0

I need to use some certificate on IIS 7.0 web server to test my https code at client side (console application). I have created self-signed certificate and it is fine. Now I want to test with formal certificate which IE could recognize, like certificates from verisign or other formal certificate issuing companies.

Any easy way to get some free and formal certificate? I only need to test for a few days.

I am developing using VSTS 2008 + C# + .Net 3.5 + IIS 7.0.

Here is what verisign returns when I create a free trial certificate, I am not sure what is wrong?

Error 950e - Invalid Common Name Error The common name in the CSR contains invalid characters like '?', '*', ':', ' '.  

If you continue to receive this error or have further questions, you may write to support@verisign.com for assistance. Please include the following information in your correspondence:


Product or service you are enrolling for
Your server software vendor (for server certificates)
Common Name of your certificate (for example, www.verisign.com)
URL where you are experiencing this error message.

thanks in advance, George

George2
  • 1,137
  • 6
  • 22
  • 41

2 Answers2

1

Why not just install the root certificate from whichever server generated the self-signed one on your client? That'll stop it complaining about untrusted CAs.

If there's a specific requirement for a proper certificate from a proper CA, I hear Godaddy are pretty cheap, although I've never used them myself. Alternatively, StartCom offer entirely free ones, although their site did cause Opera to cough up an SSL error when I tried it. Either way, I don't think you'll have much luck getting one that's valid for less than a year, though.

RainyRat
  • 3,730
  • 1
  • 24
  • 29
  • 1. for self-signed test certificate we generated from IIS 7.0 management console, what is the root CA? 2. "install the root certificate from whichever server generated the self-signed one on your client" -- how to install on client? Just double click the root CA certificate? – George2 Sep 11 '09 at 08:45
  • Does IE trust StartCom as default trusted root CA? – George2 Sep 11 '09 at 09:13
  • 1
    1 - You should be able to export it from the "Certificates" MMC snap-in - it'll be in the "Personal" cert store for the Local Computer account. 2 - Yup. Just select "Trusted Root Certification Authorities" for the destination cert store when you're importing it. – RainyRat Sep 11 '09 at 09:13
  • 1
    (Re: IE trusting StartCom) No. You'll need to manually install their root and intermediate certs in your client. – RainyRat Sep 11 '09 at 09:15
  • Thanks, RainyRat. I have another way to install the trust root. Please review whether my steps are correct. Step 1, browse from machine A (client) for URL on machine B (server) using https, and machine B is running IIS 7.0 with self-signed certificate; Step 2, on browser of machine A, there will be certificate error/warning. Then I import the self-signed certificate of machine B to trusted root CA of machine A. Step 3, browse again using https for URL from machine B, this time machine A has no certiticate error/warning message. – George2 Sep 11 '09 at 09:36
  • BTW: "You should be able to export it from the "Certificates" MMC snap-in" -- I think you mean export from server side MMC and copy the certificate cer file to client side to import as trusted root CA? – George2 Sep 11 '09 at 09:37
  • StartCom has been included in the Root Certificates Update for Internet Explorer since September 2009 (see Eddy Nigg's blog post "The 'e' of the Internet" dated August 19, 2009: http://blog.startcom.org/?p=205). They offer personal S/MIME certificates, standard SSL certs, and UC certs, also called “Subject Alternative Name” or “SAN” certs, which work well with Exchange 2007 and later. I like their pricing model... the certificates are essentially free; you pay additional fees for the level of validation desired (up to and including EV certs which turn the address bar green). – jnaab Jun 03 '10 at 18:24
1

Am I allowed to advetise a specific reseller? ;)

GeoTrust is giving free 30 day Trial certificates away...

To generate a Certificate Signing Request (CSR) you should follow these instructions.

Part of it is to enter a "Fully Quallified Name" (FQN). This has to be the DNS name by which to you want your clients to reach your server. For example if you want them to be able to reach https://secure.example.com your FQN is secure.example.com. But it has to correspond with your DNS, otherwise users get warning messages.

lepole
  • 1,733
  • 1
  • 10
  • 17
  • Thanks, by default IE trust certificate from which companies? – George2 Sep 11 '09 at 08:55
  • 1
    Not an easy to answer question. Every now an than MS pushes an update for the included "Rootcertificates" out with windows update. But it is optional for the user to install... In your IE "Internet Options" ther´s a tab with "Content". Under "Certificates" you have a button "publishers". Ther look at the tab "Trusted Root Certificates Authorities" Geotrust mainly uses Equifay as far as I know which they bought yeaers ago and seems to be included in evry operating System (also mobiles...) – lepole Sep 11 '09 at 09:01
  • Thanks. I have tried to apply from GeoTrust and also from Verisign, but I got the same error messsage when applying free certificate. I have posted my error message in my original post. Any ideas what is wrong? – George2 Sep 11 '09 at 09:09
  • 1
    how did you generate the csr? there is a howto http://www.geotrust.com/support/generate-csr/ on their website... what is the common name of the machine? – lepole Sep 11 '09 at 09:38
  • I am using Create a self-signed certificate process to generate a self-signed certificate, I am not sure which value I input in this process is treated as csr? Full qualified domain name? – George2 Sep 11 '09 at 10:00