Self-signed certificates can be generated in Windows Server 2008 and 2012 using Internet Information Services (IIS). This is useful in testing environments to quickly generate a certificate that can be used for encrypting communication with external sources, such as Cisco Meraki devices when performing authentication. This guide will walk through how to generate a self-signed certificate using IIS on both platforms.
It is important to remember that self-signed certificates are not recommended for production environments. A Certificate Authority (CA) signed certificate is more secure and is considered best practice.
Note: Windows Server 2003 can follow similar steps; however, it is not specifically documented here as it is nearing End-of-Life.
The Cisco Meraki MX Security Appliance supports Active Directory authentication with Client VPN and Group based content filtering. This feature allows an administrator to configure user authentication against an Active Directory Domain Controller.
When Active Directory authentication is configured, the MX queries the Global Catalog over TCP port 3268. Therefore, the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.
The MX requires Transport Layer Security (TLS) when connecting to Active Directory servers for authentication. TLS provides a secure encrypted channel protecting authentication information being passed over the network. A digital certificate must be present in the authentication server's computer certificate store to use TLS. This certificate can be issued by a Certificate Authority (Commercial, Enterprise or Standalone) or be Self-Signed. Please see the following article outlining the specific certificate attributes needed: Certificate Requirements for TLS
The SelfSSL utility included in the Microsoft IIS 6 Resource Kit Tools can be used to generate a self-signed certificate in Windows Server 2003. The IIS 6 Resource Kit is available directly from Microsoft.
The certificate generated using the SelfSSL utility will work with Active Directory authentication. The command string below can be used to create the certificate.
selfssl.exe /T /K:1024 /V:365 /N:CN=myhost.mydomain.local /P:3268
*If IIS is not running on the machine, you may be prompted to overwrite the settings for site 1; answer yes, and you will then be informed that there was an error opening the metabase. The certificate will still be generated.
If IIS has already been installed, please continue to the next section.
For specifics of how to configure certificate parameters for Meraki integration, please refer to our article on Certificate Requirements for TLS.
If the certificate appeared at the end of the last section, additional confirmation should not be required. However, if desired, perform these steps to ensure the certificate exists in the correct certificate store.
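The following PowerShell script is an added example and is not part of the Meraki article or its IIS Manager steps. It creates the self-signed certificate with the built-in New-SelfSignedCertificate cmdlet (an alternative to the IIS Manager wizard, available on Windows Server 2012 and later), then performs the confirmation described above: it reads the certificate back from the Local Computer > Personal store and checks the attributes a TLS listener needs (private key present, not expired, Server Authentication EKU), and confirms that something is listening on the Global Catalog port 3268. The host name myhost.mydomain.local is an assumed placeholder taken from the selfssl.exe line above; replace it with the Domain Controller's FQDN. The script assumes an elevated PowerShell session.

```powershell
# Added example, not from the Meraki article: generate a self-signed certificate
# with PowerShell (alternative to the IIS Manager steps) and then verify it sits
# in the Local Computer > Personal store with the attributes needed for TLS.
# Assumptions: Windows Server 2012 or later, elevated session, and the host
# name below is the Domain Controller's FQDN.

$Fqdn = 'myhost.mydomain.local'   # assumed placeholder; use the DC's real FQDN

# 1. Generate the certificate directly in the computer store.
#    -DnsName sets the Subject to CN=<fqdn> and adds a matching Subject
#    Alternative Name; the default validity is one year and the default EKU
#    list includes Server Authentication (1.3.6.1.5.5.7.3.1).
$new = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation 'Cert:\LocalMachine\My'
Write-Host "Created certificate with thumbprint $($new.Thumbprint)"

# 2. Verify from the store itself (not from the $new variable) so the same
#    check also covers a certificate created in IIS Manager or with selfssl.exe.
function Test-GcTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $certs = Get-ChildItem 'Cert:\LocalMachine\My' |
             Where-Object { $_.Subject -eq "CN=$HostName" }
    if (-not $certs) {
        Write-Warning "No certificate with Subject CN=$HostName in Cert:\LocalMachine\My"
        return $false
    }

    $allGood = $true
    foreach ($c in $certs) {
        $problems = @()
        if (-not $c.HasPrivateKey)        { $problems += 'no private key in the store' }
        if ($c.NotAfter -le (Get-Date))   { $problems += "expired on $($c.NotAfter)" }

        # Look for the Enhanced Key Usage extension and the Server Authentication OID.
        $eku = $c.Extensions |
               Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        if (-not $hasServerAuth)          { $problems += 'EKU lacks Server Authentication' }

        if ($problems) {
            Write-Warning ("{0}: {1}" -f $c.Thumbprint, ($problems -join '; '))
            $allGood = $false
        } else {
            Write-Host ("{0}: OK, valid until {1}" -f $c.Thumbprint, $c.NotAfter)
        }
    }
    return $allGood
}

# 3. Confirm the Global Catalog listener the MX connects to is present on this host.
$gcListener = Get-NetTCPConnection -LocalPort 3268 -State Listen -ErrorAction SilentlyContinue
if ($gcListener) {
    Write-Host 'TCP 3268 (Global Catalog) is listening'
} else {
    Write-Warning 'Nothing is listening on TCP 3268; this server may not hold the Global Catalog role'
}

Test-GcTlsCertificate -HostName $Fqdn
```

Run the script once; the generation step can be omitted on a server where the certificate was already created through IIS Manager, in which case Test-GcTlsCertificate alone performs the confirmation. The function reads from the store rather than from the cmdlet's return value so that a certificate created by any method (IIS Manager, selfssl.exe, or this script) is checked the same way.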
Only perform the steps in this section if IIS is not desired on this server. If IIS was already installed prior to beginning this process, it is most likely safe to skip this section.