Home > General Administration > Other Topics > Installing a Self-Signed Certificate on Windows Server

Installing a Self-Signed Certificate on Windows Server

Self-signed certificates can be generated in Windows Server 2008 and 2012 using Internet Information Services (IIS). This is useful in testing environments to quickly generate a certificate that can be used for encrypting communication with external sources, such as Cisco Meraki devices when performing authentication. This guide will walk through how to generate a self-signed certificate using IIS on both platforms.

 

It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.

 

Note: Server 2003 can follow similar steps, however is not specifically documented here as it is nearing End-of-Life.

Overview and Use Cases

The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN and Group based content filtering. This feature allows an administrator to configure user authentication against an Active Directory Domain Controller.

When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.

The MX requires Transport Layer Security (TLS) when connecting to Active Directory servers for authentication. TLS provides a secure encrypted channel protecting authentication information being passed over the network. A digital certificate must be present in the authentication servers computer certificate store to use TLS. This certificate can be issued by a Certificate Authority (Commercial, Enterprise or Standalone) or be Self-Signed. Please see the following article outlining the specific certificate attributes needed: Certificate Requirements for TLS

Server 2003 Configuration

The SelfSSL utility included in the Microsoft IIS 6 Resource Tool Kit can be used to generate a self-signed certificate in Windows Server 2003. The IIS 6 Resource Kit is available directly from Microsoft

The certificate generated using the SelfSSL utility will work with Active Directory authentication. The command string below can be used to create the the certificate.

selfssl.exe /T /K:1024 /V:365 /N:CN=myhost.mydomain.local /P:3268

  • /T: Adds the created certificate to the Trusted root certificate store on the local server.
  • /K: Specifies the RSA public key encryption to be used. Use 1024 or 2048 bit encryption.
  • /V: Sets the validity period of the certificate in days.
  • /N: Sets the Common Name (CN) value of the certificate. This should be the Fully-Qualified Domain Name or NetBIOS name of the local server.
  • /P: Specifies the port number of the service using the certificate. This should be 389 the LDAP port or 3268 the Global Catalog port.


*If IIS is not running on the machine you may be prompted to overwrite the settings for site 1, answer yes and then you'll be informed that there was an error opening the metabase. The certificate will still be generated.

Server 2008 Configuration

Install IIS

If IIS has already been installed, please continue to the next section.

  1. Open the Server Manager.

     
  2. Right-click on Roles and choose Add Roles.

     
  3. If presented with the Before You Begin page, click Next.
  4. Select the Web Server (IIS) role, and click Next.

     
  5. On the next two page, click Next. No selections required.
  6. Confirm the installation by clicking Install.

     
  7. When done, click Close.

Generate the certificate

For specifics of how to configure certificate parameters for Meraki integration, please refer to our article on Certificate Requirements for TLS.

  1. In the Server Manager, navigate down to Roles > Web Server (IIS) > Internet Information Services and select the name of the server.

     
  2. Under IIS, double-click on Server Certificates.

     
  3. Under Actions, click Create Self-Signed Certificate.

     
  4. Enter a name for the certificate, then click OK.

     
  5. The new certificate should now appear under Server Certificates.

(Optional) Confirm the certificate exists

If the certificate appeared at the end of the last section, additional confirmation should not be required. However, if desired, perform these steps to ensure the certificate exists in the correct certificate store.

  1. Open a Run prompt and enter 'certmgr.msc'.

     
  2. Browse to Trusted Root Certificate Authorities > Certificates.

     
  3. Confirm that certificate created earlier is listed.

(Optional) Uninstall IIS

Only perform the steps in this section if IIS is not desired on this server. If IIS was already installed prior to beginning this process, it is most likely safe to skip this section.

  1. Open the Server Manager.

     
  2. Righ-click on Roles and choose Remove Roles.

     
  3. If presented with the Before You Begin page, click Next.
  4. Unselect the Web Server (IIS) role, and click Next.

     
  5. Confirm uninstallation by clicking Remove.

     
  6. When done, click Close.

Server 2012 Configuration

Install IIS

If IIS has already been installed, please continue to the next section.

  1. Open the Server Manager.

     
  2. Click Manage then Add Roles and Features.

     
  3. If presented with the Before You Begin page, click Next.
  4. For Installation Type, choose Role-based and click Next.

     
  5. Select the server to install on, and click Next.
  6. Select the Web Server (IIS) role.

     
  7. Click Add Features when prompted. Then click Next.

     
  8. On the next three pages, click Next. No additional selections required.
  9. To confirm installation, click Install.

     
  10. When done, click Close.

Generate the certificate

For specifics of how to configure certificate parameters for Meraki integration, please refer to our article on Certificate Requirements for TLS.

  1. Open the Server Manager.

     
  2. Click Tools and then Internet Information Services (IIS) Manager.

     
  3. Select the name of the server.

     
  4. Under the IIS section, double-click on Server Certificates.

     
  5. Under Actions, click Create Self-Signed Certificate.

     
  6. Enter a friendly name for the certificate.
  7. Select Personal for the certificate store, then click OK.

     
  8. The certificate should now appear under Server Certificates.

(Optional) Confirm the certificate exists

If the certificate appeared at the end of the last section, additional confirmation should not be required. However, if desired, perform these steps to ensure the certificate exists in the correct certificate store.

  1. Open a Run prompt.
  2. Enter 'certmgr.msc'.

     
  3. Navigate to Trusted Root Certification Authorities > Certificates.

     
  4. Verify that the certificate created earlier is listed.

Uninstall IIS

Only perform the steps in this section if IIS is not desired on this server. If IIS was already installed prior to beginning this process, it is most likely safe to skip this section.

  1. Open the Server Manager.

     
  2. Click Manager then Remove Roles and Features.

     
  3. If presented with the Before You Begin page, click Next.
  4. Select the server to remove IIS from, then click Next.
  5. Unselect the Web Server (IIS) role, and click Next.

     
  6. On the next page, click Next.
  7. To confirm uninstallation, click Remove.

     
  8. When done, click Close.
You must to post a comment.
Last modified
15:18, 18 Feb 2016

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 1557
Powered by MindTouch ®

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case