I have 2 web servers, A and B. A is a web site used by users and B is a bunch of web services used by server A. So I like to enable https for server B. Since no browsers are supposed to go here I thought it would be sufficient to use a self signed certificate. I successfully created a self signed certificate on server B(through IIS) and exported it, copied to server A, added it to the trusted certificates. But still I get an browser warning when opening a https connection to server B. I suspect the problem is that the certificate is bound to machine-name and not to myservices.mydomain.com ?
So 2 questions
-
Is it "ok" to use a self signed certificate for a server only serving my website?
-
If so, how can I generate this?
Best Answer
1) Is it "ok" to use a self signed certificate for a server only serving my website?
If it's a public-facing website, all users will get a warning, because they don't trust you, you are not in the store of trusted certificates in any browser or system. If you're alone in accessing this website, or alone in accessing it through HTTPS (and all others by HTTP), you can manually trust it by adding the cert to your local store.
2) If so, how can I generate this?
I don't get what you want to generate here, as you already have your cert. You have 2 possibilities to trust your own self-signed cert.
First, you can add per-application exceptions. When getting the warning, you should be able to mark the cert as valid and trusted from now on. Make sure you check the fingerprints, otherwise you may have trusted an attacker's cert.
Second, you can let it trust by your system by adding it to the systems cert store. Here, it's necessary that the Common Name (CN) or any of the Subject Alternative Names (SAN) exactly matches the domain name you use to access the webpage. Don't mix hostnames, domain names and IPs here.