This great post over at iis.net by Thomas Deml that explains the new features of selfssl7 and has a link to download this tool:

Download selfSSL7

SelfSSL7 has the following features:

• The site name SSL is to be configured on
• The IP address
• The port
• Add as a trusted root certificate
• Export to a pfx file
• One or more configurable common name
• Configurable expiration date
• Configurable key size

You can see all the examples of use and features at Thomas Deml’s post ( http://blogs.iis.net/thomad/archive/2010/04/16/setting-up-ssl-made-easy.aspx)

What a great new tool.  We are excited to use this to secure our internal applications and use it for testing.  I hope the IIS team keeps up the great work and continues to push out tools like this.

Many people have emailed me about how to setup and ssl on their development environment or internal sites without paying for a certificate.  Here are the steps to secure your local IIS server (windows 2003) with a self signing ssl.

You will need to download the IIS 6.0 Resource kit from Microsoft – (here)

Install just the selfssl (or everything if you want to use the resource kit)

Download the resource kit.  Execute the iis60rkt.exe and select next on welcome page. You will have to agree to the license.  Select Next, and select the Custom install option to just install the SelfSSL 1.0 program.

Select your directory, for this example I will just use the default. C:\program files\iis resources\.  For this example I am only selecting the SelfSSL option

Select next to install and finish when it is done.

Install should be complete.

Create Certificate

We will now create a certificate.  Open a command (DOS) window. Start | run | cmd.  Change directory to the location where you installed the resource kit.  I chose the default location c:\program files\iis resources.  To do this type “cd c:\program files\iis resources\selfssl” in the Command window.

Once in the resource kit directory you can use the selfssl.exe program to create a certificate.  If you run the program “selfssl.exe /? “ You will see all the options available.

We will be using a few options to modify our certificate to allow for a FQDN (Fully Qualified Domain name) [/N:CN]and the correct Site ID [/S]

Before we can run the command and install the certificate we need to find the site id for the particular IIS site that we want to have the ssl bound to.   If you are running only one site on the server and it is default then you can use the /S:1 (default site) option.   I typically turn off the default site on my servers for security reasons and have more than one site running.  To find an IIS site id there are a few options.  I prefer the simple route of viewing the log file for that site and showing the properties there.

In this example I will be creating an SSL for the IIS web site (somedomain.com).  You can see from the image of my iis manager screen the site.

To find the site ID for this particular site (somedomain.com) we can right click and select properties.  From the site properties window under the “Web Site” tab select the logging properties button.

This will open the logging properties window.  On this window the log file name will include the Site ID

In this example the site ID we are going to be working with is 1341291934.  The log file name included the site ID after the starting W3SVC.

We now go back to our command window and will run the selfssl executable with the following commands.

Selfssl.exe /T /N:CN=somedomain.com /S: 1341291934

This command will create a certificate with the following options:
/T = Adds the local certificate to the trusted certificates list
/N:CN = the fully qualified domain name used for the site (somedomain.com) this would be your site name www.yourintranet.com
/S:1341291935 = Site ID (you got this from log file name on iis) 1 = the default site

You have now created an SSL certificate for the siteID you have chosen and can view the site properties and see your certificate will listen on Port 443 (SSL)

This is a simple and quick way to use SSL and encryption on your local sites and intranets.  I would not recommend using this method to secure a production server or a server on the Internet.  Please use a purchased signed SSL certificate.

Let’s tackle each of the above questions.

1. Which provider is the best? There are a ton of ssl providers to choose from. I could spout off at least 10 from the top of my head. The first one people always mention when I ask them is Verisign. Verisign has the name recognition and probably has been around the longest. I have used them many times over the years, when clients complained about verisign’s cost (starts at 700) I often refered them to

Thawte Thawte was actually purchased by VeriSign. These prices have changed over the years with competition and many new providers offering cheaper solutions. With all this said I would still rank Verisign the best by name recognition and over all security (they do their homework before issuing you a certificate.

2. What does an SSL certificate cost? I have seen prices range from 1000’s to free. A typical ssl will run between 800 (VeriSign) to 50 (godaddy). Price can vary on the strength of the cert, security assurance, wild cards and warranty. Free SSL certs are available and you can generate your own.

3. Which of the cheaper providers are the best?
If you do a search for

SSL purchase you will find dozens of providers and ranges of pricing. Almost all the major hosting providers offer ssl cert now. I am not sure when these providers started, but competition is good. In the early days of iis 4 you really only had a few choices of providers. I have not done a shoot out or comparison of providers but I can say that in my experience that godaddy does offer a very attractive price and robust ssl cert. I have used them frequently in the last year with great success.

4. Should I self ssl?
Self SSL is a term where a server will sign it’s own certificate. This is commonly used in internal sites(intranet) where the data is needed to be encrypted by local trusted computers. Self SSL’s are good to secure data that is not of high value. It is not recommended to use a self signing ssl on your e commerce site.

5. Are their Free SSL providers?
Yes, there are some free providers that will validate and sign your certificate. I am a big fan of

CAcert. I use them frequently. However, I will say the same thing, you should not use this on a site where security is critical say an e commerce site. I use these certs to secure (dashboards, admin sections of sites, development environments, QA sites, user administration, etc…)

All of the information I have discussed is from my experiences. There are a few great references out there for you to read before listening to my selections. I recommend reading the ssl comparison from (WhichsSL) http://www.whichssl.com/comparisons/index.html

There are 3 or 4 ftp servers I would recommend using with IIS that allow for secure ftp.  I won’t go into the benifits of each type of secure ftp (FTP over ssl, ssh, or sftp).  I will mention some of the products I have evaulated and used in my past projects:

Globalscape Secure ftp server (http://www.cuteftp.com/gsftps/) – This was the first secure ftp server I have ever installed an used.  I found it very easy to configure and integrate into an environment.  I was very successful using the Active Directory user model as well.  I think this may be the only product that can integrate with AD (don’t quote me)  The price for globalscape is also reasonable – $490 is not that much to pay for a reliable and supported server software.  I have used this product since the early days and found that version 2.0 was a bit buggy on 2003 (when Server 2003 came out)  However the Globalscape team updated the software and corrected the issues very quickly.  The newer version have been able to handle 1000’s of transactions for me in the past, with great reliability.  The secure part of the server worked well with almost any client, Filezilla (more on Filezilla to come) and also other vendors ftp clients.

