Using Self-Signed Certificates for Web Sites on Windows Server for Hosting Service Providers


Microsoft is bringing Windows Azure Web Sites, Virtual Machines, Service Management Portal and API to Windows Server, enabling service providers to easily deliver high-density website hosting and Infrastructure as a Service scenarios in a Windows Server-based environment.


For more information regarding this exciting product, check out the document here.


One of the coolest features of this product is SSL. Instead of using a wildcard certificate for all web sites, the Centralized Certificate Store feature introduced in IIS 8 lets customers use their own certificate for an SSL web site, one that exactly matches the web site's DNS name. This brings SSL web site density to a significantly higher level.


For testing/development purposes, you may want to use self-signed certificates. This article describes how to use self-signed certificates on Web Sites on Windows Server for Hosting Service Providers.


At first, I tried using the PowerShell cmdlet “New-SelfSignedCertificate” and couldn’t make it work. Then I followed this article, and it worked perfectly.


Here are the steps.

Create Root Authority

makecert -n "CN=MyTestCA" -r -sv MyTestCA.pvk MyTestCA.cer

-          A dialog box will pop up asking you to provide a password for the private key. Remember it.

-          Two files will be generated: MyTestCA.pvk and MyTestCA.cer


Install the Root Certificate

Install the root certificate MyTestCA.cer into the Trusted Root Certification Authorities store (Local Computer store) on the following roles:

-          Sites RestAPI

-          Sites Frontend

-          Client machines used for testing/development


Generate the Server Certificate

Run the following command to generate the server certificate used for your web site. For example, if your site name is, then the command is:

makecert -pe -iv MyTestCA.pvk -n "" -eku -ss my -sr localmachine -sky exchange -ic MyTestCA.cer


Export the Server Certificate

The certificate generated by the above command can’t be used as is, since it doesn’t contain the private key. We need to export the key. You can either use the Certificates MMC (Local Computer store) or use the following command (certmgr is a command included in the Windows SDK):

certmgr -c -s -r localMachine MY

Now you have a certificate named .pfx that contains the private key and is protected by a password.
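
A pre-upload check for the exported .pfx, added here as an example and not part of the original post: it confirms that the file carries the private key, that the certificate name exactly matches the site's DNS name, and that the chain builds to a root trusted on the machine where it runs. The parameters `$PfxPath` and `$SiteName` are assumptions supplied by the caller; run it on a machine where MyTestCA.cer is already installed as a trusted root.

```powershell
# Added example: sanity-check an exported .pfx before uploading it.
# $PfxPath and $SiteName are placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [Parameter(Mandatory = $true)] [string] $SiteName   # DNS name the site is served on
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # standard Server Authentication EKU OID

# Load the PFX with its password (prompted, never passed on the command line).
$path = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $path, $password

# DNS name from the SAN extension, falling back to the subject CN.
$dnsName = $cert.GetNameInfo('DnsName', $false)

# If an EKU extension is present it must include Server Authentication.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOk = (-not $eku) -or [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

# Build the chain against the local trust stores. Revocation checking is
# switched off because a makecert test CA publishes no CRL.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$result = [pscustomobject]@{
    Subject       = $cert.Subject
    HasPrivateKey = $cert.HasPrivateKey
    NameMatches   = ($dnsName -eq $SiteName)   # exact, case-insensitive match
    ServerAuthEku = $ekuOk
    ChainTrusted  = $trusted
    Root          = $root.Subject
    NotAfter      = $cert.NotAfter
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
$result

if (-not ($result.HasPrivateKey -and $result.NameMatches -and $result.ServerAuthEku -and $result.ChainTrusted)) {
    Write-Warning 'Certificate failed one or more checks; see the fields above.'
}
```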


Enable Self-Signed Certificate

Before using the self-signed certificate, we have to change the hosting configuration to allow self-signed certificates.

-          Log on to the controller role as an administrator

-          Open a PowerShell console and run the following commands

o   Add-PsSnapin WebHostingSnapin

o   Set-hostingconfiguration -AllowSelfsignedCertificates $true


Upload the Certificate

Finally, you can upload and use your own self-signed certificate on the tenant portal.

-          Log on to the tenant portal

-          Click the name of the site you want to upload a certificate for

-          Click the “CERTIFICATES” on the top-right

-          Click “UPLOAD CERTIFICATE” in the middle-bottom and follow the instructions


Now open IE and browse to your site using HTTPS. You should see that the uploaded self-signed certificate is used.



See you next time,


Wei from APGC DSI Team


Comments (1)

  1. aenagy says:

    What is the Windows Server 2012/PowerShell 3 equivalent?
