Do we have recommendations on how to easily create a self-signed SSL/TLS certificate? The latter is required to switch a DMA from HTTP to HTTPS.
Hi Thomas
I usually use the OpenSSL tool. There are various guides online that can help you to get a self-signed certificate.
I found this website listing several options (including OpenSSL).
If you need more help, feel free to contact me.
Generating self-signed certificates can be done for development/testing purposes, but please don't use self-signed certificates on production systems. Either use an external Certificate Authority (in case your systems are externally accessible), or set up a local CA. If you have a Windows Domain Controller, then you can install the Certificate Authority role (AD CS). This way you can generate certificates using a template, and the certificates can be signed by the domain controller so that they are automatically trusted on every client machine joined to the domain.
Thanks to Laurens Moutton for providing the following instructions on how to create a self-signed certificate with PowerShell:
PS C:\Windows\system32> $cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname 10.90.232.70  # replace IP with DMA IP-address
PS C:\Windows\system32> $pwd = ConvertTo-SecureString -String 'selfchosenpassword' -Force -AsPlainText
PS C:\Windows\system32> $path = 'cert:\localMachine\my\' + $cert.thumbprint
PS C:\Windows\system32> Export-PfxCertificate -cert $path -FilePath c:\Temp\certip.pfx -Password $pwd
- Double-click on certip.pfx and add it to the trusted root certificate store.
- In IIS Manager:
  - Click on the server name and then on Server Certificates.
  - Click on Import, browse to certip.pfx and add it to the personal store.
  - Right-click on the default website and select Bindings. Then, for 443, link this to the certificate.
- Note: the password that is requested is the same one used in the command in $pwd.
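A variant of the commands above, added here as an example and not part of the original thread. It goes one step beyond them: the address is placed in an IPAddress subject alternative name entry, which is what a client matches when the URL uses an IP address, and a public-only certip.cer is exported for client machines so that the private key in certip.pfx stays on the server. The variable names, the C:\Temp folder, the certip.cer file name, the key size and the one-year lifetime are assumptions of this example.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
# Assumptions: $dmaIp, $outDir and the file names are placeholders for this example.
$dmaIp  = '10.90.232.70'      # replace with the DMA IP address
$outDir = 'C:\Temp'

# Subject Alternative Name (OID 2.5.29.17) with an IPAddress entry, so that a
# client connecting to https://<IP> can match the address against the certificate.
$san = "2.5.29.17={text}IPAddress=$dmaIp"

$cert = New-SelfSignedCertificate `
    -Subject "CN=$dmaIp" `
    -TextExtension @($san) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# Prompt for the PFX password instead of typing it on the command line,
# so it does not end up in the console history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# PFX = certificate + private key: only for the server (IIS import).
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'certip.pfx') `
    -Password $pfxPassword | Out-Null

# CER = certificate only, no private key: the file to hand to client machines.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'certip.cer') | Out-Null

# On each client (elevated), trust the certificate without handling the private key:
# Import-Certificate -FilePath 'C:\Temp\certip.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

# Check what was issued: thumbprint, expiry date and the SAN content.
$cert | Select-Object Thumbprint, NotAfter
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
```

The last command should list the IP address; the thumbprint it prints is the one to look for when selecting the certificate in the IIS binding for port 443.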
Hi Thomas, in the IIS manager application, you can select your server, and open the "Server Certificates". In the actions pane on the right-hand side, you will see several options to create certificates: "Create certificate request", "Create Domain Certificate" and "Create self-signed certificate".
As already mentioned, a self-signed certificate is mainly intended for test purposes and is not recognized by most browsers out of the box. It needs to be installed on each client individually. For production use, it is recommended to use either a domain certificate for systems that are only approached internally, or a certificate issued by an official certificate authority.
Hi Thomas,
While it’s not an answer to your question, instead of working with a self-signed certificate, it’s better to work with a real TLS certificate that you obtain through a Certificate Authority.
*A self-signed certificate will be flagged as insecure by your computer by default and needs to be installed on all client machines.