Self-Signing Certificate to Enable HTTPS on IIS

For internal-use IIS-based sites, you can enable HTTPS by self-signing a certificate and distributing it through Group Policy, so that browsers on the workstations stop showing the untrusted-certificate warning.

Self-Signing a Certificate

Simply open an elevated PowerShell window and run the following command to self-sign a 5-year certificate into the local machine's certificate store.

New-SelfSignedCertificate -DnsName "servername" -CertStoreLocation cert:\LocalMachine\My -FriendlyName "servername" -NotAfter (Get-Date).AddYears(5)

Technically, you can do this on any computer, but it's easier to run it directly on the IIS server so you don't have to move the certificate around.

Binding the certificate to IIS

Right-click the site in IIS Manager and choose Edit Bindings. Add an HTTPS (443) binding and pick the certificate you just self-signed from the list.

Exporting the certificate

Open the certificate details from Server Certificates in IIS Manager, go to the Details tab, and click the Copy to File… button.

Follow the wizard: choose Yes, export the private key, tick the Include all certificates in the certification path if possible option, and protect the exported file with a password.

Distributing the certificate via the Group Policy

Open the Group Policy Management console, and head over to the following location.

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies

Right-click the Trusted Root Certification Authorities and choose Import.

Then, on the File to Import page, pick the PFX file you exported in the previous step. Make sure you select the *.pfx file type in the dropdown list.

Forcing HTTPS

Once the certificate has been distributed to the workstations, redirect all HTTP traffic to HTTPS so that only the secure binding is used.
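The self-signing, binding and exporting steps above, scripted end to end as an added example (not part of the original post). It assumes the host name "servername", the IIS site "Default Web Site", an existing folder C:\certs, and the WebAdministration module on the server. It also exports the public certificate on its own as a .cer file: the Group Policy trust store only needs the public certificate, so the PFX that contains the private key can stay on the server as a password-protected backup.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$dnsName  = "servername"         # assumption: replace with the real host name
$siteName = "Default Web Site"   # assumption: the IIS site to bind
$outDir   = "C:\certs"           # assumption: existing folder for the exported files

# 1. Self-sign a 5-year certificate into the machine store (same as the post's command),
#    with an explicit 2048-bit RSA key, SHA-256, and an exportable private key so that
#    the PFX export in step 4 works.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -FriendlyName $dnsName `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5)

# 2. Add the HTTPS (443) binding and attach the certificate (the "Edit Bindings" step).
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}
if (-not (Test-Path "IIS:\SslBindings\0.0.0.0!443")) {
    New-Item -Path "IIS:\SslBindings\0.0.0.0!443" -Value $cert | Out-Null
}

# 3. Export the public certificate only (.cer): this is what the workstations need in
#    their Trusted Root Certification Authorities store via Group Policy.
Export-Certificate -Cert $cert -FilePath "$outDir\$dnsName.cer" -Type CERT | Out-Null

# 4. Export the PFX (certificate + private key) as a password-protected backup.
#    Treat this file as a secret: whoever holds it can impersonate the server.
$pfxPassword = Read-Host -AsSecureString "Password for the PFX backup"
Export-PfxCertificate -Cert $cert -FilePath "$outDir\$dnsName.pfx" -Password $pfxPassword | Out-Null

# 5. Check that port 443 really serves the certificate that was just created.
$bound = Get-Item "IIS:\SslBindings\0.0.0.0!443"
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "The 443 SSL binding is not using the new certificate ($($cert.Thumbprint))."
}
Write-Host "Bound $($cert.Thumbprint) to '$siteName'. Distribute $outDir\$dnsName.cer via Group Policy."
```

After the GPO has applied, a quick trust check from a workstation is to browse to https://servername (or run `Invoke-WebRequest https://servername`) and confirm no certificate warning or error appears.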
