Redbex Reference Manual

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: Administrator's manual > Certificates

Using a self signed certificate

Warning: Self signed certificates are only useful under specific circumstances, e.g. when testing in new environments. Self signed certificates should never be used in production environments!

Self signed certificates can be created with the makecert.exe utility that is part of the Windows SDK (which is automatically installed if you have Visual Studio but can also be manually downloaded from Microsoft). makecert.exe can usually be found in C:\Program Files (x86)\Windows Kits\8.1\bin\x64\makecert.exe.

For managing certificates in Windows use the Microsoft Management Console (mmc.exe) with the Certificates Snap-In.

Step 1: Create a certificate authority certificate

Run cmd.exe as Administrator and use following command line to create a certificate for your own root certification authority:

makecert -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Redbex Developer Authority" -ss my -sr localmachine

Make sure you remember the passwords for which you are prompted. Replace the CN= with your preferred name for the root certification authority.

Open the Window's Management Console. Add the Certificate Snap-In for the local machine. The just created certificate can be found under Personal > Certificates

Using Drag&Drop move that certificate to Trusted Root Certification Authorities > Certificates

At this point you have created and installed your own trusted root certification authority.

Step 2: Create a certificate signed by that root authority

Run cmd.exe as Administrator and use following command line to create a certificate signed by the root certification authority we created above:

makecert -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n CN="localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

Make sure that the CN= matches the DNS name actually used by clients to connect to the server e.g. myserver.mydomain.com

Open the Window's Management Console (mmc.exe). Add the Certificate Snap-In for local machine.

The newly created certificate can be found in Personal > Certificates

Now we need to get the thumbprint of the certificate. Double click the certificate in the MMC. In the certificate window go to the details tab. get the value of the Thumbprint field there. Copy it to notepad and remove all spaces.

Step 3: Binding the certificate to a port

Windows must know which certificate to use when it gets a HTTPS request on a specific port. Binding a certificate to a port is done with the command line tool netsh.exe, you must run netsh.exe as Administrator.

netsh http add sslcert ipport=0.0.0.0:443 certhash=‎8fe8113bc8675339cf415849e6748123621a172 appid={00000000-0000-0000-0000-000000000000}

If you want to unbind the certificate from the port at a later time (e.g. when removing the test certificate and installing a new certificate you can use following command line:

netsh http delete sslcert ipport=0.0.0.0:443

For certhash use the thumbprint of the certificate. Make sure you bind to the right port (usually 443)