Score:-2

Create Self-Signed Certificate for IP Address (customized domain) on Windows

in flag

I want to create a self-signed certificate for an IP address (not a domain) using Windows.

Then I want to bind this certificate to my API, which is hosted on IIS on our own server. Finally, I want to share a copy of my self-signed certificate with my clients, who will consume my API, so that they can establish a trusted secure connection with my API.

Can somebody please advise how to do so?

Lex Li avatar
vn flag
Either you learn how to use PowerShell or use a tool like Jexus Manager (https://docs.jexusmanager.com/tutorials/self-signed.html#background). But keep in mind that using IP addresses as common names is bad for maintenance (what if the IP addresses change?), and asking your clients to use self-signed certificates is also bad for security (why should they trust something insecure?).
in flag
Why is it bad to ask my clients to trust my self-signed certificate? What risk does it put them in?
Lex Li avatar
vn flag
A commercial certificate from a real-world certificate authority is mandatory in many business setups (https://en.wikipedia.org/wiki/Certificate_authority). A self-signed certificate from you lacks all those features and protection.
in flag
The two main features of SSL certificates that I know of are: 1) secure the communication between two parties so that a third party doesn't have access to the information being exchanged, and 2) validate the identity of the server to their clients, so that no one can pretend to be the server and get hold of the data which the client intended to share with the server. I understand that asking my clients to install my self-signed certificate is unconventional, and that it is definitely better to use a certificate issued by a Trusted Certificate Authority. However, I don't know why.
in flag
I find that it lets me achieve the two conditions (mentioned above), with only the extra hassle of asking my clients to manually install my self-signed certificate to their list of trusted CAs on their systems. Can you please advise what exactly the risks are that I'm putting on my clients by asking them to install my self-signed certificate (issued to my domain), which should only allow them to establish a secure connection with my server?
Martin avatar
kz flag
You should look at it like "hey, look, a third party trusted by you validated the identity of my server, you are really talking to me, not to an attacker". But if you create a CA yourself to verify your identity, your customer loses this assurance. An attacker can do the same steps: create a CA, sign a server certificate, and tell your customer to trust his CA - and the customer is not able to differentiate between your "valid" CA and the attacker's CA...
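
The procedure asked about in the question, sketched in PowerShell as an added example that is not part of the original thread: it issues the certificate with the IP address as a Subject Alternative Name, binds it in IIS, exports only the public part, and has the client check a fingerprint received over a separate channel before trusting the file, which addresses the point in the last comment. The IP address, site name, file paths and the `Install-VerifiedCertificate` helper are assumptions made for illustration.

```powershell
# Added example, not from the thread. Placeholder values are marked as such.
$ip   = '203.0.113.10'            # placeholder address (documentation range)
$site = 'Default Web Site'        # assumed IIS site name
$out  = 'C:\temp\api-public.cer'  # assumed export path

# --- Server side (elevated prompt on the IIS host) ---
# Clients match an IP literal against an iPAddress SAN entry, so the address
# goes into the SAN extension (OID 2.5.29.17), not only into the subject.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$ip" `
    -TextExtension @("2.5.29.17={text}IPAddress=$ip") `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(1)

# Bind the certificate to an HTTPS binding on the site.
Import-Module WebAdministration
New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress $ip
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Export the public certificate only (DER); the private key never leaves the
# server because the key was created as non-exportable.
Export-Certificate -Cert $cert -FilePath $out -Type CERT | Out-Null

# Fingerprint to hand to clients over a channel other than the one used to
# send the .cer file (phone, signed mail, contract annex).
$fingerprint = (Get-FileHash -Path $out -Algorithm SHA256).Hash
Write-Output "SHA-256 fingerprint: $fingerprint"

# --- Client side ---
# Hypothetical helper: refuses to trust the file unless it matches the
# fingerprint the client obtained out of band.
function Install-VerifiedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne ($ExpectedSha256 -replace '[\s:]', '')) {
        throw "Fingerprint mismatch: got $actual. Certificate not installed."
    }
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
}
```

If the server's IP address changes, the certificate has to be reissued and redistributed to every client, which is the maintenance cost raised in the first comment.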