Massoud Mazar

Adding and removing Self Signed Certificates in IIS

It took me a little while to get a handle on creating and using self-signed certificates for IIS on Windows Server 2012. The problem was not so much running a couple of commands to create the certificate, but rather knowing where things end up and what to do when things go wrong.

This page provides two commands to create a self-signed certificate for use by IIS. I had to set the key length to 2048 so that the Chrome browser does not complain about the key:

cd C:\Program Files\Microsoft SDKs\Windows\v7.0\bin\
makecert -pe -n "CN=TestRootCA" -ss personal -sr LocalMachine -sky signature -r "TestRootCA.cer" -len 2048
makecert -pe -n "CN=contoso.skyspace.com" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "TestRootCA" -is personal -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 SPFTestCert.cer -len 2048 

As you can see, I had to install the Windows SDK for Windows 7 to get the "makecert" tool. You also need to replace "contoso.skyspace.com" with your own host name. Now, if you are like me and experiment by changing parameters and re-running these commands, you may get this error at some point:

Error: There are more than one matching certificate in the issuer's personal cert store

You may then try the "certmgr" tool, and even Internet Options, to remove the offending certificate, but you cannot find it there. It turns out that "LocalMachine" certificates can be found and removed with PowerShell commands like these:

get-item cert:\LocalMachine\Personal\* 
Remove-Item -Path cert:\LocalMachine\Personal\D4CF60A2CE8173167547375CB4F6A14856BDD1B7

The first command lists all certificates in the Personal store of LocalMachine, and the second deletes one of them using its ID (the thumbprint) returned by the first command.
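As an added example (my own script, not part of the original post), here is a PowerShell script that finds certificates sharing one subject in a LocalMachine store, which is the situation behind the "more than one matching certificate" error above, and removes all but the newest. It assumes the store name "personal" and the subject "CN=TestRootCA" from the makecert commands above; note that "-ss personal" creates a store literally named "personal", separate from the standard "My" store that certmgr shows as Personal, which is why the certificate is not visible there.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell;
# Remove-Item on the cert: drive needs administrator rights.
# Assumptions: store 'personal' (the literal store name makecert -ss personal
# creates) and subject 'CN=TestRootCA' from the makecert commands above.
param(
    [string]$StoreName = 'personal',
    [string]$Subject   = 'CN=TestRootCA',
    [switch]$Remove            # without -Remove the script only reports
)

$storePath = "cert:\LocalMachine\$StoreName"
if (-not (Test-Path $storePath)) {
    Write-Host "Store $storePath does not exist."
    return
}

# makecert looks the issuer up by subject (-in), so several certificates with
# the same subject in the store make that lookup ambiguous. Newest first.
$found = @(Get-ChildItem -Path $storePath |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending)

Write-Host ("{0} certificate(s) with subject '{1}' in {2}:" -f $found.Count, $Subject, $storePath)
$found | Format-Table Thumbprint, NotBefore, NotAfter, HasPrivateKey -AutoSize

if ($found.Count -le 1) { return }

# Keep the newest one; everything else is a leftover from earlier experiments.
$duplicates = $found | Select-Object -Skip 1
foreach ($cert in $duplicates) {
    $path = "$storePath\$($cert.Thumbprint)"
    if ($Remove) {
        # Add -DeleteKey (PowerShell 3.0 and later) to remove the private key too.
        Remove-Item -Path $path
        Write-Host "Removed $path"
    } else {
        Write-Host "Would remove $path (re-run with -Remove)"
    }
}
```

Run it once without -Remove to review the list, then with -Remove to clean up.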
