Dot Net Yuppie: Web design, SQL, and .NET for the young, up-and-coming developer

A reader recently asked about enabling SSL for a web application without the hassle of applying for a certificate from a commercial certificate authority. This article outlines the process of enabling HTTPS on a Windows XP machine running IIS 5.1, but the OpenSSL steps for creating your own certificate apply to just about any version of Windows.

What is a certificate?
A certificate is a file that binds a public key to an identity: the name of the website (the common name), the organization that runs it, a validity period, and a signature from whoever issued it. A client uses the public key in the certificate to set up an encrypted session with the server, and uses the signature and the name to decide whether the server is really the site it claims to be. The certificate itself is not secret; the matching private key, which stays on the server, is.

For the name in a certificate to mean anything, certificates are normally signed by a third party called a certificate authority (CA), which verifies that the server is who it says it is before signing. Browsers ship with a list of CAs they trust. Unfortunately, obtaining a certificate from one of those CAs costs money and takes time.

Why self-sign?
If you don't want to pay for a certificate from a commercial CA but still want an encrypted HTTP session, you can sign the certificate yourself. Self-signing simply means that instead of having a third party vouch for the server and its certificate, you act as the certificate authority. A client computer won't recognize your signature as trusted, so the session will be encrypted, but the client has no independent assurance of who is on the other end until it is told to trust your certificate (see the note about warnings below).

Obviously, if you're running a full-scale, professional website you'll want a certificate from a trusted CA, but if you're running small-scale web applications off a personal computer for your own use, there's no reason to spend money on one. Unfortunately, Windows XP doesn't make it easy to create your own certificate to enable SSL on your local machine.

How to create your own SSL certificate

  1. Download and install OpenSSL. The OpenSSL project doesn't distribute compiled binaries, but Shining Light Productions offers a Windows installer ("Win32 OpenSSL v0.9.8g Light" was current when this was written), about 1 MB, available from their site. Its default installation directory is c:\OpenSSL.
  2. Open the Web Server Certificate Wizard. Open IIS 5.1 (your results may vary in other versions), right-click 'Default Web Site' and select 'Properties'. Click the 'Directory Security' tab, and then the 'Server Certificate…' button. The wizard should appear.

  3. Create a new certificate request. Once in the wizard, select "Create a new certificate", then "Prepare the request now, but send it later". You can fill out the remainder of the certificate request as you see fit: for the most part, leave things at their default values, but set the website name, organization, organizational unit, common name, country and region to whatever you prefer. The common name should be the hostname clients will type into the browser (for example localhost or the machine's name), because browsers compare the two. At the end of the wizard it will ask where you want to save the certificate request (default c:\certreq.txt). Save it wherever you want, but keep the certreq.txt filename so the rest of the instructions work.
  4. Create the security certificate. Open a command-line window and type the following commands. This assumes that your OpenSSL directory is c:\OpenSSL and your certificate request is c:\certreq.txt.

    cd c:\OpenSSL\bin

    openssl genrsa -des3 -out CA.key 2048
    (This creates the private key of your own certificate authority, encrypted with a pass phrase that you will be asked for; make one up that is between 4 and 511 characters long. The original version of this article used a 1024-bit key, which is considered too weak today; 2048 bits is the current minimum.)

    openssl req -new -key CA.key -x509 -days 1095 -out CA.cer
    (This creates the self-signed CA certificate, valid for three years. You will have to enter the pass phrase from the previous step, and it will ask the same questions as IIS did; fill in the same answers or press Enter for the defaults. Give the CA a different common name from the website so the two certificates are easy to tell apart.)

    openssl x509 -req -days 730 -in c:\certreq.txt -CA CA.cer -CAkey CA.key -CAcreateserial -out SelfSignedCert.cer
    (This signs the request IIS generated with your CA, producing a server certificate valid for two years. You will have to enter the pass phrase again. -CAcreateserial writes a CA.srl file next to CA.cer that tracks the serial numbers you have issued; keep it if you sign more certificates later.)

  5. If all goes well, you will have a file at C:\OpenSSL\bin\SelfSignedCert.cer that is your server certificate. Strictly speaking, the self-signed certificate is CA.cer; SelfSignedCert.cer is signed by that private CA, which is what lets a client trust every certificate you issue by installing CA.cer once. Guard CA.key: anyone who gets it can issue certificates that your clients will trust.
  6. Open the Web Server Certificate Wizard again (from step 2). You’ll note that you have a new option, called “Process the pending request and install the certificate”. Select this option and target the path/filename to C:\OpenSSL\bin\SelfSignedCert.cer.
  7. Now you can enable SSL for any application on your server by right-clicking it, going to "Properties", then the "Directory Security" tab, and the "Edit…" button at the bottom.
  8. To enable SSL, select "Require secure channel (SSL)" and click OK. Note that this rejects plain HTTP requests for that application rather than redirecting them, so bookmarks and links must use https://.
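
The whole of step 4 as one unattended script, as an added example that is not part of the original article: it builds the private CA, stands in for the IIS wizard's request with a key and request generated by openssl, signs the request, and then runs the two checks a client should perform against the result. The hostname devbox.local, the names in the certificate subjects, the working directory, the subjectAltName extension and the choice to leave the keys unencrypted (so nothing prompts for a pass phrase) are assumptions made for the example; on the Windows XP machine the same openssl commands are typed into cmd.exe with the paths given in the article.

```shell
#!/bin/sh
# Added example (not from the original article): the article's step 4 as an
# unattended script, plus the client-side checks the article leaves out.
# Assumptions not in the original page: hostname "devbox.local", a server key
# and request generated here with openssl instead of the IIS wizard's
# certreq.txt, and unencrypted keys (no -des3 pass phrase) so nothing prompts.
# Needs the openssl command-line tool.

set -e

WORK="${WORK:-$(mktemp -d)}"       # where CA.key, CA.cer and the server files land
HOST="${HOST:-devbox.local}"       # must match the name clients type in the browser

# Private CA: key plus self-signed CA certificate (article step 4, first two
# commands). 2048 bits rather than the article's 1024, which is too weak today.
make_ca() {
    openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/CA.key" -x509 -days 1095 \
        -subj "/O=Dot Net Yuppie Test CA/CN=Dot Net Yuppie Root" \
        -out "$WORK/CA.cer" 2>/dev/null
}

# Stand-in for the IIS wizard's "Prepare the request now, but send it later".
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -subj "/CN=$HOST" -out "$WORK/certreq.txt" 2>/dev/null
}

# Sign the request with the private CA (article step 4, last command). The
# extension file adds a subjectAltName, which browsers now require for the
# hostname to match; the article's command issues a certificate without one.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
        > "$WORK/ext.cnf"
    openssl x509 -req -days 730 -in "$WORK/certreq.txt" \
        -CA "$WORK/CA.cer" -CAkey "$WORK/CA.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/SelfSignedCert.cer" 2>/dev/null
}

build_all() {
    make_ca
    make_csr
    sign_csr
}

# What a browser sees before CA.cer is trusted: the chain ends in an unknown
# issuer. Returns 0 when verification fails, which is the expected outcome.
verify_without_ca() {
    if openssl verify "$WORK/SelfSignedCert.cer" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# What a client should do instead of clicking through the warning: trust
# CA.cer explicitly and check the hostname against the certificate.
verify_with_ca() {
    openssl verify -CAfile "$WORK/CA.cer" -verify_hostname "$HOST" \
        "$WORK/SelfSignedCert.cer" >/dev/null 2>&1
}

# Fingerprint to read out to anyone who must click through the warning anyway,
# so they can compare it with what the browser displays before accepting.
cert_fingerprint() {
    openssl x509 -in "$WORK/SelfSignedCert.cer" -noout -fingerprint -sha256 \
        | cut -d= -f2
}

# Common name as written into the server certificate.
cert_subject_cn() {
    openssl x509 -in "$WORK/SelfSignedCert.cer" -noout -subject \
        | sed 's/.*CN *= *//'
}

build_all
echo "Server certificate for $(cert_subject_cn): $WORK/SelfSignedCert.cer"
echo "File to import into clients' trusted roots: $WORK/CA.cer"
echo "SHA-256 fingerprint: $(cert_fingerprint)"
```

`verify_without_ca` is the browser warning from the next section in command-line form; `verify_with_ca` passes only once the client has been given CA.cer, which is the file to import into each client's trusted root store rather than SelfSignedCert.cer, and the fingerprint is what to compare when a client cannot import it.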

A note about the warning to clients
Whenever a browser visits an HTTPS site whose certificate you issued yourself, it warns that the identity of the site cannot be verified. The warning makes sense: the certificate was signed by your CA.cer from step 4, and your CA is not in the browser's list of trusted certificate authorities. Simply clicking "accept" gives you an encrypted session, but no assurance that you are talking to your server rather than to something intercepting the connection, because an attacker can present an untrusted certificate just as easily as you can. The better fix, and the reason step 4 created a CA certificate at all, is to import CA.cer into the client's trusted root certificate store (on Windows, the Trusted Root Certification Authorities store); the warning then disappears for every certificate you issue. If you must click through instead, compare the fingerprint the browser displays with the one on the server first. Browsers also compare the hostname in the address bar with the common name you entered in the wizard, so connect using that name.

Conclusion
When Windows Server 2003 came out, Microsoft realized how essential it was to be able to enable SSL on the fly, so it made creating your own certificates much, much easier. For those still using XP, however, you're stuck with OpenSSL.

Keep in mind that this process is really only meant for personal applications and machines you control, where you can install CA.cer on every client. Users don't like to get unfriendly "unknown certificate" messages when they visit your site, and a site that trains them to click through such warnings is worse off than one with no SSL at all.

One Response to “Enabling SSL (HTTPS) for IIS in Windows XP”

  1. Arul Says:

    Hi,
    Quite useful... but how to create a client certificate?
