Creating a Self-Signed Wild Card SSL Certificate for Your Development Environment

Secure Sockets Layer (SSL) is a security standard used to ensure secure communication between a web server and a browser, and it is used in most modern web applications. As a developer it is prudent to set up your development environment to resemble production as closely as possible, including the security concerns. However, getting a full-fledged CA-issued SSL certificate for your development environment might not be the most cost-effective solution. Therefore this post summarizes the steps I take to create a self-signed wildcard certificate to be used in internal environments. My guide is based on this excellent post.

Create the Certificate

In order to create the certificate we will use the MakeCert.exe tool, which can be found at C:\Program Files (x86)\Windows Kits\8.1\bin\x64\. The following command creates the certificate and adds it to the logged-in user's personal certificate store:

makecert -r -pe -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.1 -ss My -n CN="*.wunder.local" -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048

Some of the notable flags:

  • -r - Indicates that we're creating a self-signed certificate.
  • -pe - Includes the private key in the certificate and makes it exportable.
  • -e - The expiry date of the certificate (mm/dd/yyyy).
  • -eku - The enhanced key usage OID; 1.3.6.1.5.5.7.3.1 is Server Authentication, which a web server certificate needs.
  • -n - The certificate's subject name; specify the wildcard name here (*.wunder.local matches a single label such as app.wunder.local).

    [Screenshot: Create Certificate]

Verify Creation

  1. Open a new Microsoft Management Console (mmc.exe).
  2. Add the Certificates Snap-In for My Account.
  3. Under the Personal node, ensure that the newly created certificate exists.

    [Screenshot: Verify Certificate]

Export Certificate

Next we export the certificate twice: once with the private key (.pfx) and once without (.cer).

  1. Within the same snap-in, right-click the certificate and select Export.

    [Screenshot: Export Certificate Menu]

  2. Select the option to export the private key.

    [Screenshots: Export Pfx Wizard 1 and 2]

  3. Provide a password to protect the private key.

    [Screenshots: Export Pfx Wizard 3 and 4]

  4. Provide a location to export the file.

    [Screenshots: Export Pfx Wizard 5 and 6]

  5. Next, export the .cer file. Repeat steps 1-4, but this time opt out of exporting the private key.

    [Screenshots: Export Cer Wizard 1 to 5]
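The create, verify and export steps above as one PowerShell script, added here as an example; it is not code from the original post. It uses the PKI module cmdlets shipped with Windows 10 / Server 2016 and later in place of makecert and the MMC wizard, mirroring the same flags (self-signed, exportable 2048-bit RSA exchange key, Server Authentication EKU, the SChannel provider, expiry 01/01/2099, current user's Personal store). The output folder C:\certs, the file names, the friendly name and the Read-Host prompt are assumptions. One difference worth knowing: New-SelfSignedCertificate -DnsName also writes the name into a Subject Alternative Name extension, which current browsers require before they will accept a certificate for a host, whereas makecert only sets the CN.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell session.
# Folder, file names, friendly name and the password prompt are assumptions.

$dnsName   = '*.wunder.local'                 # wildcard name, as in the makecert command
$exportDir = 'C:\certs'                       # assumed output folder
$pfxPath   = Join-Path $exportDir 'wunder-local-wildcard.pfx'
$cerPath   = Join-Path $exportDir 'wunder-local-wildcard.cer'

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Create: self-signed (no -Signer), exportable private key, 2048-bit RSA key usable
#    for key exchange, Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), same provider
#    as the makecert command, stored in the current user's Personal (My) store.
$cert = New-SelfSignedCertificate `
    -DnsName           $dnsName `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -KeySpec           KeyExchange `
    -KeyExportPolicy   Exportable `
    -Provider          'Microsoft RSA SChannel Cryptographic Provider' `
    -TextExtension     @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter          (Get-Date '2099-01-01') `
    -FriendlyName      'Dev wildcard for *.wunder.local'

# 2. Verify: the same check the Certificates snap-in gives you, without the GUI.
$found = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found)               { throw "Certificate $($cert.Thumbprint) not found in CurrentUser\My" }
if (-not $found.HasPrivateKey) { throw 'Certificate was created without a private key' }
"Created $($found.Subject), thumbprint $($found.Thumbprint), valid until $($found.NotAfter)"

# 3a. Export with the private key (.pfx), password protected. Read-Host keeps the
#     password out of the script and out of the shell history.
$pfxPassword = Read-Host -Prompt 'Password to protect the private key' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3b. Export the public certificate only (.cer, DER encoded) for the client machines.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

"Exported $pfxPath (holds the private key) and $cerPath (public certificate only)"
```

The .pfx is the file that contains the private key, so it deserves the same handling as any other credential; the .cer is the one that can be handed around freely.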


Now, we install the pfx on the web server and each of the client machines consuming the web application.

Web Server

  1. The easiest way to install the certificate is to right-click the .pfx file in Explorer and select Install PFX.

    [Screenshot: Install Pfx Wizard 1]

  2. This launches the Certificate Import Wizard. Select Local Machine as the store location.

    [Screenshots: Install Pfx Wizard 2 and 3]

  3. Provide the password for the private key.

    [Screenshot: Install Pfx Wizard 4]

  4. Ensure that the certificate is installed under the Personal store.

    [Screenshots: Install Pfx Wizard 5 to 7]

Navigate to Internet Information Services (IIS) Manager and make sure that the certificate is visible.

    [Screenshot: Verify Certificate in IIS]

Bind the certificate to the SSL Port and configure the web application as necessary.

Client Machines

Each of the client machines accessing the web application has to trust the new certificate. This is done by adding the certificate to the Trusted Root Certification Authorities store; the exported .cer file, which carries no private key, is all a client needs for this.

  1. On the client machine, right-click the certificate and select Install from the menu. In the wizard, select Local Machine as the store location.

    [Screenshot: Install as Trusted Authority 1]

  2. Add the certificate to the Trusted Root Certification Authorities store.

    [Screenshots: Install as Trusted Authority 2 to 4]
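The Web Server and Client Machines steps above as PowerShell, added here as an example; it is not the post's own code. Install-DevServerCertificate mirrors the Install PFX wizard plus the IIS check and binding, and assumes the WebAdministration module, a site named 'Default Web Site' and port 443. Install-DevClientTrust mirrors the Trusted Root import on a client and then confirms that the certificate chain validates. The function names, file paths and site name are assumptions; run each function elevated on the machine it is meant for.

```powershell
# Added example, not code from the original post. Function names, paths, site name and
# port are assumptions. Run elevated on the relevant machine.

function Install-DevServerCertificate {
    # Web server: import the .pfx (certificate + private key) into the Local Machine
    # Personal store and bind it to the HTTPS port of an IIS site.
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [string] $SiteName = 'Default Web Site',   # assumed IIS site name
        [int]    $Port     = 443
    )
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

    # Same check as "make sure the certificate is visible" in IIS Manager.
    $inStore = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $inStore) { throw "Import of $PfxPath did not land in LocalMachine\My" }

    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port | Out-Null
    }
    # IIS:\SslBindings maps <ip>!<port> to a certificate; 0.0.0.0 means every address.
    $sslBindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslBindingPath) { Remove-Item $sslBindingPath }
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslBindingPath | Out-Null

    "Bound $($cert.Subject) ($($cert.Thumbprint)) to https port $Port on '$SiteName'"
}

function Install-DevClientTrust {
    # Client machine: trust the public certificate only. The .cer holds no private key,
    # which is all a client needs; the .pfx stays on the web server.
    param([Parameter(Mandatory)] [string] $CerPath)

    $cert = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'

    # Confirm the chain now builds: a self-signed certificate validates only once it is
    # present as its own trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: no CRL/OCSP to consult
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
        throw "$($cert.Subject) is still not trusted on this machine"
    }
    "Trusted $($cert.Subject) until $($cert.NotAfter)"
}

# Usage (assumed paths):
#   On the web server:  Install-DevServerCertificate -PfxPath 'C:\certs\wunder-local-wildcard.pfx'
#   On each client:     Install-DevClientTrust -CerPath 'C:\certs\wunder-local-wildcard.cer'
```

Removing an existing SslBindings entry before creating the new one keeps the function re-runnable when the certificate is regenerated; the chain check at the end is the same test a browser performs when it decides whether to show a certificate warning for the site.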

Final Thoughts

  • As suggested in the original article, this would be a good time to check the certificates into source control so that the entire development team has access to the same files.
  • While Makecert.exe was used to create the certificate, there are other options such as OpenSSL that would work just the same.

