Create a certificate with SSLDiag.exe

In the IIS 6 Resource Kit there was a tool named SelfSSL.exe. It has been replaced by SSLDiag.exe, which lets you create a self-signed certificate without needing a Certificate Server or a third-party certificate. You can download SSLDiag here.

After installing SSLDiag.msi, open a command prompt and change to the directory where SSLDiag.exe was installed. By default this is “C:\Program Files\IIS Resources\SSLDiag”.

Before running the command to add a certificate to IIS, you need to know the following:

  • Website ID (Identifier)
  • Common name
  • Valid days

Website ID
You can choose which website to create a certificate for. To do so, you need to know the ID (Identifier) of the site. You can get this by opening IIS and selecting Web Sites; the right-hand pane then lists all websites with their descriptions, host headers, state, IP addresses and Identifiers. The default website is always ID 1.

Common name
A certificate is always validated against the hostname. If the common name and the hostname are the same, and you add the certificate to your own trusted root store, you will not get a pop-up saying the certificate is not valid. That’s the reason I use the hostname as the common name.

Valid days
Your certificate is valid for a limited period of time. You specify the number of days for which the certificate should be valid.

When you have collected these settings, you can run the command.

For example:

  • website ID = 123456789
  • common name = webmail.domain.com
  • valid = 365 days

Now you have enough information; enter the following at the command prompt:

ssldiag.exe /selfssl /s:123456789 /n:"CN=webmail.domain.com" /v:365

After running the command, the certificate is bound to the specified website. You can then check the site by opening a web browser and browsing to it (or by looking in IIS Manager).
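As an added example (not part of the original post), here is a small Python check that does what the browser does at this step: it confirms the certificate’s common name matches the hostname you type in and that the date lies inside the validity window. The certificate is a constructed dict in the shape returned by Python’s ssl.SSLSocket.getpeercert(), with invented dates; against a live server you would replace it with that call.

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() for a cert
# made with: ssldiag.exe /selfssl /s:123456789 /n:"CN=webmail.domain.com" /v:365
# (dates are invented for the example)
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.domain.com"),),),
    "issuer": ((("commonName", "webmail.domain.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 00:00:00 2024 GMT",
}

def common_name(cert):
    # Subject CN of a getpeercert()-style dict, or None if there is none
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def hostname_matches(cn, hostname):
    """Case-insensitive match; '*' only as the whole left-most label,
    so *.domain.com matches webmail.domain.com but *.com does not."""
    cn, hostname = cn.lower().rstrip("."), hostname.lower().rstrip(".")
    if cn == hostname:
        return True
    if cn.startswith("*.") and cn.count("*") == 1:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return False

def days_remaining(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def check_certificate(cert, hostname, now=None):
    """Problems a browser would warn about; an empty list means no warning."""
    now = time.time() if now is None else now
    problems = []
    cn = common_name(cert)
    if cn is None or not hostname_matches(cn, hostname):
        problems.append(f"CN {cn!r} does not match hostname {hostname!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if days_remaining(cert, now) < 0:
        problems.append("certificate has expired")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: import it into the trusted root store or the browser will warn")
    return problems
```

The self-signed entry is the one warning a correctly named, unexpired SSLDiag certificate still produces until you add it to your trusted root store, as the Common name section describes.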

For the complete list of SSLDiag.exe commands, type:

SSLDiag.exe /?
