Creating a self-signed server certificate
Introduction
To set up a secure server using TLS (Transport Layer Security) you will need a server certificate. The server certificate provides authentication: it binds the server's public key to its hostname, so that a connecting client can verify that it is talking to the server it intended to reach and not to an impostor.
Ideally the server certificate is signed by a trusted Certificate Authority (CA). A trusted authority such as Let’s Encrypt or Comodo will have some (usually automated) process in place to verify that you control the hostname before it issues a certificate to you.
That verification is not always possible or worthwhile, for example for a server that is only reachable on an internal network or that exists only for testing. This is why it is useful to be able to generate a ‘self-signed’ certificate as well: a certificate that is signed with its own private key instead of a CA’s. Keep in mind, however, that client software will not trust a self-signed certificate unless that specific certificate has been explicitly added to the client’s trusted store, so it is no substitute for a CA-signed certificate on a public server.
What is a certificate
The certificate itself is just a file. In our case it is packaged in a ‘.pfx‘ file (a PKCS #12 container), which generally stores these things:
- Your server’s public key and hostname
- Your server’s private key (this is what makes the .pfx file sensitive; the certificate proper never contains the private key)
- The signature of the certificate authority (CA); for a self-signed certificate this signature is made with the server’s own private key
- Some other flags that identify the purpose of the certificate, its validity period etc.
Alternatively you can think of it as a ‘.cert‘ file (Windows normally uses the ‘.cer’ extension for this). A ‘.cert’ file contains the same information as a .pfx file except for the server private key, so it can be handed freely to clients that need to verify the server.
The file will generally be imported into your PC’s certificate store, which is central on your PC and shared with all applications that may need to use or verify certificates. Windows has its own central certificate store. Third-party libraries, like OpenSSL, don’t necessarily connect to the Windows certificate store but may use their own store.
In this document we’re using the Windows certificate store. The Auron Software products exclusively use the Windows Certificate store as well.
Step 1. Start PowerShell as administrator
Start the PowerShell prompt by pressing ‘Windows-Key‘ + ‘X‘ and selecting the option ‘Windows PowerShell (Admin)‘.
Step 2. Generate the self-signed certificate
Create a new self-signed certificate by running the following command in PowerShell:
New-SelfSignedCertificate -DnsName "smppserver.smscompany.com" -CertStoreLocation "cert:\LocalMachine\My"
The -DnsName argument should be the complete name of your server. This should be the name that an external client would use to connect to your server, because a TLS client checks that the name it connected to matches the name in the certificate; a certificate issued for the wrong name is rejected even by a client that trusts it. If the server is reachable under more than one name you can pass several names separated by commas.
You now have a certificate ready for use in the Local Machine certificate store. By default it is valid for one year from the moment it was created.
To use it with the SMS Server or the SMS Component you can specify that the certificate store should be: LocalMachine. Although every account can read the certificates in the LocalMachine store, the private key of a certificate created this way is by default only accessible to Administrators and the SYSTEM account. You will therefore need to run the SMS Server service or your application as Administrator or LocalSystem to be able to use the private key from the LocalMachine store and start the secure SMPP Server.
Step 3. (Optional) Export certificate to file
If you are testing it may be practical to have the certificate available in the current user’s store as well. That way you don’t have to start your SMS Component application as an Administrator just to test the secure SMPP Server function.
For this, start the Microsoft Management Console (mmc.exe). In the management console add the ‘Certificates’ snap-in for the local computer and again for the current user. Use the shortcut ‘Ctrl‘ + ‘M‘ to open the ‘Add or remove Snap-ins‘ dialog.
With both snap-ins selected click on OK.
Now you can use the management console to navigate to the ‘Personal’ certificates on Local Computer. Right click on the certificate name and select ‘All Tasks‘ -> ‘Export…‘ to start the export wizard.
In the export wizard you can use all default settings to generate a .cert file (which does not contain your private key). If you select ‘Export the private key’ you will generate a .pfx file and you will be required to provide a password as well. This password protects the private key inside the file and is required to import the .pfx file in the next step. Treat the .pfx file as carefully as the private key itself: delete it once it has been imported, or keep it where only you can read it.
Step 4. Import certificate into the local user store
Import the newly exported .pfx or .cert by moving to the ‘Personal‘ certificates in the ‘Certificates – Current User‘ snap-in. There, right click on some of the white space and select ‘All Tasks‘ -> ‘Import‘. Note that only the .pfx file carries the private key: importing just the .cert file gives the user a certificate it can verify, but not one it can use to start the server.
With your certificate available in the local user store you can always use it to start a secure SMPP Server when logged in as that user.
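The whole procedure of Steps 2 to 4 can also be done from the elevated PowerShell prompt of Step 1, without the MMC wizards. The script below is an added example for this page; it is not part of the original article and not code from Auron Software. The hostname, file paths, friendly name and validity period are placeholders chosen for the example, and the PFX password is read interactively so that it never appears in the script.

```powershell
# Added example (not from the original article or from Auron Software):
# Steps 2-4 above done entirely in PowerShell, followed by a check.
# Placeholders: hostname, paths, friendly name and validity are assumptions.

$HostName    = "smppserver.smscompany.com"   # name clients use to connect
$PfxPath     = "C:\certs\smppserver.pfx"     # certificate + private key
$CerPath     = "C:\certs\smppserver.cer"     # certificate only, no private key
$PfxPassword = Read-Host -Prompt "PFX export password" -AsSecureString

New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# Step 2: create the certificate in the Local Machine store. The cmdlet's
# defaults (RSA 2048, SHA-256, one year validity) are made explicit here, and
# the key is marked exportable so that it can be copied to the user store.
$cert = New-SelfSignedCertificate `
    -DnsName           $HostName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -HashAlgorithm     SHA256 `
    -KeyExportPolicy   Exportable `
    -NotAfter          (Get-Date).AddYears(1) `
    -FriendlyName      "SMPP test server ($HostName)"

"Created $($cert.Thumbprint) for $($cert.Subject), valid until $($cert.NotAfter)"

# A self-signed certificate is its own issuer; this is what clients will
# complain about until the .cer is explicitly trusted.
if ($cert.Issuer -ne $cert.Subject) { throw "Unexpected issuer: $($cert.Issuer)" }

# Step 3: export. The .pfx carries the private key and is protected by the
# password; the .cer can be handed to clients that must trust this server.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath -Type CERT            | Out-Null

# Step 4: import the .pfx (not the .cer) into the Current User personal
# store, so that the SMS Component application can use the private key
# without running as Administrator.
Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Password $PfxPassword | Out-Null

# Check: the same thumbprint must be present in the user store with a usable
# private key. A missing key here means the .cer was imported instead of the
# .pfx, or the key was created non-exportable.
$userCopy = Get-ChildItem "Cert:\CurrentUser\My" |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $userCopy -or -not $userCopy.HasPrivateKey) {
    throw "Import into Cert:\CurrentUser\My failed or the private key is missing."
}
"Certificate $($userCopy.Thumbprint) is usable from Cert:\CurrentUser\My."

# The .pfx is now only a liability on disk; remove it (or keep it somewhere
# only you can read).
Remove-Item $PfxPath

# Optional, on a TEST client only: make the client trust the self-signed
# certificate by placing the public .cer in its Trusted Root store. Do not
# do this on production machines.
# Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\Root"
```

The Current User store that Import-PfxCertificate writes to is that of the account running the elevated prompt. If the SMS Component application will run under a different account, run the import step (and the check) as that account instead, or the application will not find the certificate.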