Hello! I hope you’re all right. In the previous post, we learned how to generate self-signed SSL certificates on Windows Server 2019. We also saw that these certificates allow us to test the https protocol on our web pages, which is very useful for intranet use or web development. However, we saw that opening the page generated a security error message, and that it was necessary to modify the browser’s security policies and add an exception for the website to continue browsing. Even so, the browser still displayed a warning. To me in particular, this warning is really uncomfortable. These errors are generated because the certificates are not really valid: they are not signed by a trusted certifier but are self-signed by the local machine itself. That’s why I’m going to show you how to generate error-free SSL certificates.
Create a virtual certifier entity.
To generate these certificates, we need an open-source program called mkcert. Let me explain how this application works. Instead of generating self-signed certificates, it creates a local virtual certification authority that is added to the trusted root certification authorities. Now that the function of the program has been explained, please go to the download page and select the executable file.
This file is the program itself; there is no need to install it or download other dependencies. We only have to run it from a Command Prompt. For ease of use, I recommend placing the downloaded file in a dedicated folder and renaming it to mkcert.exe. To do this, right-click the newly downloaded file and select Properties. Then, in the box corresponding to the file name, enter the new value and press OK to save the changes.
Once the file is downloaded, you have to open a Command Prompt. To do so, press the Win+R combination and type CMD in the box.
Then in Command Prompt, you have to use the cd command to navigate to the folder where you placed the file. Then execute the following command:
The system will display a security warning indicating that a trusted root certificate will be installed for your certification authority. Accept the prompt to install the certificate.
If everything is OK, you will see a confirmation message on the console, with a warning that Firefox support is not yet available.
Generating certificates with mkcert
To generate a certificate, we just have to type the command mkcert followed by the domain name for which we want to generate the certificate. For example, if we want to generate it for the localhost site, we will use the following syntax:
Executing this command produces a digital certificate and a private key file in PEM format. This type of certificate is most commonly used on Mac, Linux, Apache or Nginx. To generate a certificate suitable for our Windows platform, however, it has to be in PKCS 12 format. To do so, add the -pkcs12 parameter, so that the syntax looks like this:
mkcert -pkcs12 localhost
When entering the command, we will see the following message in the cmd:
Please note that the encryption password is changeit, as seen in the Command Prompt. This password will be asked for later.
Installing the certificate.
First, locate the certificate you just generated. It is in the folder where you saved the program, and its name is localhost.p12. Once there, double-click it to start the installation. Select Local Machine and press Next to continue the installation.
The wizard will ask you to confirm the certificate you want to import.
Remember the encryption password I asked you to note? Now it’s time to enter it to install the certificate.
On the next screen, choose the first option.
Then check the options and press Finish to complete the import.
A message will confirm that the process has been successfully completed.
Binding the SSL certificate
Once we have created and installed the certificate, it is time to bind it to the website. To do this, we will use the Internet Information Services (IIS) Manager. To learn everything about this tool, I invite you to see our tutorial about IIS. First of all, we will check that the certificate is correctly installed. To do so, select the server in the left column, and in the central panel choose Server Certificates. Then, in the right column, click the Open Feature action.
The list of available certificates will open. For now, we’ll only see the one we just added.
Finally, we will bind the certificate to the website. To see how it’s done, check the link above. Here I only show you the correctly added certificate.
Testing the certificate on the website
In the same menu above, please select Browse *:443 (https). This action will launch the web page using the https protocol, which the SSL certificate makes possible.
In the web browser, we will see the padlock indicating that we are using https.
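The import, binding and test steps above can also be scripted. The following PowerShell is an added example, not part of the original walkthrough; it assumes an elevated session, that localhost.p12 was already generated in the current folder as described, and an IIS site named "Default Web Site" (a placeholder, use your own site name).

```powershell
# Added example: scripted equivalent of the wizard import, IIS binding and browser test.
# Assumptions: elevated PowerShell, IIS installed, localhost.p12 in the current folder.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: replace with the name of your site
$pfxPath  = Join-Path (Get-Location) 'localhost.p12'
# "changeit" is the PKCS 12 password mkcert printed when it created the file
$pfxPass  = ConvertTo-SecureString 'changeit' -AsPlainText -Force

if (-not (Test-Path $pfxPath)) { throw "Certificate file not found: $pfxPath" }

# Same as choosing "Local Machine" in the wizard: import into LocalMachine\My (Personal)
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass

# Check that the chain builds to a trusted root and that the name matches.
# -User validates in the current user's context, the one the browser runs in.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost' -User)) {
    throw 'The certificate does not validate for localhost; is the mkcert root installed?'
}

# Create the https binding on port 443 if the site does not have one yet
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}

# Attach the imported certificate (store name "My") to that binding.
# This call fails if another certificate is already bound to the same port.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Equivalent of "Browse *:443 (https)": the request throws if the certificate is not trusted
$response = Invoke-WebRequest -Uri 'https://localhost/' -UseBasicParsing
"HTTPS status: $($response.StatusCode), thumbprint: $($cert.Thumbprint)"
```

The folder printed by mkcert -CAROOT holds the private key of the local certification authority; anyone who obtains that key can issue certificates this machine will trust for any site, so keep it off shared folders and out of backups that leave the machine.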
Well, we have finally learned how to generate SSL certificates that do not cause security errors. It is important to note that these certificates are only valid on our local machine, so if we use them on other computers, they will not work. However, they are of tremendous help when developing locally. Personally, these articles that involve more research are my favorites. Before I say goodbye, I would like to invite you to our Telegram channel.