Creating Long Term SSL Certificates for Your Lab and Other Environments

I’ve found over the years that when a certificate you’re using in a lab or other kind of test environment expires, all sorts of havoc can be unleashed.  I use Active Directory Certificate Services in my labs because it’s a quick and easy way to get the SSL certificates I need generated.  One of the really nice things about it is that you get the integrated SSL certificate creation process in the IIS Manager, where you can request a Domain Issued Certificate.  The biggest problem with that approach is that is hard-coded to use a specific template for issuing that certificate, and that template has a hard-coded maximum lifetime of 2 years.  I decided I wanted to create SSL certificates that are good for 10 years in my lab so I don’t have to go through the pain of having them expire again (at least not without a WHOLE LOT of advance warning).  The process is actually rather complicated so I thought I’d capture it here in case anyone wants to do the same.

First, what I’m NOT going to do is explain how to install Certificate Services.  I’m going to assume that you have done this (it’s just a wizard – breathe deeply and take the default values).  Once that’s installed and running, then the first thing you need to do is to change the maximum lifetime you can issue.  Out of the box Certificate Services will only issue certs with a lifetime of 2 years, even if you put in a longer value in the certificate template.  So, open a command prompt on your Certificate Services computer and type these commands:

certutil -getreg CA\ValidityPeriodUnits

This will tell you how many years you can use with your certificates.  If you really want to verify that it is years, you can run this:

certutil -getreg CA\ValidityPeriod

Now, to change it so that you can issue certs for 10 years, run this command:

certutil -setreg CA\ValidityPeriodUnits 10

After you do that restart the Active Directory Certificate Services service.  Now you’re ready for the next step, which is to create a new template that you can use to issue SSL certs that are good for 10 years.  Start by opening up a new MMC window (Start…Run…mmc.exe) and then add 3 snap-ins:  Certification Authority (for the local computer), Certificates (for the current user), and Certificates (for the local machine).  Once those are added, expand the Certification Authority, right-click on the Certificate Templates node and select Manage:

That opens up the Certificate Templates console.  Now, to simplify things you can just copy the existing Web SSL template.  Scroll down the list of certificate templates until you find the named Web Server, right-click on it and select Duplicate Template.   A dialog will pop up where you can set all the attributes that you want certificates based on this template to have.  Here are the minimum changes you should make:

  • General tab:  change the display name to something useful.  In my case I called my SharePoint Hybrid Long Term SSL.  Change the Validity Period to 10 years.
  • Request Handling tab:  check the option to Allow private key to be exported.

You can close the Certificate Templates console now.  You should be back on the original MMC window you opened, so click on Certificate Templates again and this time select New…Certificate Template to Issue:

That will bring up a dialog that lists the certificate templates, and you can select the certificate template you just created.  Most of the hard work is done at this point.

As I mentioned earlier, you won’t be able to get a new SSL certificate using this template from within the IIS Manager snap-in.  In all honesty, the easiest way I’ve found to do this is just to use the old Certificate Services ASP pages (yes, that’s “ASP”, not “ASP.NET”) on the Certificate Services computer.  You need to be using SSL with the site in order to have it issue you certificates though, so the first thing you’re going to need to do after all is open up the IIS Manager snap-in.  Click on the Default Web Site, then click on the Bindings for it.  Add a new binding for HTTPS; in the certificate drop down you should see a certificate with the local computer name; select that and click OK to save your changes, then you can close the IIS Manager.

The ASP pages for Certificate services are in a virtual directory named CertSrv, so you can open your browser and navigate to https://nameOfYourServer/CertSrv.  Here’s how to work your way through the wizard to get the certificate you need:

  1. Click Request a Certificate
  2. Click advanced certificate request
  3. Click Create and submit a request to this CA; if you get a confirmation dialog click Yes
  4. Click the Certificate Template drop down.  You should see the custom template you created above – select it.
  5. Filling out the fields here is super important – the most important is “Name”.  This is the where you put the common name of your certificate, i.e. *,…whatever name your web site is going to use.  I also populate the Company, City, State and Country fields.  You probably will also want to put a value in the Friendly Name field.  Once you’ve filled out all the fields click the Submit button.  It should look something like this:

If it pops up a confirmation dialog then click the Yes button.  It creates the certificate and will render a page with a link to Install this certificate; click that link to complete the process. 

The certificate is placed in the Personal container in the certificate store for the current user.  If you had that node open before you will need to refresh the container to see the new certificate.  At this point your certificate is good to go, but you will need to put it into the Personal container of whatever server(s) you want to use for SSL.  That process should be fairly straightforward – just double click the certificate to open it, click on the Details tab then click the Copy to File… button.  Make sure you check the box to export the private key, and then you can take the PFX it creates and import that on the web servers where you intend to use it.

Comments (1)

  1. alexandrad9x says:


Skip to main content