How can I create self-signed certificate that is stronger than SHA-1?

For a development environment, I can create a self-signed certificate in IIS 7.5. But that certificate is SHA-1 and recently browsers are complaining about it. When I open FireBug I see the following warning:

“This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.”

So my questions are:

1) Is there a way to create a self-signed certificate that is stronger than SHA-1?

2) If not, is there a way to tell the browser to stop showing these warnings?

UPDATE

I ended up using @vcsjones's answer, but that got me only so far. There were a couple of issues I had to resolve before making it work.

1) For some reason I could not import the certificate with a password. So I ended up creating one without.

2) When I imported the .pfx certificate via IIS, I kept getting “A specified logon session does not exist” when I tried to apply the new certificate in Edit Bindings. So I did a little research and found this SO answer to be useful, specifically Mike L’s answer.

Another thing I would add is that when you are importing the certificate, please remember to select the .pfx certificate. The import wizard's default selection is *.cer, which you can import (a mistake I made), but then I was not able to see the certificate in IIS Server Certificates. When I looked closer it was missing the little key in the icon. Now, I did research on that and was able to repair it via the KB-889651 article. So make sure you import the .pfx and it will work without repairing.

Another note: if you are having trust issues with this certificate, import it into “Trusted Root Certificate Authorities” as well.

Answer

Sure. The makecert utility that is part of the Windows SDK can do that:

makecert -len 2048 -r -a sha256 -sv private.pvk -n CN=localhost cert.cer

The -a parameter sets the hash algorithm. This spits out a PVK and a DER .cer file. You can of course also change the common name to anything you’d like; I just used localhost as an example. You can combine these into a PFX (what IIS prefers to use when importing a certificate) using pvk2pfx (also part of the SDK):

pvk2pfx -spc cert.cer -pvk private.pvk -pfx out.pfx

This just takes the two files makecert generated and combines them into a PKCS12 .pfx file.

With the resulting PFX file, you would open up IIS and import it under Server Certificates, then change your site’s bindings to use the new certificate.
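The same procedure done with the PKI module built into Windows (added example, not vcsjones's answer or any part of the original page). It creates a SHA-256-signed, 2048-bit RSA self-signed certificate directly in the machine store, checks the signature algorithm so the SHA-1 warning cannot recur, exports the PFX that IIS imports, and puts only the public certificate into Trusted Root for the local-dev trust issue the question's update describes. The DNS name, output directory and password are placeholders; it assumes an elevated PowerShell prompt on Windows 10 / Server 2016 or later, where New-SelfSignedCertificate accepts -HashAlgorithm and -KeyLength.

```powershell
# Added example: self-signed SHA-256 certificate for a dev IIS site, using the built-in PKI cmdlets.
# Placeholders (change for your environment):
$dnsName     = 'localhost'                      # subject / SAN name the site is browsed as
$outDir      = 'C:\certs'                       # constructed output directory
$pfxPath     = Join-Path $outDir 'localhost-dev.pfx'
$cerPath     = Join-Path $outDir 'localhost-dev.cer'
$pfxPassword = ConvertTo-SecureString -String 'dev-only-password' -AsPlainText -Force

# 1. Create the certificate in the machine store (IIS reads from LocalMachine\My).
#    -HashAlgorithm SHA256 is the equivalent of makecert's "-a sha256"; -KeyLength of "-len 2048".
$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Verify the signature algorithm before binding it; a SHA-1 cert would show 'sha1RSA' here.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -notlike '*sha256*') {
    throw "Certificate was signed with $sigAlg, not SHA-256; aborting."
}
"Created $($cert.Subject) thumbprint $($cert.Thumbprint) signed with $sigAlg"

# 3. Export certificate + private key as PFX (PKCS#12), the form IIS expects under Server Certificates.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Export the public certificate only and add it to Trusted Root Certification Authorities,
#    so the local browser trusts the issuer. The private key stays out of the Root store.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Show what the machine store now holds for this name, for a final sanity check.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$dnsName" } |
    Select-Object Subject, Thumbprint, NotAfter, @{n='Signature'; e={ $_.SignatureAlgorithm.FriendlyName }}
```

Because the certificate is generated straight into Cert:\LocalMachine\My, it already appears under Server Certificates in IIS Manager and can be selected in the site's HTTPS binding without the separate PFX import; the exported PFX is only needed if the certificate must be moved to another machine. Keep the Trusted Root import to development machines, since it makes the browser trust anything signed with that private key.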

Attribution
Source: Link, Question Author: CrnaStena, Answer Author: vcsjones