How to Create Self-Signed SSL Certificates in Windows 11

Enterprises face constant security threats from bad actors online. One principal tool to combat these threats is to implement always-on security using SSL encryption for all web traffic (HTTPS). CMS providers (such as Sitecore, Optimizely, and Adobe) require secure connections, even for development environments.

In most cases, buying cryptographic certificates for every developer's local dev environment isn't feasible, but you can easily obtain self-signed certificates for free. These certificates are OK to be used in local environments and will cover the security requirements during the solution's development. However, self-signed certificates should NEVER be used for production or public-facing websites.

PowerShell in Windows 11 includes the command New-SelfSignedCertificate. It provides more flexibility than the straightforward "Create Self-Signed Certificate" option in IIS, and it isn't as complicated to use as MakeCert.exe.

Below, I will provide a quick overview and guide for using self-signed certificates for local sites in IIS and avoiding the "invalid certificate" warning from the web browser. Before you start, make sure you have decided on a local DNS name for your site and that you have added that entry to your local hosts file. For this example, our local site will be named mysite.local.

Open a PowerShell window in Administrator mode and enter the following command:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mysite.local" -FriendlyName "MySiteCert" -NotAfter (Get-Date).AddYears(10)

This will create a self-signed certificate specific for mysite.local that is valid for 10 years. You can modify the number of years by changing the value in the AddYears function.

Once the certificate is created, copy it to the Trusted Root Certification Authorities store. Using the search function in Windows 11, type "certificate" until you see the "Manage computer certificates" option and open it. Follow these steps:

1. In the left panel, navigate to Certificates - Local Computer → Personal → Certificates

2. Locate the created certificate (in this example look under the Issued To column mysite.local, or under the Friendly Name column MySiteCert)
3. In the left panel, open (but don't navigate to) Certificates - Local Computer → Trusted Root Certification Authorities → Certificates
4. With the right mouse button, drag and drop the certificate to the location opened in the previous step
5. Select "Copy Here" in the popup menu

Open IIS, navigate to your site, and add an HTTPS binding. Make sure you enter the hostname, check the "Require Server Name Indication" checkbox, and select the SSL certificate MySiteCert (or the friendly name you entered during the certificate creation). Test your site by opening a web browser and entering https://mysite.local/, and you shouldn't get any invalid certificate warnings.

You can also create "star" self-signed certificates. Suppose you have several sites named app1.example.local, app2.example.local, etc. It is easier to create a single certificate with the common name example.local. To achieve this, enter the following command:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "*.example.local" -DnsName "example.local", "*.example.local" -FriendlyName "LocalStarCert" -NotAfter (Get-Date).AddYears(10)

Perform the same steps as for the single domain certificate. In IIS, use the same certificate in the HTTP binding for each site.