You create a self-signed SSL certificate for IIS 6 on Windows Server 2003 by downloading the IIS 6.0 Resource Kit, installing only the SelfSSL 1.0 tool, determining your site ID in IIS Manager, and running a single command-line instruction. The tool generates a 2048-bit key, signs the certificate with itself, binds it to the chosen website, and can mark it as trusted locally. This provides immediate SSL/TLS encryption without a third-party CA.

Self-signed certificates are appropriate for development, staging, or internal-facing sites where administrators control client machines and can pre-install the certificate in the trusted root store. They deliver the same encryption as CA-signed certificates but trigger browser warnings on public clients because the signer is not in the default trust list. Never use them for production customer-facing sites.

# Self-Signed Certificate Background

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the party who created the certificate also vouched for its legitimacy, so nobody independent of the subject has attested to it.

In typical public key infrastructure (PKI) arrangements, a particular public key certificate is valid if attested by a digital signature from a certificate authority (CA). Users verify that signature with the public key in the CA's certificate, which confirms it was produced by the CA's matching private key. CA certificates are often signed by higher-ranking CAs, leading to a root CA whose certificate must be self-signed.

In a web of trust certificate scheme there is no central CA, so identity certificates can be self-signed and supplemented with signatures from other users. Trust is evaluated based on the chain of signatures and personal knowledge of the signers. X.509 PKI schemes instead require trusting the root certificate by definition. The problem of establishing initial trust exists in both models.

# Prerequisites

  • Administrative access on a running Windows Server 2003 installation with IIS 6 configured
  • The server must have a static IP address assigned and an active internet connection
  • Working knowledge of IIS Manager and command-line tools
  • Identify the target website's numeric identifier in advance (Default Web Site is usually 1)

# Installing the SelfSSL Tool

SelfSSL is distributed inside the IIS 6.0 Resource Kit. Install only the component you need to keep the footprint small.

  • Download the IIS 6.0 Resource Kit Tools from the official Microsoft Downloads website
  • Run the installer, accept the EULA, and choose Custom setup
  • Uncheck every tool except SelfSSL 1.0 and complete the installation

# Generating the Certificate with SelfSSL

Launch IIS Manager, expand Web Sites, and note the Identifier value for the site that will receive the certificate. Then open a command prompt and execute the SelfSSL command. The example below uses the original domain for illustration only.

```cmd
selfssl /N:CN=www.aspnix.com /K:2048 /V:365 /S:1 /T
```

The switches used above:

  • /N:CN=www.aspnix.com sets the certificate's common name; replace it with the FQDN clients will type into the browser
  • /K:2048 sets the key length to 2048 bits, the recommended minimum
  • /V:365 sets the validity period to one year from issuance
  • /S:1 is the numeric IIS site identifier noted in IIS Manager
  • /T also registers the certificate in the local machine's Trusted Root Certification Authorities store, so browsers on the server itself trust it

Answer Y when prompted to replace the SSL settings for the site. On success you will see the confirmation message: "The self signed certificate was successfully assigned to site 1."

# Verification Steps

In IIS Manager, right-click the website, choose Properties, switch to the Directory Security tab, click Edit under Secure Communications, then View Certificate. Confirm the issuer matches the subject and the intended purposes include server authentication.
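The same check from a client's point of view, as an added example that is not part of the original article or of the SelfSSL tool: a Python 3 script run from an administrator's workstation that retrieves the certificate the binding presents, confirms issuer equals subject, CN and validity window, and then reconnects with that certificate pinned as the only trust anchor, which is the client-side equivalent of importing the .cer into the Trusted Root store described under the pitfalls below. The host name, port and the constructed sample certificate are assumptions.

```python
import socket
import ssl
import time


def _rdn_value(name, attribute):
    """Return one attribute (e.g. 'commonName') from a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def assess_certificate(cert, expected_cn, now=None):
    """Evaluate a certificate in ssl.SSLSocket.getpeercert() dict form.

    Mirrors the manual IIS Manager check: for a SelfSSL certificate the issuer
    equals the subject, the CN is the site FQDN, and /V:365 covers 'now'.
    """
    now = time.time() if now is None else now
    subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "self_signed": subject == issuer,
        "cn_matches": _rdn_value(subject, "commonName") == expected_cn,
        "in_validity_window": not_before <= now <= not_after,
        "days_remaining": int((not_after - now) // 86400),
    }


def fetch_and_assess(host, port=443, timeout=5):
    """Probe a live HTTPS binding (host/port are assumptions).

    Pass 1 fetches the leaf certificate with verification off, because a
    self-signed certificate chains to no default root. Pass 2 loads that very
    certificate as the sole trust anchor and lets OpenSSL do full chain and
    hostname validation, exactly what a client gains by importing the .cer.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False          # must be cleared before verify_mode
    probe.verify_mode = ssl.CERT_NONE
    probe.minimum_version = ssl.TLSVersion.TLSv1  # IIS 6 on Server 2003 speaks TLS 1.0 at best
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with probe.wrap_socket(raw, server_hostname=host) as tls:
            pem = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    pinned.minimum_version = ssl.TLSVersion.TLSv1
    pinned.load_verify_locations(cadata=pem)          # trust only the certificate just fetched
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with pinned.wrap_socket(raw, server_hostname=host) as tls:
            return assess_certificate(tls.getpeercert(), host)
```

Recent OpenSSL builds refuse TLS 1.0 at their default security level, so against a real IIS 6 host both contexts may additionally need `set_ciphers("DEFAULT:@SECLEVEL=0")`; a handshake failure in the second pass means the presented certificate is not the one clients have been told to trust.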

# Common Pitfalls and Troubleshooting

  • Using the wrong site ID binds the certificate to an unintended website; always double-check the identifier in IIS Manager
  • Client browsers display certificate warnings unless you manually import the .cer file into each client's Trusted Root Certification Authorities store
  • If SelfSSL is not found in the PATH, run it directly from the Resource Kit installation folder
  • The certificate is only trusted on the local server when /T is used; remote clients still require explicit trust configuration

Self-signed certificates satisfy the technical requirement for SSL but do not replace proper CA-issued certificates for any publicly accessible production service. After installation, test the binding by browsing to https://yourdomain.com and verify that the lock icon appears once trust is established. For production workloads, obtain and import a CA-signed certificate using the same IIS Directory Security interface.