How to trust a self signed certificate in IIS Windows Server 2019

Captions
I'm in Internet Information Services on a Windows 2019 Standard server, and what I'm going to do is assign a self-signed certificate to the default website, and then I'm going to go into Group Policy and trust that certificate so that way we don't get a certificate warning or error.

I'm in the server at the top left, so what I'm going to do is click on Server Certificates, double click, and we're going to click on Create a Self-Signed Certificate. Now, the name of the server is dc1 and the Active Directory domain is techpub.us, so I'll just call it that, and I'm going to leave the certificate set to Personal. You can choose Personal or Web Hosting; it doesn't really matter which one you choose. This has nothing to do with IIS; it has to do with the store where the certificate is held. So I'll click OK, and now I've got my certificate. Now I've got two different certificates that are called dc1. This first one is a domain certificate; the second one is going to be the website hosting certificate that we're going to be using, and you can tell because the issued by is the dc1-ca certificate authority, so we can ignore that one.

Now we're going to go into where it says default website and we're going to choose Bindings. What this does is it links that certificate to the website itself. We already have this http port 80 which is bound, but that's not a secure link. So, for instance, if I go into my web browser and I type in http colon slash dc1, which is the name of the server, then it comes up with the default page, which is great, but it's showing me that there's no SSL certificate here, so it's not a secure connection. What I want to do is have a secure connection, so I can do that by clicking Add and change my type from http to https. Now, under IP address we can just leave that the way it is, and the port changed from 80 to 443, so that's good. Also, I'm going to put in the name of dc1.techpub.us. The other boxes that you see you can just leave unchecked. I'm going to click on the SSL certificate, and I've got two different certificates. I think it's this one here that's lower case, because that's the one I did earlier, but just to make sure I'll click on View, and sure enough it's today's date, so I know that we're okay. I'm going to click OK here and click Close.

Just to confirm that it's working, I'm going to go back in and type https for the SSL certificate, dc1.techpub.us, enter, and we see now we're getting a warning. So click Advanced and click Accept the Risk, and now it's come up. What this has done is it's just basically told us that yes, the website's going to work, but your certificate is not being trusted. If I click on this little drop down here it says connection not secure. I click More Information and it says basically this is a self-signed certificate; it's not a public certificate. Now, we're going to do a public certificate in an upcoming video in this playlist, so take a look for that if you need to get a public certificate, but the self-signed certificate is nice because it's free.

So, on the domain controller, we're going to go to Server Manager and then Tools and Group Policy Management. We need to basically create a group policy that will trust this certificate, so we need to find and export the certificate first. I'm going to go down to the Start menu and choose Run and type in mmc, which stands for Microsoft Management Console. Click OK, and now the MMC pops up. I need to add a snap-in for certificates, so find Certificates in the list, click Add, and choose the user account, click Finish and OK. Now we're going to expand the certificates and go to where it says Trusted Root Certification Authorities and Certificates, and we should see a dc1.techpub.us with today's date on it, which we do, so this is the correct certificate. I need to export that, so I'm going to right click on that, choose All Tasks and Export. A new wizard pops up. I can choose either to export the private key or not. There's no need to export the private key for this case, so I'll just choose not to. It's going to create a .cer certificate file, which is fine. Now I've got to give it a file name. I'm going to put this onto the desktop so it's easy to find, dc1.techpub.us, just so I know what it is, and Next and Finish. Now my certificate should be on the desktop, and there's my certificate. Great, now I can choose to trust the certificate in Group Policy.

Next we need to create a shared folder location for our certificate, so I'm going to go into the C drive and I'm going to create a new folder, and I'm going to call it shared cert, and I'm going to move that certificate into that location. Now I need to share that folder by right clicking and going to Properties and going into the Sharing tab. We'll click Advanced Sharing, Share this folder, Permissions, and we're going to add Domain Users, and we're going to leave it at Read, which is fine. We're going to remove Everyone, because we only want domain users to have this; we don't want people outside of the domain who can log in anonymously to be able to have access to this. We're going to want to do the same thing on the Security tab by clicking and choosing Domain Users, and the default rights are fine; they don't need to have the ability to delete the file or move the file, just have read only. Just to confirm it's working, we'll do a backslash backslash dc1, and there's our shared cert and the certificate's inside, so we're good there.

Now we're going to go back into Server Manager, go to Tools, and go to Group Policy Management, and in Group Policy Management we're going to create a brand new group policy object by right clicking on the domain and choosing Create a GPO in this domain, and Link it here. Now, the reason we're putting it at the root is so it affects all computers in the domain. It's only going to affect computers in the domain, so if you're going to be doing this on mobile devices that are not members of the domain, you'll want to do a public certificate instead, which we'll do in that other video. I'm going to call this trust self assigned and click OK, but you can call it anything you want. Now I'm going to right click and choose Edit, and inside Edit I'm going to expand Policies, and I'm going to expand Windows Settings, Security Settings, then Public Key Policies, and then Trusted Root Certification Authorities. Now I'm going to right click anywhere on the right hand side, choose Import, click Next, and we need to use that path to the file, so I'm going to put in backslash backslash dc1. You can't use C colon backslash because the users can't get to that; you have to use the path to the file, which is called a UNC path. Then we'll see the shared cert, double click on that, and there's our dc1 certificate. Double click on that, click Next, leave it in the Trusted Root Certification Authorities, click Next and Finish.

Now you need to restart a Windows client, or any other computer that's going to be connecting to this website, in order to have the group policy get affected to the computer. If it's a user policy then you just have to type in gpupdate or log off and log back in, but a computer policy requires that we restart the computer so it can receive that certificate.

I'm logging into the Windows 10 client, and you'll notice it's a virtual server, virtual machine, and you can do this either on a virtual machine or on a physical machine; it does not matter, and that can be both the client as well as the server; they'll be affected in the same way. We're logged all the way in. I'm going to open up the web browser, I'm going to type in https colon slash dc1.techpub.us, hit enter, and look at that, no more certificate warnings.

Now, if we go in and use Firefox, it's going to look a little different. So once again, https colon slash dc1.techpub.us. All right, so the good news is we did not get the warning page that required us to click to continue. However, we do get a little bit of a warning triangle here at the top. It says connection is not secure, and that's because Firefox does things a little bit differently than Chrome or Internet Explorer or Edge and some other web browsers, and that is because, under the owner, it says the website does not supply ownership information. So it's not saying that the website is going to cause any kind of a security issue, except for the fact that it doesn't supply the ownership information, so it's sort of a mild warning. It's not the same as what it gave us before, which was a big warning page that we had to click OK, we agree to the risks, to move on. So that's all right, and you can use Chrome if you don't want to see that, but in other web browsers as well, but Firefox does things a little differently.

So that is how we set up a certificate in IIS, and we bind it, and then we trust it using a group policy.
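
The server-side steps from the walkthrough, scripted in PowerShell with a check of the exported file before it is trusted domain-wide. This is an added example, not from the video; the folder and share name `SharedCert`, the NetBIOS domain name `TECHPUB`, the helper `Test-RootTrusted`, and exporting straight from the computer's Personal store instead of through the MMC wizard are assumptions.

```powershell
# Added example (not from the video). Run elevated on the IIS server, dc1.
Import-Module WebAdministration

$dnsName  = 'dc1.techpub.us'         # host name used in the video
$siteName = 'Default Web Site'
$shareDir = 'C:\SharedCert'          # assumed name for the "shared cert" folder
$readers  = 'TECHPUB\Domain Users'   # assumed NetBIOS domain name
$cerPath  = Join-Path $shareDir "$dnsName.cer"

# 1. Self-signed certificate in the computer's Personal store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. HTTPS binding on port 443, then attach the certificate to it.
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $dnsName
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $dnsName
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Export the public certificate only (.cer); the private key stays on the server.
New-Item -ItemType Directory -Path $shareDir -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 4. Read-only share and NTFS rights for Domain Users, as in the video.
New-SmbShare -Name 'SharedCert' -Path $shareDir -ReadAccess $readers | Out-Null
icacls $shareDir /grant "${readers}:(OI)(CI)RX" | Out-Null

# 5. Inspect the file that the GPO will distribute before importing it.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($exported.HasPrivateKey)                   { throw 'Exported file contains a private key' }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file is not the bound certificate' }
if ($exported.Subject -ne $exported.Issuer)    { throw 'Certificate is not self-signed' }
"Thumbprint to expect on clients: $($exported.Thumbprint) (expires $($exported.NotAfter))"

# 6. On a domain client, after the policy has applied: is that exact certificate trusted?
function Test-RootTrusted {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Test-Path -Path "Cert:\LocalMachine\Root\$Thumbprint"
}
```

The import into the GPO's Trusted Root Certification Authorities is still done in the Group Policy Management editor as described in the captions; `Test-RootTrusted` is then run on a client with the thumbprint printed in step 5.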
Info
Channel: Robert McMillen
Views: 10,105
Keywords: self signed certificate, web server, self signed, create self signed certificate, root authority, trust cert, self signed certificate explained, how to, server 2019, server 2016, IIS, iis, iis manager, iis server, iis server tutorial for beginners, iis service, iis tutorial, iis web server, internet information services, internet information services microsoft, learn iis, microsoft iis, web server iis, what is iis, windows server, windows server 2016 iis
Id: GrOReB66UbM
Length: 10min 56sec (656 seconds)
Published: Mon Jul 20 2020