Windows Server 2016: installing the certificate manager, configuring a self-signed certificate in IIS, exporting the certificate, and converting the .pfx certificate to .crt and .key

I previously wrote an article, "Security ━━ windows2008 self-built certificate, IIS configuration https server and browser error handling", and the configuration methods are similar.
Windows Server 2016 and later versions of IIS have their own built-in certificate manager. It is no longer necessary to install and configure Active Directory Certificate Services, and server certificates can be managed directly through IIS Manager. With IIS Manager you can easily configure and install SSL certificates for IIS sites, and you can also easily obtain certificates from various certification authorities (CA) and bind them to IIS sites.

1. IIS preparation

IIS and the certificate can be installed at the same time; this article treats them separately so they are easier to understand and tell apart.

For the installation of IIS, refer to the section on installing IIS components in the article "PHP Development Log ━━ IIS7 Installation How PHP8.0 and Multiple Versions Exist on One Server at the Same Time".

This article still installs the certificate manager according to the old method. If you don't want to manage anything, just go to "3. IIS configuration certificate".

2. Certificate preparation

1. Open Server Manager, click [Add Roles and Features]

2. Click [Next] by default for the following steps

3. Under server roles, check [Active Directory Certificate Services], click [Add Feature] in the dialog that pops up automatically, and then continue to click [Next]

4. Decide whether to check [Certificate Authority Web Registration] according to your needs

Here we only want IIS to serve https; no online registration is required, so there is no need to tick it.
If you do tick it, an [Add function] dialog will pop up when you click the item.

5. Continue the following steps and click [Next] by default.

6. Click [Install] and wait for the installation to complete.

If [Certificate Authority Web Registration] is enabled, additional content will be installed.

7. In Server Manager, click the prompt in the upper right corner, choose [Configure Active Directory Certificate Services on the target server], and then click [Next].

8. In the role service configuration, check the first two options, [Certificate Authority] and [Certificate Authority Web Registration], at the same time, and then click [Next] by default in the following steps.

9. It is recommended to set the validity period of the certificate to 50 years, and continue to [Next] until the configuration is complete.

3. IIS configuration certificate

1. Open [Server Certificate] in IIS

2. Select [Create self-signed certificate]

If Certificate Manager is already installed, a 50-year certificate will already exist in the interface.

3. Choose a good name

The certificate store can be understood as a category.

4. Click OK to generate the ssl certificate

5. Open the [Binding] of the website

6. Add ssl certificate

Select [Add]

7. Select https as the type, choose the ssl certificate, and click OK

8. https is generated

4. Browser Opening Test

1. Open https://127.0.0.1 in the browser and click to continue browsing the website

2. If it can be opened, it means success

Currently, this type of certificate can only be opened in Edge, IE, and Firefox by default; Google Chrome will report that the website address is wrong.

5. Export the certificate

So how can these signing certificates be exported?

1. Open the Certificate Manager

Run => certmgr.msc

2. Locate the certificate

It may be in the Personal directory; you will have to look for it yourself when the time comes.

3. Export the certificate

Right-click menu => All Tasks => Export

Click Next

Choose "Yes, export the private key"

Select .pfx and include all certificates

Enter a password

Specify the folder and file name

Click Finish

The export succeeds

The .pfx file appears in the target location

6. Convert to openssl certificate

1. Download and install openssl

How to install openssl is not covered here; please refer to: "Environment - Installing OpenSSL under Windows"

Download link: https://slproweb.com/products/Win32OpenSSL.html

Version v3.1.0 can also be downloaded from csdn: https://download.csdn.net/download/snans/87595254

2. Open a command window and enter the commands

Copy the .pfx file to the specified directory and execute the two openssl commands one after the other; you will be asked to enter the password you set when exporting.
For convenience, I copied the .pfx file directly into the bin folder under the openssl installation directory, because the real executable is here~~ \bin\openssl.exe

openssl pkcs12 -in 20230320ssl.pfx -out 20230320ssl.crt -nokeys
openssl pkcs12 -in 20230320ssl.pfx -out 20230320ssl.key -nocerts -nodes

3. File generation

Call it a day~~
For the reverse operation, please refer to: How to convert the crt certificate to pfx format (it is very good)
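
As an added example (not part of the original article), the script below runs the two conversion commands from step 2 and then checks that the resulting .crt and .key belong to the same key pair and whether the key file is stored unencrypted. It assumes a POSIX shell (for example WSL) with openssl on PATH; the function names, the PFX_PASS variable and the throwaway PFX standing in for the IIS export are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article): split a PFX, then verify the outputs.
# Assumes openssl on PATH and the export password in the PFX_PASS variable.
set -eu

# Build a throwaway PFX standing in for the IIS export (constructed sample).
make_sample_pfx() {  # $1 = output .pfx
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=iis-demo.example" \
    -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -out "$1" \
    -passout env:PFX_PASS
  rm -rf "$d"
}

# The article's two commands; env: keeps the password off the command line.
split_pfx() {  # $1 = input .pfx, $2 = output path without extension
  openssl pkcs12 -in "$1" -out "$2.crt" -nokeys -passin env:PFX_PASS
  openssl pkcs12 -in "$1" -out "$2.key" -nocerts -nodes -passin env:PFX_PASS
  chmod 600 "$2.key"  # -nodes writes the private key without encryption
}

# SHA-256 over the DER public key, taken from a certificate or a private key.
pub_hash_crt() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}
pub_hash_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True when both files parse and the .crt and .key share one key pair.
pair_matches() {
  { openssl x509 -in "$1" -noout && openssl pkey -in "$2" -noout; } >/dev/null 2>&1 || return 1
  [ "$(pub_hash_crt "$1")" = "$(pub_hash_key "$2")" ]
}

# True when the key file is stored unencrypted (no ENCRYPTED PEM header).
key_is_plaintext() { ! grep -q 'ENCRYPTED' "$1"; }

# Demo on the constructed PFX, using the article's file name in a scratch directory.
work=$(mktemp -d)
export PFX_PASS='constructed-demo-password'
make_sample_pfx "$work/20230320ssl.pfx"
split_pfx "$work/20230320ssl.pfx" "$work/20230320ssl"
pair_matches "$work/20230320ssl.crt" "$work/20230320ssl.key" && echo "crt and key match"
key_is_plaintext "$work/20230320ssl.key" && echo "key is unencrypted: restrict access to it"
```

For a real export, skip make_sample_pfx, set PFX_PASS to the password entered in the export wizard, and point split_pfx at the exported file.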

Other references:
Create an OpenSSL self-signed certificate under Windows and convert existing Windows certificate pfx files into key and crt files
Windows Server 2016 operating system to build a self-signed CA certificate server (Microsoft Active Directory Certificate Services)

Origin blog.csdn.net/snans/article/details/129635363