I'm trying to create a self-signed wildcard SSL certificate for use on a number of development and test servers running IIS 6. Following various guides has led to a couple ways of generating the certificates, but I haven't had any luck getting it to work. The most successful ways I've had were following this OpenSSL guide and using makecert.exe like so:

makecert.exe -r -b 01/01/2009 -e 01/01/2042 -sr LocalMachine -ss MY -a sha1 -n CN="*.example.com" -sky exchange -pe -eku 1.3.6.1.5.5.7.3.1 -sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider" wildcard.cer

Both of which generate certificates that IIS 6 will accept, but when I actually try to view the site I get the following error in firefox:

Data Transfer Interrupted

The connection to dev.example.com was interrupted while the page was loading.

IE just gives:

Internet Explorer cannot display the webpage

Most likely causes:

• You are not connected to the Internet.
• The website is encountering problems.
• There might be a typing error in the address.

This error happens whether I try to access it by domain name, machine name, localhost, local ip, or loopback ip.

So...how can I create a self-signed wildcard cert that IIS 6 will work with? Or how can I fix the problems I'm experiencing with the ones I've already created?

You can use the IIS 6 Resource Kit provided by MS, an command line app called SelfSSL. It can generate the SSL key and import it into your IIS installation.

IIS 6 Resource Kit

you can do a wildcard certificate with *.domain.local and multiple ssl protocols by using the c:\inetpub\adminscripts adsutil.vbs set w3svc[siteid]\SecureBindings ":443:name.domain.local"

Did you realize that you would need to change from "example.com" to some thing more appropriate to your situation ("localhost" might be one of them during testing).

For IIS 7 - there is a wzard to do this. It takes about 30 seconds to setup.

For IIS 6 - it's a bit trickier. It takes about 30 minutes to setup.

Which one are you using?

I strongly recommend moving to IIS 7 - it is very foreign at first, but they've made a lot of improvements.

Given that you probably can't upgrade to IIS 7, I had to do the following to implement what you want in IIS 6.

1) create certificate server 2) generate request 3) grant request 4) install certificate

It's a bit of a pain to setup the certificate authority server, but it comes with Windows Server and the walkthrough is pretty straight forward.

We discovered that the Certificate Authority wasn't being trusted because of domain settings and was causing the errors. We ended up deploying a star cert generated by a trusted CA and that cleared up the problems.