Page 1 of 1

Obtaining a free self signed certificate https for my server

Posted: Mon Jul 13, 2026 8:20 am
by admin
Identify Your System Architecture from powershell run:

Code: Select all

(Get-CimInstance Win32_OperatingSystem).OSArchitecture
  • If it says 64-bit, you need the standard Intel/AMD 64-bit version.
  • If it says ARM 64-bit, you need the ARM version
Download the standalone Windows version of mkcert from github (https://github.com/filosottile/mkcert/releases),
file named "mkcert-v1.4.4-windows-amd64.exe" or similar.
Rename that long file name to just mkcert.exe
Open PowerShell as an Administrator and navigate to your Downloads folder:

Code: Select all

cd ~\Downloads
Install the Local Certificate Authority:

Code: Select all

.\mkcert.exe -install
You should get:
Created a new local CA 💥
The local CA is now installed in the system trust store!


Generate your certificates:

Code: Select all

.\mkcert.exe localhost 127.0.0.1 192.168.1.50 abc.com *.abc.com
(Be sure to replace 192.168.1.50 with your server's actual local network IP address and abc.com with your domain, or remove it if you don't have).
This will instantly output your .pem certificate and key files right into your Downloads folder.
(it will likely name them localhost+4.pem and localhost+4-key.pem depending on how many names are attached).
  • localhost+4.pem (This is your SSL Certificate)
  • localhost+4-key.pem (This is your Private Key)
Binding your new mkcert certificate files to your website inside the IIS Manager:
Because IIS doesn't natively read raw .pem files directly in its user interface, we first need to quickly convert the .pem files into a .pfx (PKCS#12) file that Windows understands, and then import it.

Step 1: Convert the .pem files to .pfx
Open your Administrator PowerShell window in C:\downloads and run the exact same command you ran before, but append -pkcs12 to the end of it:

Code: Select all

.\mkcert.exe -pkcs12 localhost 127.0.0.1 192.168.1.50 abc.com *.abc.com
(Be sure to replace 192.168.1.50 with your server's actual local network IP address and abc.com with your domain, or remove it if you don't have).

This will instantly output a file named something like abc.com+4.pfx inside your C:\downloads.
(Note: The default password for this .pfx file created by mkcert is simply changeit).

Step 2: Import the Certificate into IIS:
Open Internet Information Services (IIS) Manager.
In the left-hand Connections pane, click on your Server Name (the top-level item).
In the center pane, look under the IIS section and double-click on Server Certificates.
In the right-hand Actions pane, click Import....
Click the ... browse button, all files, navigate to C:\downloads, and select your abc.com+4.pfx or abc.com+4.p12 file.
For the password, type: changeit
Leave the Certificate Store set to Personal or Web Hosting, and click OK.
Your certificate is now added to Windows!

Step 3: Bind the Certificate to your Web Page:
Now you just need to tell your specific website to use this certificate on port 443.
In the left-hand Connections pane of IIS, expand the Sites folder and click on your specific website name.
In the right-hand Actions pane, click on Bindings....
In the Site Bindings window, click Add....
Change the settings in the prompt to match this layout:
  • -Type: https
    -IP address: All Unassigned (or select your server's specific local IP)
    -Port: 443
    -Host name: abc (Type your exact domain or subdomain here or leave empty if you don't have)
    -Require Server Name Indication (SNI): Check this box * SSL certificate:
    -Select your newly imported abc.com certificate from the dropdown menu.
Click ok, if you get a message about some intermediate certificate just ignore and go to next step.

Step 4
Open powershell as admin and run:

Code: Select all

ii $env:LocalAppData\mkcert
This will open the folder where your mkcert has saved the certificate files (mine is: C:\Users\Z2\AppData\Local\mkcert)
Inside this folder, look for a file named rootCA.pem
Duplicate that file and change its file extension from .pem to .crt (so it becomes rootCA.crt).

Step 5
Import the Root Certificate into the Windows Trust Store:
Right-click your newly renamed rootCA.crt file and select Install Certificate.
In the Certificate Import Wizard, select Local Machine and click Next. (If prompted by Windows Account Control, click Yes).
Place all certificates in the following store
Click Browse..., select Trusted Root Certification Authorities, and click OK.
Click Next and then Finish. You will see a popup saying "The import was successful."
Step 6: Restart IIS

If when you try to access the secure page from another PC security warnings annoy you, copy the rootCA.crt from the server to the PC and install it as you did in Step 5