Since I rarely need to create self-signed certificates, I typically forget the necessary steps. So, perhaps this entry is more for my own use, but it may be deemed useful to somebody else out there.

General Overview

In order to set up IIS with a self-signed cert to be used by your .NET application, the following steps are needed:
  1. Download Pre-requisite Software
  2. Create the Self-Signed Certificate
  3. Assemble the Personal Information Exchange File
  4. Import into the Key Store
  5. Set the Permissions
  6. Test it out
Pre-requisite Software

Before I get into the details, you should download the following required software:

  • makecert - Utility that will enable you to generate your self-signed certificate. This is found within the Windows SDK.
  • pvk2pfx - Another utility that will copy your public key and private key information and place it into a .pfx file (Personal Information Exchange) for use with signing. This is also found within the Windows SDK.
  • winhttpcertcfg - Utility required for Windows 2003 users to set the appropriate permissions correctly.

Create Self-Signed Certificate

From the command line help for makecert:

  -r    Create a self signed certificate
  -a    The signature algorithm. (Default to 'md5')
  -pe   Mark generated private key as exportable
  -n    Certificate subject X500 name (eg: CN=Fred Dews)
  -sky  Subject key type.
  -sv   Subject's PVK file; To be created if not present

Given the above, here's an example of how I created a certificate:

makecert -r -a sha1 -pe -n "CN=Fedlet" -sky exchange -sv fedlet.pvk fedlet.cer

Hmmm... can you see where I'm going with this in the near future? :)

Assemble Personal Information Exchange File

From the command line help for pvk2pfx:

  -pvk  input PVK file name.
  -spc  input SPC file name.
  -pfx  output PFX file name.

Using the above, let's continue with our example:

pvk2pfx -pvk fedlet.pvk -spc fedlet.cer -pfx fedlet.pfx

At this point, we have the necessary file to import into our key store.

Import into the Key Store

The Microsoft Management Console (mmc.exe) has an Add-In called "Certificates" which we'll use to import the public/private keys into the appropriate key store.
  1. Start MMC
  2. Add the Certificates Add-In. Be sure to specify Computer account for managing certificates.
  3. Navigate to the Path > Personal folder.
  4. Within the menu, choose Action > Import...
  5. Specify your .pfx file (for example, fedlet.pfx) and click Finish.
  6. Provide a friendly name for this certificate by viewing its properties and entering a value.
Setting the Permissions

Once you have your public/private key in the local machine's personal key store, you have to ensure Internet Information Server (IIS) can access it correctly.

For Windows Vista and 2008:
  • Within MMC's menu, choose Action > All Tasks > Manage Private Keys...
  • Add the NETWORK SERVICE user account and specify Allow Read permissions
For Windows 2003:
  • Run the command line utility winhttpcertcfg.exe mentioned earlier. For our example, we would run it as follows:

    winhttpcertcfg -g -c LOCAL_MACHINE\MY -s Fedlet -a "Network Service"
Test it out

Now that you've done all that, how do you know it's done? Well, in the latest nightly builds of the .NET Fedlet, you can try out the export metadata feature that will not only output your metadata, but if the extended metadata has the friendly name specified for the signing certificate alias, it will include the public key as well as sign the XML.
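As a smaller check that does not depend on the Fedlet build (added example C# code, not part of the Fedlet or of this post), the console program below finds the certificate in the Local Computer Personal store by the friendly name you entered in MMC (assumed here to be "Fedlet"), confirms a private key is attached, and signs a small constructed XML document with it, embedding the public certificate the way the exported metadata would. Run it under the same account as the IIS worker process (NETWORK SERVICE in the setup above): a CryptographicException at the point where the private key is read means the permissions step was missed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

class SigningCertCheck
{
    const string FriendlyName = "Fedlet"; // friendly name entered in MMC (assumed value)
    // Look up the cert in the Local Computer > Personal store by its friendly name.
    static X509Certificate2 FindByFriendlyName(string friendlyName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
                if (string.Equals(cert.FriendlyName, friendlyName, StringComparison.OrdinalIgnoreCase))
                    return cert;
            return null;
        }
        finally { store.Close(); }
    }
    // Enveloped XML-DSig over the whole document, embedding the public cert in KeyInfo.
    static void SignXml(XmlDocument doc, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc);
        // Reading PrivateKey throws CryptographicException ("Keyset does not exist")
        // when the current account lacks Read access on the key container.
        signedXml.SigningKey = cert.PrivateKey;
        var reference = new Reference("");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo(); keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }
    static void Main()
    {
        X509Certificate2 cert = FindByFriendlyName(FriendlyName);
        if (cert == null) { Console.WriteLine("No certificate named " + FriendlyName); return; }
        if (!cert.HasPrivateKey) { Console.WriteLine("No private key attached; was the .pfx imported?"); return; }
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<EntityDescriptor entityID=\"urn:example:fedlet\"/>"); // constructed sample input
        try { SignXml(doc, cert); Console.WriteLine(doc.OuterXml); }
        catch (CryptographicException ex) { Console.WriteLine("Key not usable by " + Environment.UserName + ": " + ex.Message); }
    }
}
```

Running it as yourself (an administrator) will usually succeed even when the IIS account cannot read the key, so the meaningful result is the one obtained under the worker process identity.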
To try it out: