Howto: create and install a self-signed certificate for https


    Creating a self-signed certificate:

    1. You need the makecert.exe tool to create a certificate. makecert.exe comes with both Visual Studio and the Windows SDK, so just use either the Visual Studio Command Prompt or the Windows SDK command prompt and it will work straight out of the box, as it will be included in the command prompt path.

    To download and install the Windows SDK: https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx
    makecert is included in the ".NET Development > Tools" bucket.

    2. From the command line generate the Certificate Authority:

    makecert -n "CN=ImperiHomeCA" -r -sv ImperiHomeCA.pvk ImperiHomeCA.cer

    3. Then generate your certificate:

    makecert -sk ImperiHomeSignedByCA -iv ImperiHomeCA.pvk -n "CN=COMPUTERNAME" -ic ImperiHomeCA.cer ImperiHomeSignedByCA.cer -sr localmachine -ss My

    where COMPUTERNAME is the name of the computer on which you will install the certificate (i.e. your HS3 computer).


    Importing certificates into the Windows Certificate Store:

    4. On your HS3 computer, go to Start, then Run, type MMC and hit enter
    5. From the File menu choose Add-Remove Snap-In
    6. Select Certificates, click Add and then select Computer Account, accept all the defaults, then click OK.
    7. Drill down to "Certificates (Local Computer) > Personal", right-click on Personal, then click "All Tasks > Import"
    8. Browse to ImperiHomeSignedByCA.cer created in step 3, accept all the defaults, then click Finish
    9. Drill down to "Certificates (Local Computer) > Trusted Root Certification Authorities", right-click on "Trusted Root Certification Authorities", then click "All Tasks > Import"
    10. Browse to ImperiHomeCA.cer created in step 2, accept all the defaults, then click Finish


    Binding the certificate to port and application:


    11. From "Certificates (Local Computer) > Personal > Certificates", double click on your certificate, go to details tab, select thumbprint
    12. Copy the thumbprint value to a text editor (i.e. an alphanumeric string like 68 c5 80 9d cb 08 50 20 87 97 43 a4 ad 8c b5 fb bd e7 26 b1)
    13. From an Administrator command line, enter the following command:

    netsh http add sslcert ipport=0.0.0.0:8043 certhash=68c5809dcb085020879743a4ad8cb5fbbde726b1 appid={88b94b12-9683-43ee-ac20-825f76299a09}

    replacing 68c5809dcb085020879743a4ad8cb5fbbde726b1 with the thumbprint you got at step 12, without the spaces.
    By default ImperiHome uses 8043 as the port for https; if you want to use a different one, change it as well in the above command.
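
An added example (not part of the original post or of ImperiHome): a PowerShell check for steps 12 and 13 that strips spaces and any invisible characters from the pasted thumbprint, rejects an ipport that is not in address:port form, and confirms the certificate is in the machine's Personal store with its private key before calling netsh. The function names are hypothetical; the thumbprint is the sample value from step 12 and has to be replaced with your own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Get-CleanThumbprint and Test-IpPort are hypothetical helper names.
function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)
    # Drop spaces and any invisible characters copied along from the MMC dialog.
    $hex = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hex.Length)."
    }
    return $hex
}

function Test-IpPort {
    param([Parameter(Mandatory)][string]$IpPort)
    # netsh expects address:port; a value like 0.0.0.0.8043 is rejected here.
    if ($IpPort -notmatch '^(?<ip>\d{1,3}(\.\d{1,3}){3}):(?<port>\d{1,5})$') { return $false }
    $addr = $null
    $port = [int]$Matches['port']
    $ipOk = [System.Net.IPAddress]::TryParse($Matches['ip'], [ref]$addr)
    return ($ipOk -and $port -ge 1 -and $port -le 65535)
}

# Sample thumbprint from step 12; replace it with the one from your certificate.
$thumb  = Get-CleanThumbprint '68 c5 80 9d cb 08 50 20 87 97 43 a4 ad 8c b5 fb bd e7 26 b1'
$ipport = '0.0.0.0:8043'                               # default ImperiHome https port
$appid  = '{88b94b12-9683-43ee-ac20-825f76299a09}'     # appid from step 13

if (-not (Test-IpPort $ipport)) { throw "ipport must be address:port, got '$ipport'." }

# The binding needs the certificate in LocalMachine\My together with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key on this machine." }

& netsh http add sslcert "ipport=$ipport" "certhash=$thumb" "appid=$appid"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE." }

# Show what is now registered for that address and port.
& netsh http show sslcert "ipport=$ipport"
```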

    #2
    Spud

    I took a quick look at this last night. It seems that makecert has been deprecated and replaced with "New-SelfSignedCertificate" in Windows 10. I installed the Win 10 SDK and took a look at the docs for New-SelfSignedCertificate (https://technet.microsoft.com/library/hh848633) but have so far been unable to translate your makecert instructions to be compatible with New-SelfSignedCertificate. Unfortunately I no longer have admin access to any Win 7 machines, so only have my own Windows 10 boxes.

    Have you taken a look at this at all?

    Cheers
    James
    cheeryfool



      #3
      Originally posted by cheeryfool View Post
      Spud

      I took a quick look at this last night. It seems that makecert has been deprecated and replaced with "New-SelfSignedCertificate" in Windows 10. I installed the Win 10 SDK and took a look at the docs for New-SelfSignedCertificate (https://technet.microsoft.com/library/hh848633) but have so far been unable to translate your makecert instructions to be compatible with New-SelfSignedCertificate. Unfortunately I no longer have admin access to any Win 7 machines, so only have my own Windows 10 boxes.

      Have you taken a look at this at all?

      Cheers
      James
      I saw makecert was deprecated but I thought it was still part of the Win SDK, isn't it?



        #4
        Originally posted by spud View Post
        I saw makecert was deprecated but I thought it was still part of the Win SDK, isn't it?
        Seems to be a whole new suite for Win 10
        cheeryfool



          #5
          Originally posted by cheeryfool View Post
          Seems to be a whole new suite for Win 10
          yeah, but according to this: http://stackoverflow.com/questions/3...o-2015-install
          makecert still is in the Win 10 SDK



            #6
            Originally posted by spud View Post
            yeah, but according to this: http://stackoverflow.com/questions/3...o-2015-install
            makecert still is in the Win 10 SDK
            Seems it is. Let me try. Your Googling is better than mine!
            cheeryfool



              #7
              Originally posted by spud View Post
              Creating a self-signed certificate:
              FYI - StartCom offers free class 1 SSL certs.

              I just got done installing their cert to kick the tires w/ ImperiHome. (Also got it for HS3's SSL, so it's dual purpose for me.)



                #8
                Just FYI that I successfully did this with the PowerShell New-SelfSignedCertificate tool. Pretty easy - literally 30 seconds.

                1. Opened PowerShell in Admin mode and: New-SelfSignedCertificate -DnsName "servername" -CertStoreLocation "cert:\LocalMachine\My"
                This automatically creates AND imports the certificate to the location specified.

                2. Then I went into certificate management (steps 3-6 in original instructions), copied the certificate from personal into the Trusted Root Certification Authorities.

                3. Then I followed steps 11-13 as written.

                Jason
                Last edited by JasonJoel; November 9, 2016, 01:39 PM.
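
The three steps from post #8 as a script, as an added example that is not JasonJoel's own code: it creates the certificate, copies only the public certificate into Trusted Root Certification Authorities with Export-Certificate and Import-Certificate instead of the MMC copy, and prints the thumbprint for step 13. "servername" is the placeholder from the post, and the temporary .cer path is an assumption.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$dnsName = 'servername'                                        # placeholder from post #8
$cerPath = Join-Path $env:TEMP 'imperihome-selfsigned.cer'     # assumed temporary path

# Step 1: create the certificate and its private key in the machine's Personal store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# Step 2: put a copy into Trusted Root Certification Authorities.
# Export-Certificate writes the public certificate only, so the private key
# stays in the Personal store and is not duplicated into the Root store.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
$root = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Remove-Item $cerPath

# Check: both stores hold the same certificate, and it validates for TLS under this name.
if ($root.Thumbprint -ne $cert.Thumbprint) {
    throw 'The Root store copy does not match the new certificate.'
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $dnsName)) {
    Write-Warning "Certificate does not validate for $dnsName on this machine."
}

# Step 3: this value goes into certhash= in step 13; it already has no spaces.
$cert.Thumbprint
```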



                  #9
                  Successful at setting up https access

                  I was able to get all the way using the SDK, but when I executed this
                  netsh http add sslcert ipport=0.0.0.0:8043 certhash=68c5809dcb085020879743a4ad8cb5fbbde726b1 appid={88b94b12-9683-43ee-ac20-825f76299a09} with my thumbprint (hash), I get an error "The parameter is incorrect". I assume that the appid should be as in your instructions.

                  I tried it several times and I couldn't get past this point, and then discovered that I had the ipport set at 0.0.0.0.8043 instead of 0.0.0.0:8043. It doesn't take much to screw things up.

                  All is good. I can now access my Imperihome plug-in on HS3 with https through my dyn account.
                  Last edited by noopara; June 18, 2017, 03:22 PM.
