as an example. You can combine these into a PFX (what IIS prefers to use when importing a certificate) using pvk2pfx (also part of the SDK):

pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx

This just takes the two files makecert generated and combines them into a PKCS12 .pfx file.

With the resulting PFX file, you would open up IIS and import it under Server Certificates, then change your site's bindings to use the new certificate.

vcsjones

I am using a locked-down Windows 7 Enterprise computer at work and as such I am unable to install the Windows SDK to get access to makecert. Here's how I created my sha256 self-signed certificate (taken from https://core.telegram.org/bots/self-signed):

  1. Decide which directory you want to save your certificate in
  2. Create a text file in that directory called template.txt with the following contents:

    [NewRequest]
    ; At least one value must be set in this section
    Subject = "CN={your.domain.com}"
    KeyLength = 2048
    KeyAlgorithm = RSA
    HashAlgorithm = sha256
    ;MachineKeySet = true
    RequestType = Cert
    UseExistingKeySet=false ;generates a new private key (for export)
    Exportable = true ;makes the private key exportable with the PFX

  3. Replace {your.domain.com} with the address you'll use to access your site, e.g. "CN=localhost"

  4. Open up a command prompt and change to your certificate directory
  5. Run certreq -new template.txt RequestFileOut
  6. You'll need to know the serial number, so run certutil -store -user my to get a dump which includes the serial number
  7. Replace {SERIALNUMBER} with the serial number in the dump and {YOURDER}.crt with the name of the output file: certutil -user -store -split my {SERIALNUMBER} {YOURDER}.crt
  8. Replace {YOURDER}.crt with the name of the input file and {YOURPEM}.cer with the name of the output file: certutil -encode {YOURDER}.crt {YOURPEM}.cer
  9. Replace {your.domain.com} with your actual (test) domain name and {YOURPKCS}.pfx with the name of the output file: certutil -exportpfx -user {your.domain.com} {YOURPKCS}.pfx NoChain

After that I went to IIS Manager, Sites -> {site name} -> Bindings... (under "Edit Site"). I then clicked on https/443 because I already had it set up, Edit... and selected the new certificate from the list.

Firefox complained that my site was using a self-signed certificate so I just added it as an exception, and voilà! It worked!

CJ Dennis
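
Both answers end with a certificate file (the DER .cer from makecert, or the .crt and PEM .cer from certutil). Before rebinding the site in IIS it is worth confirming that the file really is SHA-256 signed, because the Firebug warning is about the certificate's signatureAlgorithm field, which is exactly what `-a sha256` and `HashAlgorithm = sha256` set. The script below is an added example, not code from the question or any of the answers: it reads that field with a minimal DER walk using only the Python standard library and accepts either DER or PEM input. The `constructed_certificate()` helper builds a stand-in with a placeholder body so the script runs offline; it is not a valid certificate and only the outer structure that is checked is faithful. On Windows, `certutil -dump cert.cer` shows the same field.

```python
"""Report which signature hash a certificate file carries (DER or PEM).
Added example, not code from the question or any answer. Standard library only:
a minimal DER walk over the outer Certificate SEQUENCE, so it works on the .cer
from makecert, the .crt from `certutil -split`, and the PEM from `certutil -encode`."""
import base64
import re
import sys

# Signature algorithm OIDs (RFC 3279 / RFC 4055) and the hash each one uses.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
}

def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _decode_oid(raw):
    """Decode OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(blob):
    """Accept DER or PEM bytes and return DER."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", blob))
    return blob

def signature_algorithm(blob):
    """Return (oid, name, hash) from the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(pem_to_der(blob), 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return (oid,) + SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))

def is_sha1_signed(blob):
    """True when the certificate would still trigger the SHA-1 browser warning."""
    return signature_algorithm(blob)[2] == "sha1"

def _tlv(tag, content):
    """Minimal DER encoder (short and long form lengths) for the constructed sample only."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def constructed_certificate(sig_oid):
    """Constructed stand-in for a .cer: placeholder tbsCertificate, faithful
    AlgorithmIdentifier, dummy signature. Not a valid certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 257)                           # forces a long-form length
    return _tlv(0x30, tbs + alg + sig)

def to_pem(der):
    """Wrap DER in PEM armor the way `certutil -encode` does."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # python check_sig_hash.py cert.cer ; with no argument, check the constructed SHA-1 sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_certificate("1.2.840.113549.1.1.5")
    oid, name, digest = signature_algorithm(blob)
    print(f"{oid} ({name}); SHA-1 warning expected: {is_sha1_signed(blob)}")
```

Run it with the path to the file you are about to import (`cert.cer`, `{YOURDER}.crt` or `{YOURPEM}.cer`); a result of `sha256WithRSAEncryption` means the SHA-1 warning is gone, while the separate "self-signed / untrusted" warning is only cleared by trusting the certificate as described in the question's update.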

Yeah, I got that "A specified logon session does not exist" error/warning message too.

I just clicked OK a second time and it accepted it.