With all the security issues and hacking incidents popping up in the news lately, it has become fundamental to implement websites with security always turned on. CMS providers (such as Sitecore and Episerver) have begun to require secure connections, even for development environments. In most cases it isn't feasible to buy cryptographic certificates for every developer's local dev environment, but you can easily obtain self-signed certificates for free. These certificates are OK to be used in local environments and will cover the security requirements during the development of the solution. However, self-signed certificates should NEVER be used for production or public-facing websites.
PowerShell in Windows 10 includes the command New-SelfSignedCertificate. It provides more flexibility than the very simple "Create Self-Signed Certificate" option in IIS, and it isn't as complicated to use as MakeCert.exe. You can find a full reference for this command here.
Below I will provide a quick overview and guide for using self-signed certificates for local sites in IIS - and avoid the "invalid certificate" warning from the web browser. Before you start, make sure you have decided on a local DNS name for your site, and that you have added that entry to your local hosts file. For this example, our local site will be named "mysite.local"
Open a PowerShell window in Administrator mode, and enter the following command:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mysite.local" -FriendlyName "MySiteCert" -NotAfter (Get-Date).AddYears(10)
This will create a self-signed certificate specific for mysite.local that is valid for 10 years. You can modify the number of years by changing the value in the AddYears function.
Once the certificate is created, you should copy it to the Trusted Root Certification Authorities store. Using Cortana search in Windows 10, type "certificate" until you see the "Manage computer certificates" option and open it. Follow these steps:
- In the left panel, navigate to Certificates - Local Computer → Personal → Certificates
- Locate the created certificate (in this example look under the Issued To column "mysite.local", or under the Friendly Name column "MySiteCert")
- In the left panel, open (but don't navigate to) Certificates - Local Computer → Trusted Root Certification Authorities → Certificates
- With the right mouse button, drag and drop the certificate to the location opened in the previous step
- Select "Copy Here" in the popup menu
Open IIS, navigate to your site, and add an https binding to it. Make sure you enter the host name, check the "Require Server Name Indication" checkbox, and select the SSL certificate "MySiteCert" (or the friendly name you entered during the certificate creation). Test your site by opening a web browser and entering "https://mysite.local/", and you shouldn't be getting any invalid certificate warnings.
You can also create "star" self-signed certificates. Suppose you have several sites named "app1.example.local", "app2.example.local", etc. It is easier to create a single certificate with the common name "example.local". To achieve this, enter the following command:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "*.example.local" -DnsName "example.local", "*.example.local" -FriendlyName "LocalStarCert" -NotAfter (Get-Date).AddYears(10)
And perform the same steps as the single domain certificate. In IIS, use the same certificate in the https binding for each site.