One thing Mat wanted to demonstrate was the use of a certificate for encrypting traffic between a SQL Reporting Server and a back-end database. Why not install a certificate server, he said. My retort was that he was probably barking if this was just for a simple demonstration.... :-) (You're not, really Mat. Honest!) Hence, one topic along our way was how to use MakeCert.exe to demonstrate SSL encryption. Rather than me show him and get it written down, what better way than to blog it. Makes sense, right? Spookily just last week I was reminding myself about how to use the makecert.exe utility (download link at the bottom) to generate a self-signed certificate for a completely different purpose. However, definitely a subject for another day and besides, I never did succeed in that particular goal :-(
MakeCert.exe allows you to (for test/dev purposes) generate both a trusted root certificate and a certificate signed by that trusted root certificate for encryption purposes (also for signature purposes, but that wasn't relevant in this context). In this way, you can create a test/dev web-site, for example, with SSL encryption enabled. Follow these simple steps if this is something you need to do. I'll follow up later with an example of how you would use these generated certificates to SSL-enable a very simple web-site under IIS 6.
From the command prompt, in the directory where you downloaded makecert.exe, enter all the green bits below on a single line (ie exclude my comments in the right-most column).
You will now have a "Test And Dev Root Authority.cer" certificate on disk and a new certificate will also be installed in the LocalMachine Certificate store. If you run up a Certificates MMC at this point, you will be able to see this. However, by default, the Certificates snap-in isn't available as a short cut. Hence, use the following steps:
If you expand the console out to Personal/Certificates, you will see your newly created certificate as in the screen shot below.
Now that you have a root certificate, you need to use this certificate (at least the .cer file which is still present on your hard-disk) to sign another certificate you are going to use for encryption purposes. From the command prompt, enter the following
Go back to the certificates snap-in, right-click the "Test and Dev Root Authority" certificate and copy it to the "Trusted Root Certification Authorities" node. Once done, if you expand this node, and then select certificates your newly created root cert should be present.
If you whizz back to the personal certificates in this snap-in, you also note that your new certificate suitable for encryption purposes is installed, as highlighted in the screen-shot below.
If you double-click the certificate, verify that you have a private key that corresponds to this certificate, and that the intended purpose is to ensure the identity of a remote computer.
At this point, you can safely delete the "Test And Dev Root Authority" certificate from the personal certificate store in the MMC snap-in. Remember also that you can save the two .cer files on disk safely away to save you remembering all the above parameters for makecert.exe. You can simply use the "All Tasks/Import" wizard in the MMC snap-in instead (assuming that the DNS name of the target machine matches).
Download makecert.exe from microsoft.com here
Oh the fun of after-work conversations.... Hope this is useful for you