StuartRowcliffe
Posts: 3
Joined: Mon Jul 22, 2019 3:14 pm

SSL Self Signed Certificates

Mon Jan 22, 2024 3:58 pm

Hello,

I would like to install a self-signed SSL certificate with my web application installer, i have found the guide relating to generating and installing a self-signed certificate via the custom actions list.

The bit i'm struggling with is then assigning that certificate that the installer creates to the https binding on my iis website within the installer package. The options available (Use existing certificate, install pfx from the package, install pfx chosen at runtime) all seem to need a pfx file to be selected, which doesn't exist as the installer creates it at runtime.

Can you advise how to assign the certificate created via the custom action to the https binding please?

Thanks
Stuart

Liviu
Posts: 1026
Joined: Tue Jul 13, 2021 11:29 am
Contact:  Website

Re: SSL Self Signed Certificates

Mon Jan 29, 2024 1:03 pm

Hello Stuart and welcome to our forums,

Sorry for the delayed reply on this.

In order to achieve this, you can use the Generate and install self signed certificate custom action. You need to change the Store location to "Local machine":
self signed CA.png
self signed CA.png (67.99KiB)Viewed 4008 times

This custom action requires privileges, therefore you need to enable the "Run as administrator" option from the Install Parameters page.

After that, you can select the "Use existing server certificate" option and add the [AI_THUMBPRINT_PROP] property on the "ThumbPrint (Hash)" field.
ssl.png
ssl.png (39.43KiB)Viewed 4008 times

Hope this helps! Let us know if you have any other questions.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

StuartRowcliffe
Posts: 3
Joined: Mon Jul 22, 2019 3:14 pm

Re: SSL Self Signed Certificates

Wed Feb 21, 2024 4:25 pm

Hi

Sorry for the delay in coming back to you. I have followed your steps and it has generated an SSL certificate and been assigned to my SSL binding on the website created, although when viewing the certificate that is generated in IIS > Server Certificates the "Issued To" is not the machine that the installation took place on, instead it is my company's name which is also set as the "Issued By".

Consequently when I try to browse the website on the machine that is installed I get an SSL certificate warning/error. If I manually create a self signed certificate in IIS the "Issued To" is my machine name, assigning this to my website manually results in the error/warning going away.

Is there something else i need to do to get the "Issued To" property set to the machine the installation takes place on?

Thanks

Liviu
Posts: 1026
Joined: Tue Jul 13, 2021 11:29 am
Contact:  Website

Re: SSL Self Signed Certificates

Mon Feb 26, 2024 3:26 pm

Hello Stuart,

Thank you for the details.

I've been able to reproduce the described problem. I'm afraid this is the default implementation of our Generate and install self signed certificate custom action.

As a workaround solution, you can try creating your own certificate in a custom action. You can use New-SelfSignedCertificate in PowerShell.

Then, from the PowerShell script, save the certificate thumbprint in a property. Here are details about this: Get and set a property in Windows PowerShell Script custom action.

After that, you can use this property for the SSL Certificate.

Hope this helps!

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

StuartRowcliffe
Posts: 3
Joined: Mon Jul 22, 2019 3:14 pm

Re: SSL Self Signed Certificates

Tue Mar 05, 2024 2:57 pm

Thanks Liviu

I managed to get it working via Powershell - for anyone else encountering this issue, the following powershell script should help. Once it has generated the SSL certificate to the personal directory it needs to be exported and then imported into the trusted root certificate authority in order for the browser to trust the certificate and not throw an "unsafe" warning.

Code: Select all

$params = @{
     DnsName = $env:computername
     CertStoreLocation = 'Cert:\LocalMachine\My'
     FriendlyName = '<Whatever you want>'
}
$certificate = New-SelfSignedCertificate @params

$thumbprint = $certificate.Thumbprint
Export-Certificate -Cert cert:\localmachine\my\$thumbprint -FilePath c:\temp\<YourCertificateName>.cer -force

Import-Certificate -filePath C:\temp\<YourCertificateName>.cer -CertStoreLocation "cert:\LocalMachine\Root"

[string] $stringThumbprint = $certificate.Thumbprint

AI_SetMsiProperty SSL_THUMBPRINT $stringThumbprint
Then I set the binding in IIS > Bindings/SSL to Use existing server certificate and specified the [SSL_THUMBPRINT] property in the ThumbPrint (Hash).

Liviu
Posts: 1026
Joined: Tue Jul 13, 2021 11:29 am
Contact:  Website

Re: SSL Self Signed Certificates

Tue Mar 05, 2024 4:24 pm

Hello Stuart,

Thank you for your followup on this.

I am sure this will be of help for other users facing a similar scenario.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Building Installers”