Self-signed Certificate
From MgmtWiki
Full Definition or Meme
An authority's root of trust (the root CA certificate) is a Self-signed Certificate: its Issuer and Subject are the same name and its signature was made with the very key the certificate carries, so nothing outside the certificate vouches for it. It is trusted only because someone chose to install it as trusted.
Context
A federation or public chain of trust is rooted in a Self-signed Certificate; every certificate below it is trusted only because the relying party has chosen to trust that root.
Problem
- Self-signed certificates are not trusted by a client computer's browser until they are placed in the Trusted Root store of either the Current User or the Local Computer. Until then every client that reaches the server sees a trust warning, and anyone who can get a self-signed certificate into that store can impersonate any site, so install only the certificate you generated yourself, and only its public part.
- To further confuse the issue, the store names used by the Windows APIs and PowerShell DO NOT MATCH the folder names shown in the Certificates snap-in.
- The "Personal" folder is "My"; this is where the server's certificate and its private key must be for the server (for example IIS) to use it.
- The "Trusted Root Certification Authorities" folder is "Root"; this is where the certificate (public part only, no private key) must be for a client, like the browser, to trust it.
Solution
In most cases it is important that you understand the store where the certificate will be installed: the Current User and Local Computer stores are separate, and the server looks in My while the client looks in Root.
on Windows Powershell
- Context: run PowerShell with admin credentials (elevation is required to write to the LocalMachine stores; CurrentUser\My works without it, but IIS cannot use a key stored there). See the New-SelfSignedCertificate documentation.
- Navigate to the targeted store, for example PS C:\WINDOWS\system32> cd cert:\currentUser\my
- A directory listing (dir) of that store shows every certificate in it, including any that were created as a root of trust.
- PS Cert:\currentUser\my> New-SelfSignedCertificate -DnsName "trustregistry.us" -KeyUsage DigitalSignature -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048
- This command does not specify the NotAfter parameter. Therefore, the certificate expires one year after creation. Note that only DigitalSignature is requested; RSA key-exchange cipher suites also need KeyEncipherment, so add it if the certificate will serve TLS to clients that do not negotiate ECDHE.
- Inspecting the new certificate by the first characters of its thumbprint (the thumbprint is the store's file name; Issuer equals Subject, which is what makes it self-signed):
PS Cert:\currentUser\my> dir D4* | select -property *
  PSPath                   : Microsoft.PowerShell.Security\Certificate::currentUser\my\D48B2564777B0769C2E000E0745CB694FC2682F8
  PSParentPath             : Microsoft.PowerShell.Security\Certificate::currentUser\my
  PSChildName              : D48B2564777B0769C2E000E0745CB694FC2682F8
  PSDrive                  : Cert
  PSProvider               : Microsoft.PowerShell.Security\Certificate
  PSIsContainer            : False
  EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
  DnsNameList              : {trustregistry.us}
  SendAsTrustedIssuer      : False
  EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
  EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
  PolicyId                 :
  Archived                 : False
  Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
  FriendlyName             :
  IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
  NotAfter                 : 2021-05-20 10:22:22 AM
  NotBefore                : 2020-05-20 10:02:22 AM
  HasPrivateKey            : True
  PrivateKey               :
  PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
  RawData                  : {48, 130, 3, 45...}
  SerialNumber             : 2C85075BA270549C4E819F275880F6DC
  SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
  SignatureAlgorithm       : System.Security.Cryptography.Oid
  Thumbprint               : D48B2564777B0769C2E000E0745CB694FC2682F8
  Version                  : 3
  Handle                   : 2166495813200
  Issuer                   : CN=trustregistry.us
  Subject                  : CN=trustregistry.us
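The whole procedure end to end, as an added example that is not part of the original page: it creates the certificate in LocalMachine\My (the store IIS reads), uses an X509Chain build to show why a client rejects it, copies only the public half into Root, and shows the same chain build succeeding. The host name, the two-year validity, the temp-file path and the Test-ChainTrust helper are assumptions for illustration; the session must be elevated.

```powershell
# Added example, not from the original page. Assumptions: host name, validity,
# temp path, helper name. Run elevated: it writes to Cert:\LocalMachine\My and \Root.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$dnsName = 'trustregistry.us'

# Builds the chain the way a client does and reports the result; True only when
# the chain ends in a certificate present in the Root store.
function Test-ChainTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed certificate carries no CRL/OCSP pointers, so skip revocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    Write-Host ("{0}: trusted={1} status={2}" -f $Certificate.Thumbprint, $trusted, $status)
    return $trusted
}

# 1. Key and certificate go into LocalMachine\My ("Personal"), the only store IIS uses.
#    KeyEncipherment is added so RSA key-exchange suites work as well as ECDHE.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# 2. Nothing vouches for the root yet: chain status is UntrustedRoot.
$before = Test-ChainTrust $cert

# 3. Export the public half only. A .pfx would carry the private key; never hand that out.
$cerPath = Join-Path $env:TEMP "$dnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 4. Clients that use the Windows store trust it once the public half is in Root
#    ("Trusted Root Certification Authorities").
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. The same chain now builds with no status flags.
$after = Test-ChainTrust $cert

# 6. Sanity checks: the private key stays in My; the Root copy came from the .cer and
#    should report no private key.
$inMy   = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$inRoot = Get-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
Write-Host "HasPrivateKey in My: $($inMy.HasPrivateKey)   in Root: $($inRoot.HasPrivateKey)"
if ($before -or -not $after -or -not $inMy.HasPrivateKey) { throw 'unexpected trust state' }
```

To undo the example, remove both entries with Remove-Item on the two Cert: paths above (the one in My takes the private key with it when you add -DeleteKey). Importing into CurrentUser\Root instead of LocalMachine\Root works without elevation but Windows pops a confirmation dialog, which is the same warning a user sees when a site asks them to install a root.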
on Windows with IIS
- Context: Windows IIS 7 (or later) hosting the service that needs an SSL certificate; the certificate and key are created in LocalMachine\My.
- Click on the Windows icon in the taskbar, Search for IIS, and open Internet Information Services (IIS) Manager.
- Click on the name of the server in the Connections column on the left. Double click the Server Certificates icon.
- In the Actions column on the right hand side, click on Create Self Signed Certificate.
- Enter the friendly name you wish to use to identify the certificate, and then click OK.
- You now have an IIS self-signed certificate, valid for one year, listed under Server Certificates. Its common name is the server's machine name, so browsers will still warn unless the name they connect to matches it and the certificate has been placed in their Root store.
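The same IIS steps done from PowerShell instead of IIS Manager, as an added example that is not part of the original page. It assumes the site is 'Default Web Site', the host name is trustregistry.us and the port is 443; it finds (or creates) the certificate in LocalMachine\My, adds the https binding and attaches the certificate to the listener. It needs an elevated session and the WebAdministration module that ships with the IIS management tools.

```powershell
# Added example, not from the original page. Assumptions: site name, host name, port.
# Run elevated; WebAdministration is installed with the IIS management tools.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$dnsName  = 'trustregistry.us'
$siteName = 'Default Web Site'

# IIS reads the certificate and its private key from LocalMachine\My ("Personal"),
# never from CurrentUser\My, so look there and take the newest one that has a key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    # Equivalent of "Create Self Signed Certificate" in IIS Manager, but with a DNS
    # name of our choosing instead of the machine name.
    $cert = New-SelfSignedCertificate -DnsName $dnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage DigitalSignature, KeyEncipherment
}

# Site Bindings > Add (https, all addresses, 443), unless it already exists.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the HTTP.SYS listener. Path form is <ip>!<port>;
# 0.0.0.0 means all addresses. Replace any certificate already bound there.
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
New-Item -Path $bindingPath -Value $cert | Out-Null

# Read the binding back and confirm the listener uses the key we expect.
$bound = Get-Item $bindingPath
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "listener uses $($bound.Thumbprint), expected $($cert.Thumbprint)"
}
Write-Host "https://$dnsName/ on '$siteName' serves $($cert.Thumbprint), expires $($cert.NotAfter)"
# Clients still get a warning until the public half of this certificate is in their Root store.
```

netsh http show sslcert ipport=0.0.0.0:443 shows the same binding from the HTTP.SYS side, which is useful when IIS Manager and the listener disagree about which certificate is in use.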