How can I create self-signed certificate that is stronger than SHA-1?
Sure. The makecert utility that is part of the Windows SDK can do that:
makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=localhost cert.cer
The -a parameter sets the hash algorithm. This spits out a PVK and a DER .cer file. You can of course also change the common name to anything you'd like, I just used localhost as an example. You can combine these into a PFX (what IIS prefers to use when importing a certificate) using pvk2pfx (also part of the SDK):
pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx
This just takes the two files makecert generated and combines them into a PKCS12 .pfx file.
With the resulting PFX file, you would open up IIS and import it under Server Certificates, then change your site's bindings to use the new certificate.
I am using a locked-down Windows 7 Enterprise computer at work and as such I am unable to install the Windows SDK to get access to makecert. Here's how I created my sha256 self-signed certificate (taken from https://core.telegram.org/bots/self-signed):
- Decide which directory you want to save your certificate in
- Create a text file in that directory called template.txt with the following contents:

[NewRequest]
; At least one value must be set in this section
Subject = "CN={your.domain.com}"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
;MachineKeySet = true
RequestType = Cert
UseExistingKeySet=false ;generates a new private key (for export)
Exportable = true ;makes the private key exportable with the PFX

Replace {your.domain.com} with the address you'll use to access your site, e.g. "CN=localhost"
- Open up a command prompt and change to your certificate directory
- Run:
certreq -new template.txt RequestFileOut
- You'll need to know the serial number, so run:
certutil -store -user my
to get a dump which includes the serial number
- Replace {SERIALNUMBER} with the serial number in the dump and {YOURDER}.crt with the name of the output file:
certutil -user -store -split my {SERIALNUMBER} {YOURDER}.crt
- Replace {YOURDER}.crt with the name of the input file and {YOURPEM}.cer with the name of the output file:
certutil -encode {YOURDER}.crt {YOURPEM}.cer
- Replace {your.domain.com} with your actual (test) domain name and {YOURPKCS}.pfx with the name of the output file:
certutil -exportpfx -user {your.domain.com} {YOURPKCS}.pfx NoChain
After that I went to IIS Manager, Sites -> {site name} -> Bindings... (under "Edit Site"). I then clicked on https/443 because I already had it set up, Edit... and selected the new certificate from the list.
Firefox complained that my site was using a self-signed certificate so I just added it as an exception, and voilà! it worked!
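The two answers above describe the same pipeline with different tools (makecert/pvk2pfx versus certreq/certutil): generate a 2048-bit RSA key and a SHA-256-signed self-signed certificate, package it as a PFX, and bind it in IIS. What neither answer does is check the result. The script below is an added example, not code from either answer or from the Telegram page; it scripts the certreq/certutil route in PowerShell, then verifies that the certificate really is sha256RSA with a 2048-bit key before exporting it (the same check applies to a makecert-produced certificate), and finishes the IIS binding step that the answers do by hand. The subject name, working directory, PFX password and IIS site name are placeholder assumptions, and the IIS part assumes the WebAdministration module is installed and the script runs from an elevated prompt.

```powershell
# Added example: scripted version of the certreq/certutil procedure, with a check
# that the result is SHA-256 signed. Not from the original answers.
param(
    [string]$Subject     = 'localhost',              # assumed: CN to put in the cert
    [string]$WorkDir     = "$env:TEMP\selfsigned",   # assumed: where INF/PFX are written
    [string]$PfxPassword = 'ChangeMe!',              # assumed: protects the exported private key
    [string]$SiteName    = 'Default Web Site'        # assumed: IIS site to bind
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'template.inf'
$req = Join-Path $WorkDir 'request.out'
$pfx = Join-Path $WorkDir "$Subject.pfx"

# Same INF the certreq answer uses. The security-relevant knobs are KeyLength,
# HashAlgorithm and Exportable (needed so the private key can go into the PFX).
@"
[NewRequest]
Subject = "CN=$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
RequestType = Cert
UseExistingKeySet = false
Exportable = true
"@ | Set-Content -Path $inf -Encoding ASCII

# RequestType=Cert makes certreq generate the key and drop the self-signed
# certificate straight into the current user's Personal store (Cert:\CurrentUser\My).
& certreq.exe -new $inf $req | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Find the newest matching cert with a private key instead of copying a serial
# number out of a certutil dump by hand.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Subject in Cert:\CurrentUser\My" }

# The check the question is really about: refuse to continue if the certificate
# is still SHA-1 signed (sha1RSA) or the key is shorter than requested.
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName
$keySize = $cert.PublicKey.Key.KeySize
if ($sigAlg -ne 'sha256RSA') { throw "Unexpected signature algorithm: $sigAlg" }
if ($keySize -lt 2048)       { throw "Key too short: $keySize bits" }
Write-Host "Thumbprint $($cert.Thumbprint): $sigAlg, $keySize-bit RSA"

# Export to PKCS#12 with a password; the answer's certutil -exportpfx call without
# -p prompts for one interactively. The thumbprint is an unambiguous CertId.
& certutil.exe -user -p $PfxPassword -exportpfx my $cert.Thumbprint $pfx NoChain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx failed with exit code $LASTEXITCODE" }

# Import into the machine store (IIS reads certificates from LocalMachine\My) and
# bind it to the site's HTTPS binding, replacing the manual IIS Manager clicks.
& certutil.exe -p $PfxPassword -importpfx $pfx | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }
$machineCert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"

Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $machineCert | Out-Null
Write-Host "Bound $($machineCert.Thumbprint) to $SiteName on port 443"
```

Run it from an elevated PowerShell prompt on the IIS host. The PFX still contains an exportable private key protected only by the password you pass in, so delete it from the working directory once it is imported, and remember that a self-signed certificate proves nothing to clients beyond what you tell them to trust, which is why Firefox asks for an exception.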