In Linux you can create a self-signed certificate pretty easily; you can even create a request for multiple sites supported by one certificate. It looks something like this:

    cd /etc/pki/tls/private/
    # SAN must be exported, and the req extension section of openssl.cnf has to
    # pick it up (subjectAltName = $ENV::SAN), otherwise the variable is ignored
    export SAN="DNS:*.example.com, DNS:other.example.com.com"
    openssl req -new -key ca.key -out all.example.com.csr

Type in some answers here when prompted, probably for www.example.com as the server and so on.

Okay, but now I need the server to sign that request, so:

    # -out is needed or the certificate only goes to stdout; note that
    # "x509 -req" does not copy the CSR's SAN extension into the certificate
    # unless you also pass -extfile/-extensions pointing at that section
    openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key -out all.example.com.crt
So that works.
Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited-permission user, as recommended), but Chrome does.
- Click the green icon for the SSL status, it brings up certificate information as an option
- On the Details tab, click the Copy to File option
- On the export wizard, hit Next to get to the real options then DER encoded is fine
- Save the file whatever.crt somewhere you can get to it from the AD GPO management tools
- Open the GPO management and create or modify a policy and go to Edit
- Dig down through Computer Config - Policy - Windows - Security Settings - Public Key Policies
- Import your key into Trusted Root Certification Authorities
After you get the policy updated, people will be able to access your SSL site (within the domain) without any errors.
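The OpenSSL side of the above, as an added example that is not part of the original answer: it generates a key, puts the SAN list into the CSR through a small config file, self-signs it while re-supplying the extensions (the plain "x509 -req -signkey" form silently drops them), exports the DER file that the Chrome "Copy to File" step produces, and checks the result. All file names, the working directory and the SAN list are made up; it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not the answer's own commands): self-signed certificate
# with a SAN list that actually survives signing, plus checks.
# Assumed: OpenSSL 1.1.1+ on PATH; every path and host name below is invented.

write_san_config() {
    # $1 = config path, $2 = CN, $3 = SAN list such as "DNS:*.example.com,DNS:other.example.com"
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $2
[v3_req]
subjectAltName = $3
EOF
}

make_san_cert() {
    # $1 = work dir, $2 = CN, $3 = SAN list, $4 = validity in days (default 3 years)
    dir=$1
    days=${4:-$((365 * 3))}
    mkdir -p "$dir"
    write_san_config "$dir/san.cnf" "$2" "$3"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/server.key" 2>/dev/null
    # CSR carries the SAN because the config names v3_req as req_extensions
    openssl req -new -key "$dir/server.key" -config "$dir/san.cnf" \
        -out "$dir/server.csr" 2>/dev/null
    # "x509 -req" ignores CSR extensions; -extfile/-extensions adds them back
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/server.crt" 2>/dev/null
    # Equivalent of the browser's "DER encoded" export, for the GPO import
    openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/server.der"
}

make_cert_without_extensions() {
    # Same CSR signed exactly as the answer does it: the SAN list is lost
    openssl x509 -req -days 30 -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/plain.crt" 2>/dev/null
}

cert_has_dns_san() {
    # $1 = PEM certificate, $2 = DNS name; exit 0 if it appears in subjectAltName
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

cert_is_self_signed() {
    # A self-signed certificate verifies with itself as the only trust anchor
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Typical use: `make_san_cert /tmp/san www.example.com "DNS:*.example.com,DNS:other.example.com"` followed by `cert_has_dns_san /tmp/san/server.crt other.example.com`; running `make_cert_without_extensions /tmp/san` and checking `plain.crt` the same way shows why the extension flags matter. The DER file under the work directory is what goes into Trusted Root Certification Authorities through the GPO editor.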
    C:\>certreq -submit -attrib "CertificateTemplate:WebServer" request.csr
Also see: http://blog.netnerds.net/2009/10/securing-apache-using-mod_ssl-openssl-and-microsoft-certificate-authority-ca/