This article describes the process of configuring IIS on a developer's machine to support SSL connections. To enable SSL, IIS requires a valid X.509 certificate to be installed on the host computer. In a production environment, each IIS server would request its own certificate (e.g. for yoda.test.local) from a trusted CA. For development purposes (where the majority of web site access is via the http://localhost moniker) it is simpler to use a single cert issued to localhost than to issue individual certificates to MACAAA123, MACAAA124 and so on.
To complete this article you will need:
- The Private Key Backup (.PFX) for the localhost cert
- The password for the PFX File - PFX contents are encrypted under a password
- The Issuing CA's cert (always needed when cert is not issued by a Trusted CA)
Note: You won't need the actual Certificate (.CER) issued to localhost.
ALL REQUIRED FILES ARE ATTACHED TO THIS ARTICLE (Links are at the bottom)
Step 1 - Import the PFX to the local computer's Personal Certificate Store
First we need to configure a Certificates MMC snap-in to allow us to manage certificate objects:
Start > Run > MMC
File > Add/Remove Snap-In
Click Add
Locate the Certificates snap-in and click Add
Select Computer Account > click Next
Click Local Computer and click Finish, click OK, click OK
Now we need to restore the private key backup:
In the Certificates MMC snap-in...
Expand Certificates (Local Computer) > Personal
Right-click on Certificates and select All Tasks > Import, click Next
Click Browse and locate & open the Private Key Backup (.PFX) file - NOTE: Don't select the Certificate. You may need to change the Files of Type drop-down to select Personal Information Exchange
Click Next
Type the password for the .PFX file and tick to select the "Mark this key as exportable" checkbox. Click Next
Ensure the "Place all certificates in the following store" radio button is selected and the Certificate Store is set to Personal. Click Next
Click Finish
Close the MMC (don't save the snap-in)
Step 2 - Assign the Certificate to the IIS Web Site
Administrative Tools > Internet Information Services
Expand Computer > Web Sites
Right-click the target web site (e.g. Default Web Site) and select Properties
Select the Directory Security tab
Click Server Certificate, click Next
Select Assign an existing certificate, click Next
Select the certificate Issued To localhost and click Next
NOTE: If the list of available certificates is empty, return to Step 1. The list is populated from the Computer's Personal certificate store
Review the summary and click Next
Click Finish. Click OK
Step 3 - Add the issuing CA as a trusted root
The localhost cert was issued by the SafeSign Support CA, which is not trusted by Windows or by IE/Firefox/Chrome.
You will get a warning when you browse to a site using the localhost certificate, until you trust the issuing CA.
Using IE (7)
IE > Tools > Internet Options > Content tab
Click Certificates
Select the Trusted Root Certification Authorities tab
Click Import
Locate and open the SafeSign Support CA Cert (BLETCHLEY).cer
Click OK
Ensure the "Place all certificates in the following store" radio button is selected and the Certificate Store is set to Trusted Root Certification Authorities and click Next
Click Finish
Click Yes on the massive Security Warning
Using Firefox (3)
Firefox > Tools > Options > Advanced tab
Click View Certificates
Select the Authorities tab and click Import
Locate and open the SafeSign Support CA Cert (BLETCHLEY).cer file
Ensure ONLY the "Trust this CA to identify web sites" checkbox is selected and click OK
Click OK, OK, back to Firefox
Step 4 - Test SSL Connection
Point your browser at a local web page using an address starting with HTTP://
While viewing a working page, change the URL to start with HTTPS://
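The results of Steps 1 to 4 can also be confirmed from PowerShell. The script below is an added example, not part of the original article; the function names are hypothetical, and it assumes the certificate subject contains "localhost", the site listens on port 443, and the development CA has no reachable CRL.

```powershell
# Added example, not part of the original article. Run on the developer machine.
# Assumptions: the cert subject contains "localhost"; the site listens on port 443.

function Test-LocalhostCertStore {
    # Steps 1 and 3: the cert is in Local Computer > Personal, carries its
    # private key, and chains to a root that Windows trusts.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # $false = also return certs that do not validate yet
        $certs = $store.Certificates.Find('FindBySubjectName', 'localhost', $false)
    }
    finally { $store.Close() }

    if ($certs.Count -eq 0) {
        Write-Warning 'No localhost certificate in LocalMachine\My; repeat Step 1.'
    }
    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Assumption: the development CA publishes no reachable CRL.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey  # False suggests the .CER was imported, not the .PFX
            ChainTrusted  = $trusted             # expected False before Step 3
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

function Test-LocalhostTls {
    param([int]$Port = 443)
    # Steps 2 and 4: IIS presents the cert and Windows accepts it for "localhost".
    $client = New-Object System.Net.Sockets.TcpClient('localhost', $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream())
        # Throws AuthenticationException if the chain is untrusted or the name does not match.
        $ssl.AuthenticateAsClient('localhost')
        $ssl.RemoteCertificate.Subject
    }
    finally { $client.Close() }
}

Test-LocalhostCertStore | Format-List
Test-LocalhostTls
```

These checks reflect the Windows certificate stores only; Firefox keeps its own list of authorities, which is why Step 3 imports the CA there separately.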