I recently set up a new system to replace my Web and email server. Eventually, I'll get around to moving the old system's Secure Sockets Layer (SSL) server certificate to the new system, but the old system—an e-commerce system—will need that certificate for a few months to handle secure transactions. Therein lies a problem: How do I get a new SSL server certificate for the new system?
I'm not about to give VeriSign $349 just to acquire an SSL certificate that I'll need for only a few months. But if I want to access my new email server's Web mail feature from the road, SSL is a must. So how can I get a temporary certificate? I've set up Windows-based certificate servers in the past, but setting up a certificate server to generate one certificate is a time-consuming pain. Resigned to wasting an hour or two, I reached for the server CDs—and then I remembered something. I'd just installed the Microsoft Internet Information Services (IIS) 6.0 Resource Kit, and one of its tools had something to do with SSL. A quick check with the resource kit revealed a command-line tool called SelfSSL, and it turned out to be just what I needed.
A Little Background
Apparently, someone at Microsoft had the same need that I did: a way to create a simple self-signing SSL certificate and automatically install it on a Web server. If you're wondering what good a self-signed SSL certificate does, recall that SSL is supposed to accomplish two things: First, it lets you carry on an encrypted conversation over the Internet between your Web browser and a Web server, and second, it lets you verify that you're talking to a particular Web server. Of course, self-signed SSL certificates don't accomplish that second goal, but that's not a problem in this case. I just want email functionality without the danger of someone sniffing passwords. Again, it's just a short-term solution.
Making It Work
You run SelfSSL on the server that you want the certificate on. The tool takes several options, but I used three— /t, /v, and /n—as follows:
selfssl /t /v:200 /n:cn=web2.minasi.com
The /n option—the most important—lets you tell Self-SSL what to put in the certificate. In my case, I simply needed a certificate for a server named web2.minasi.com verifying that this server is indeed called "web2 .minasi.com." To do that, as you can see, I add
cn=<server-DNS-name>
after the /n option.
But what if I'm running more than one Web site on a given Web server? Or, what if I have just one Web site, but its name isn't web2.minasi.com—even though it's sitting on a system named web2.minasi.com? Either of these scenarios will generate a browser error message. To work around these potential problems, I can add the /s (for site) option. IIS identifies its sites internally with a number; simply type that site number after the /s option, and the certificate will match the site's name rather than the server's name.
The /t option saves you a step by automatically installing the new self-signed SSL certificate into the Web server's certificate store. The /v option specifies the number of days the certificate will be valid. I estimated that I'd decommission my old Web server within 6 or 7 months, so I specified /t:200. The option's default value is 7 days, which is probably adequate for those who simply want to set up a Web server for testing.
SelfSSL has just three more options—/k, /p, and /q. The /k option lets you specify a key length in bits—the default is 1024, and that's fine for me. The /p option lets you set the SSL port number—the default is 443, which is what most systems use for SSL, so the option's probably not usually necessary. The /q option tells SelfSSL to run quietly, with no output.
Right Time, Right Place
SelfSSL came in handy just when I needed it. From the moment I realized I could use SelfSSL to create a temporary certificate to the moment I fired up the tool and did the job, only 4 minutes elapsed. You gotta love that kind of service!
