
I have 2 web servers, A and B. A is a web site used by users and B is a bunch of web services used by server A. So I would like to enable HTTPS for server B. Since no browsers are supposed to go here I thought it would be sufficient to use a self-signed certificate. I successfully created a self-signed certificate on server B (through IIS) and exported it, copied it to server A, and added it to the trusted certificates. But I still get a browser warning when opening an HTTPS connection to server B. I suspect the problem is that the certificate is bound to the machine name and not to myservices.mydomain.com?

So 2 questions

  1. Is it "ok" to use a self signed certificate for a server only serving my website?

  2. If so, how can I generate this?

Jepzen
    How are you accessing server B? Through any back-end language or from the user's browser via JavaScript? – Deer Hunter Jan 20 '15 at 10:21
  • It is a bunch of web services. SVC and Web Api. I use the browser to check they work. But mostly through C# to actually serve server A – Jepzen Jan 20 '15 at 10:24
  • The browser is right to warn you. Not that familiar with WCF to tell you the right option to use programmatically. – Deer Hunter Jan 20 '15 at 10:27
  • But if I copy the certificate from server B to server A, should it not then trust it? This worked well when I had it on my test server. But this was also accessed through its local name and not through services.mydomain.com – Jepzen Jan 20 '15 at 10:34
  • You get the warning for a reason. By installing a self-signed cert, you open your link up for a man-in-the-middle attack. Yet, not all is lost. Starting in mid-2015, you'll be able to have a certificate issued to you for free and in automatic mode. See the [Let's Encrypt](https://letsencrypt.org) initiative sponsored by Mozilla, Akamai and EFF. – Deer Hunter Jan 20 '15 at 22:39

1 Answer


1) Is it "ok" to use a self signed certificate for a server only serving my website?

If it's a public-facing website, all users will get a warning, because they don't trust you: you are not in the store of trusted certificates in any browser or system. If you're alone in accessing this website, or alone in accessing it through HTTPS (and all others by HTTP), you can manually trust it by adding the cert to your local store.


2) If so, how can I generate this?

I don't get what you want to generate here, as you already have your cert. You have 2 possibilities to trust your own self-signed cert.

First, you can add per-application exceptions. When getting the warning, you should be able to mark the cert as valid and trusted from now on. Make sure you check the fingerprints, otherwise you may have trusted an attacker's cert.

Second, you can have your system trust it by adding it to the system's cert store. Here, it's necessary that the Common Name (CN) or any of the Subject Alternative Names (SAN) exactly matches the domain name you use to access the webpage. Don't mix hostnames, domain names and IPs here.

sebix
  • My problem is to generate a certificate with a matching Common Name. When using IIS to generate the certificate it gets the local machine name. But thanks for clarifying. I will keep searching – Jepzen Jan 21 '15 at 07:32
  • OpenSSL lets you generate certs with any Common Name. If you have a specific question for generating certs with a certain software, please post this question with a clear problem statement. – sebix Jan 21 '15 at 07:56
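The two checks the answer and its comments describe, as an added example that is not part of the original question, answer or comments: the hostname-versus-certificate comparison that makes a client reject a machine-name certificate when the URL says myservices.mydomain.com (the CN/SAN rule from the answer), and the fingerprint comparison behind "make sure you check the fingerprints" for a client that pins server B's exact certificate. The hostnames, the IP address 10.0.0.5 and the certificate dictionaries are constructed sample data in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the DER bytes are a placeholder, not a real certificate. The matching rule is the RFC 6125 one that browsers and the .NET stack apply; real clients run it inside their TLS library rather than in application code.

```python
"""
Added example (not from the original post): the identity checks a client runs
before it trusts an HTTPS server, which is why server A still warns about
server B's certificate even after the cert was imported as trusted.

  1. hostname matching against the certificate's CN / subjectAltName
     (the reason a machine-name cert fails for myservices.mydomain.com), and
  2. a fingerprint comparison, the "check the fingerprints" step from the
     answer, for a client that pins server B's exact certificate.
All certificates, names, addresses and fingerprints below are constructed data.
"""
import hashlib
import hmac
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# what the IIS "Create Self-Signed Certificate" wizard produces, with only the
# machine name in the CN and no subjectAltName extension.
MACHINE_NAME_CERT = {
    "subject": ((("commonName", "SERVERB"),),),
}

# Constructed sample of a cert issued for the service hostname. The CN is
# deliberately still the machine name: once a subjectAltName is present,
# clients ignore the CN, so every name the cert should cover must be a SAN.
SAN_CERT = {
    "subject": ((("commonName", "SERVERB"),),),
    "subjectAltName": (
        ("DNS", "myservices.mydomain.com"),
        ("IP Address", "10.0.0.5"),
    ),
}

# Constructed stand-in for the DER bytes getpeercert(binary_form=True) returns,
# and the SHA-256 fingerprint an operator would copy from server B's cert.
SAMPLE_DER = b"constructed-sample-not-a-real-certificate"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is allowed
    only as the entire left-most label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert):
    """Names the certificate claims, as (dns_names, ip_addresses).
    A subjectAltName extension is authoritative and the CN is ignored; only a
    certificate without any SAN falls back to the commonName."""
    san = cert.get("subjectAltName", ())
    if san:
        return ([v for k, v in san if k == "DNS"],
                [v for k, v in san if k == "IP Address"])
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    return common_names, []


def hostname_matches(cert, hostname):
    """True if the host part of the URL the client used is covered by `cert`."""
    dns_names, ip_addrs = cert_identities(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal in the URL matches only an IP SAN, never a DNS name or CN.
        return any(ipaddress.ip_address(ip) == addr for ip in ip_addrs)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def fingerprint_matches(der_bytes, expected_sha256):
    """Pin check: compare the SHA-256 of the presented certificate with the
    value copied from server B (accepts 'AB:CD:..' or plain hex, any case)."""
    expected = expected_sha256.replace(":", "").lower()
    actual = hashlib.sha256(der_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for url_host in ("myservices.mydomain.com", "serverb", "10.0.0.5"):
        print(url_host, "machine-name cert:", hostname_matches(MACHINE_NAME_CERT, url_host),
              "SAN cert:", hostname_matches(SAN_CERT, url_host))
    print("fingerprint ok:", fingerprint_matches(SAMPLE_DER, SAMPLE_SHA256.upper()))
```

The practical consequence for the question: importing the IIS certificate into server A's trusted store fixes the chain check but not the name check, so the certificate has to be reissued with myservices.mydomain.com as a SAN (for example `New-SelfSignedCertificate -DnsName myservices.mydomain.com -CertStoreLocation cert:\LocalMachine\My` in PowerShell on Windows Server 2012 or later, or `openssl req -x509 ... -addext "subjectAltName=DNS:myservices.mydomain.com"` with OpenSSL 1.1.1 or later). Put the name in the SAN rather than relying on the CN fallback: current browsers such as Chrome ignore the CN entirely. Pinning by fingerprint, as in `fingerprint_matches`, is the alternative when the C# client on server A should accept exactly one certificate regardless of any store.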