Can I use Active Directory as a CA for creating test SSL certificates for IIS?

We have an internal test version of our website, which is available (via internal DNS zones) as www.mysite.com.test

I'd like to create an SSL certificate for www.mysite.com.test, so that our testers don't get an invalid certificate warning (the 'real' certificate is bound to www.mysite.com).

I know how to create self-signed certs using OpenSSL, but I'm wondering if there's some way of associating the certificate authority with our Active Directory domain, so that any user on a PC that's a member of the domain will accept the self-signed cert without having to explicitly install it (or explicitly install the self-signing certificate authority as a trusted authority).

Any ideas?


You can add trusted roots through group policy. So make a self-signed cert, roll this out as a trusted root, then any cert you sign with it will be trusted.

Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

Setting up the MS Certificate Authority is not required.
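The workflow this answer describes, as an added PowerShell example that is not part of the original answer: create a self-signed root, issue a certificate for the test hostname signed by that root, export only the root's public certificate for distribution through the Trusted Root Certification Authorities policy, and check that the resulting chain validates for the hostname. It assumes an elevated session on a Windows machine that has the PKI cmdlets (New-SelfSignedCertificate, Export-Certificate, Test-Certificate); the hostname comes from the question, while the output directory, subject names and validity periods are constructed values.

```powershell
# Added example, not from the original answer. Assumes Windows with the PKI module
# and an elevated session. Hostname from the question; paths/names are constructed.
$hostName  = 'www.mysite.com.test'
$exportDir = 'C:\PKI'                                   # constructed path
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Self-signed root that is allowed to sign other certificates.
#    Basic Constraints (OID 2.5.29.19) marks it as a CA; pathlength=0 means it
#    may only issue end-entity certificates, not subordinate CAs.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=Internal Test Root CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')

# 2. Server certificate for the test site, signed by the root (so it is no
#    longer self-signed). -DnsName becomes the Subject Alternative Name, which
#    is what browsers match against the URL; -Type adds the Server Auth EKU.
$leaf = New-SelfSignedCertificate `
    -Type SSLServerAuthentication `
    -DnsName $hostName `
    -Signer $root `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export the root's public certificate only. Export-Certificate never writes
#    the private key, so this .cer is safe to import into the GPO at
#    Computer Configuration/Windows Settings/Security Settings/
#    Public Key Policies/Trusted Root Certification Authorities.
$rootCer = Join-Path $exportDir 'internal-test-root-ca.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null

# 4. For a single machine that is not domain-joined, the same .cer can be
#    imported into the local Trusted Root store instead of via GPO:
# Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root'

# 5. Check that the server certificate chains to a trusted root, carries the
#    Server Authentication EKU and is valid for the test hostname.
#    Returns $true once the root is trusted on this machine, $false otherwise.
Test-Certificate -Cert $leaf -Policy SSL -DNSName $hostName -EKU '1.3.6.1.5.5.7.3.1'

# The leaf's thumbprint is what the IIS HTTPS binding is pointed at.
$leaf.Thumbprint
```

The root's private key never leaves the machine where it was created; only the exported .cer is distributed, so a compromise of any tester's PC does not let anyone issue further certificates that the domain trusts. Test-Certificate is the useful pre-flight: if it returns $false on a domain-joined PC after the policy has refreshed, the root did not land in the Trusted Root store, which is exactly the situation that produces the browser warning the question is trying to avoid.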


If you have a server running the AD CS role issue a certificate, then it isn't self-signed anymore, it's issued by your internal CA. To answer the larger point, yes you can do this. You'll have to install the Active Directory Certificate Services role and create/distribute the certificates from there. No need to touch OpenSSL for this use case.


To answer your question exactly: no, you can't create a self-signed cert using Active Directory. However, I think your question is mixing different things.

  • Self-signed certificates are NOT issued by an authority (that's why they are self-signed)
  • You can integrate a certificate authority with Active Directory in order to automate server and user certificates.

For creating self-signed certs, you have plenty of options. The simplest one, if you're a Windows shop, is to do it through IIS (see this: http://technet.microsoft.com/library/cc753127%28WS.10%29). You can also do it with OpenSSL (quite messy but works), with the makecert.exe tool that comes with the .NET SDK or with a number of similar tools (I use my own tool for this but that's just me).

For integrating a CA with AD, the simplest way is to install the certificate services role on a machine and configure it for AD integration (although in your case, it doesn't seem to be a necessity unless you want to use it for other things).

Finally, you might want to create your own root that isn't integrated with AD. Unless you have to work with client certificate authentication, have many different servers (with different names) that you want to use in testing (and perhaps with automated testing) or if you want to be able to test some aspect of your application that uses special certificate properties or chaining, it's probably not worth the trouble.

In your case, assuming I understood it correctly and all you want to do is test your web app with a certificate, all I would do is generate a self-signed cert (using whatever tool you like best) and then install that certificate in the correct store on your test machine (to avoid certificate warnings and errors).