This post is a collection of information which I found all over the internet. I'm posting it as a reference for myself. I need to set up a development environment where a team of developers can develop multiple projects which use and test web applications over HTTPS.
Step 1: Create a root cert. This is the cert that will be shared across the team.
Here is a cmd file which creates a root cert named after its first parameter (%1):
Using makecert and pvk2pfx:
setlocal
set "PATH=C:\Program Files (x86)\Windows Kits\8.1\bin\x64;%PATH%"
rem Self-signed (-r) CA cert (-cy authority): private key to %1.pvk, public cert to %1.cer. sha256 instead of sha1, since current browsers reject SHA-1 signed certs.
makecert.exe -r -n "CN=%1" -pe -sv %1.pvk -a sha256 -len 2048 -b 01/01/2014 -e 01/21/2030 -cy authority %1.cer
rem Bundle key and cert into a .pfx so the root can be backed up or moved to the machine that signs project certs.
pvk2pfx.exe -pvk %1.pvk -spc %1.cer -pfx %1.pfx
Or using openssl:
setlocal
set "PATH=C:\Program Files (x86)\Git\bin;%PATH%"
rem -des3 passphrase-protects the key; -subj sets the Common Name so req does not prompt for it.
openssl genrsa -des3 -out %1.key 4096
openssl req -new -x509 -days 365 -key %1.key -subj "/CN=%1" -out %1.crt
This cmd can be used as follows:
createRootCert.cmd TeamDevelopmentRoot
Step 2: Create a project cert.
Now that the root cert is created, each project requires its own cert, signed by the root. It is very IMPORTANT that the cert name (the CN) matches the host name of the project's IIS URL!
Using makecert and pvk2pfx:
setlocal
set "PATH=C:\Program Files (x86)\Windows Kits\8.1\bin\x64;%PATH%"
rem Issued by the root (-iv/-ic = root key and cert), exchange key (-sky), EKU serverAuth (1.3.6.1.5.5.7.3.1); adjust -b/-e to the validity you need.
rem makecert cannot add a subjectAltName, which Chrome 58+ requires, so prefer the openssl variant below for browser testing.
makecert.exe -iv %2.pvk -ic %2.cer -n "CN=%1" -pe -sv %1.pvk -a sha256 -len 2048 -b 01/21/2010 -e 01/21/2020 -sky exchange -eku 1.3.6.1.5.5.7.3.1 %1.cer
pvk2pfx.exe -pvk %1.pvk -spc %1.cer -pfx %1.pfx
Or using openssl:
setlocal
set "PATH=C:\Program Files (x86)\Git\bin;%PATH%"
openssl genrsa -des3 -out %1.key 4096
openssl req -new -key %1.key -subj "/CN=%1" -out %1.csr
rem Put the host name into a subjectAltName (browsers no longer look at the CN) and let -CAcreateserial keep a counter in %2.srl, because a second cert from the same issuer with serial 01 is rejected by browsers.
>%1.ext echo subjectAltName=DNS:%1
openssl x509 -req -days 365 -in %1.csr -CA %2.crt -CAkey %2.key -CAcreateserial -extfile %1.ext -out %1.crt
openssl pkcs12 -export -out %1.pfx -inkey %1.key -in %1.crt -certfile %2.crt
This can be used like this:
createProjectCertFromRoot.cmd webprojectx TeamDevelopmentRoot
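The openssl path of Steps 1 and 2 as a POSIX shell script, written as an added example (not the post's cmd files), with the checks I would run on the files before handing them to the team: that the project cert chains to the root, carries the serverAuth EKU, and names the host in a subjectAltName, which Chrome 58 and later require (the CN alone is ignored). It assumes openssl 1.1.1 or newer on PATH (Git for Windows' bash works too); the certificate names are the post's own, the working directory, the export password `changeit` and the function names are mine, and the keys are written without a passphrase so the script runs unattended, whereas the post's scripts use -des3.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1.
# Names TeamDevelopmentRoot/webprojectx are the post's; WORKDIR, the function
# names and the pfx password "changeit" are constructed for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: team root CA, self-signed, marked as a CA, key usable only for signing.
create_root_cert() {
    name="$1"
    cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORKDIR/$name.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -config "$WORKDIR/$name.cnf" \
        -key "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Step 2: project cert signed by the root. The host name goes into BOTH the CN
# and the subjectAltName; a random serial avoids the "reused issuer and serial"
# error browsers raise when every project cert is issued with -set_serial 01.
create_project_cert() {
    name="$1"; root="$2"
    cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -config "$WORKDIR/$name.cnf" -key "$WORKDIR/$name.key" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/$root.crt" -CAkey "$WORKDIR/$root.key" \
        -set_serial "0x$(openssl rand -hex 8)" \
        -extfile "$WORKDIR/$name.cnf" -extensions v3_server \
        -out "$WORKDIR/$name.crt" 2>/dev/null
    # The .pfx for the Personal store carries key, cert and (via -certfile) the root.
    openssl pkcs12 -export -out "$WORKDIR/$name.pfx" -inkey "$WORKDIR/$name.key" \
        -in "$WORKDIR/$name.crt" -certfile "$WORKDIR/$root.crt" -passout pass:changeit
}

# Check before import: does <cert> chain to <root>, pass the TLS-server purpose
# checks (EKU, key usage) and name <host>? Exit status 0 = yes.
cert_is_valid_for_host() {
    root="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$WORKDIR/$root.crt" -purpose sslserver \
        -verify_hostname "$host" "$WORKDIR/$cert.crt" >/dev/null 2>&1
}

# Does the cert carry a subjectAltName DNS entry for <host>?
cert_has_san() {
    cert="$1"; host="$2"
    openssl x509 -in "$WORKDIR/$cert.crt" -noout -text | grep -q "DNS:$host"
}

create_root_cert TeamDevelopmentRoot
create_project_cert webprojectx TeamDevelopmentRoot
if cert_is_valid_for_host TeamDevelopmentRoot webprojectx webprojectx \
   && cert_has_san webprojectx webprojectx; then
    echo "webprojectx.crt: chains to TeamDevelopmentRoot, serverAuth EKU, SAN matches host"
fi
```

The two check functions are what the mmc "check that the certificate is OK" step in Step 3 verifies by hand; running them on every new project cert catches a CN/SAN typo before the file is imported anywhere. If an OpenSSL 3 .pfx will not import on an older Windows version, re-export it with pkcs12's `-legacy` option, which reverts to the older PKCS#12 encryption Windows expects.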
Step 3: Now add the certs to the operating system.
Open mmc, choose File / Add/Remove Snap-in, and add Certificates.
Choose Computer account
In Trusted Root Certification Authorities/Certificates, right click and select All Tasks / Import…
Choose the TeamDevelopmentRoot.cer file and add
Now select Personal/Certificates, right click and Import…
This time select the webprojectx.pfx file. NOTE: It is important to choose the .pfx file (it contains the private key; the .cer only holds the public certificate)!!!
Double-click the imported certificate and check that it is OK: it should chain to TeamDevelopmentRoot and report that you have a private key for it.
Step 4: Use the certs in IIS:
Open IIS Manager and create a website with an https binding that uses the project cert. The host name must match the cert.
In the application pool, make certain you're using an account with the proper rights, for example LocalService. Also check that the IIS_IUSRS group has access to the project's folder on the file system.
Step 5: Map your host to 127.0.0.1 in the hosts file (C:\Windows\System32\drivers\etc\hosts).
Add the following:
127.0.0.1 webprojectx
Now you can test it in the browser:
And add it to your trusted sites:
Now that it works, you can share the certs with your team and develop together using HTTPS. Every time you create a new project, you only need one new cert signed by the root cert, imported into the Personal store. It can be shared among the team because everyone has installed the root cert.
Next step: implement authentication and authorization.
Links:
http://pfelix.wordpress.com/2012/02/26/enabling-https-with-self-hosted-asp-net-web-api/
http://woloski.com/2012/08/04/securing-aspnet-webapi-with-clientcerts/
http://stackoverflow.com/questions/15205814/net-client-connecting-to-ssl-web-api
http://www.networknet.nl/apps/wp/archives/2272
http://technet.microsoft.com/en-us/library/cc732443.aspx
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://slproweb.com/products/Win32OpenSSL.html
http://pages.cs.wisc.edu/~zmiller/ca-howto/