Glub Tech – Secure FTP (http://www.glub.com/products/secureftp/) – This is the only product I have not used in a production environment.  The install is fairly painless, but I found the configuration and use a bit cumber sum. I also liked the price (25) but was not sure on the licensing if that was for the client or the server.  I only list this one because it is found on most searches.

Ipswitch – WS FTP server – (http://www.ipswitch.com/products/ws_ftp-server/index.asp?t=features)  Ipswitch also makes a fine product.  The cost $395 is very reasonable.  I found it was very easy to install but hard to navigate through the options.  I also have used this in a production environment for a few years and found the reliability very good.  The secure section of this product did not work well with other client than the IPswitch client.  I never got over the fact that it did not play well with other clients.

Filezilla server (http://filezilla.sourceforge.net/) – I did not discover this product until I had been using globalscape for about a year and a half.  When I fisrt stumbled upon it after using the Filezilla ftp client with the globalscape server.  I did not know what to make of beta ftp servers running in a production environment.  Since that time I have deployed this server in about 3- 5 environments with great success.   It is a fantastic FTP server as well as a Secure ftp server.   It allows you to use all the mentioned protocols above. If you are in need of sending secure files I would recommend trying this out.  You cannot beat the cost (FREE).
I hope this information helps out the next Admin that is in need of some secure file transfers.

It is worth mentioning some other products available. They may not be the same as Secure ftp but they do allow for secure communication.

OPEN SSH on windows – (http://sshwindows.sourceforge.net/ )  this is a little gem if you are willing to work through a tough install and configuration.  Once you have this running you can use Filezilla (client) and connect to a windows machine via SSH and use it like an ftp server.

SSL Explorer – (http://www.sshtools.com/showSslExplorer.do) – this is more of a vpn solution, but it works very well.  It creates a SSL based vpn and you can transfer files via that.  They offer a free solution for non commercial use.

UPDATE:

Since writing this post I have taken to using SSH or rather SCP to transfer files.   In the windows world I have had great success with freesshd.

FreeSSHd (or freeftpd): (http://www.freesshd.com/) a great windows implementation of ssh.  It allows you to set user information and rules.

There are 3 or 4 ftp servers I would recommend using with IIS that allow for secure ftp.  I won’t go into the benifits of each type of secure ftp (FTP over ssl, ssh, or sftp).  I will mention some of the products I have evaulated and used in my past projects:

Globalscape Secure ftp server (http://www.cuteftp.com/gsftps/) – This was the first secure ftp server I have ever installed an used.  I found it very easy to configure and integrate into an environment.  I was very successful using the Active Directory user model as well.  I think this may be the only product that can integrate with AD (don’t quote me)  The price for globalscape is also reasonable – $490 is not that much to pay for a reliable and supported server software.  I have used this product since the early days and found that version 2.0 was a bit buggy on 2003 (when Server 2003 came out)  However the Globalscape team updated the software and corrected the issues very quickly.  The newer version have been able to handle 1000’s of transactions for me in the past, with great reliability.  The secure part of the server worked well with almost any client, Filezilla (more on Filezilla to come) and also other vendors ftp clients.

Glub Tech – Secure FTP (http://www.glub.com/products/secureftp/) – This is the only product I have not used in a production environment.  The install is fairly painless, but I found the configuration and use a bit cumber sum. I also liked the price (25) but was not sure on the licensing if that was for the client or the server.  I only list this one because it is found on most searches.

Ipswitch – WS FTP server – (http://www.ipswitch.com/products/ws_ftp-server/index.asp?t=features)  Ipswitch also makes a fine product.  The cost $395 is very reasonable.  I found it was very easy to install but hard to navigate through the options.  I also have used this in a production environment for a few years and found the reliability very good.  The secure section of this product did not work well with other client than the IPswitch client.  I never got over the fact that it did not play well with other clients.

Filezilla server (http://filezilla.sourceforge.net/) – I did not discover this product until I had been using globalscape for about a year and a half.  When I fisrt stumbled upon it after using the Filezilla ftp client with the globalscape server.  I did not know what to make of beta ftp servers running in a production environment.  Since that time I have deployed this server in about 3- 5 environments with great success.   It is a fantastic FTP server as well as a Secure ftp server.   It allows you to use all the mentioned protocols above. If you are in need of sending secure files I would recommend trying this out.  You cannot beat the cost (FREE).
I hope this information helps out the next Admin that is in need of some secure file transfers.

It is worth mentioning some other products available. They may not be the same as Secure ftp but they do allow for secure communication.

OPEN SSH on windows – (http://sshwindows.sourceforge.net/ )  this is a little gem if you are willing to work through a tough install and configuration.  Once you have this running you can use Filezilla (client) and connect to a windows machine via SSH and use it like an ftp server.

SSL Explorer – (http://www.sshtools.com/showSslExplorer.do) – this is more of a vpn solution, but it works very well.  It creates a SSL based vpn and you can transfer files via that.  They offer a free solution for non commercial use.

UPDATE:  (FTPs from IIS7) – FTP 7.5 from microsoft (a separate download) enables secure ftp. http://learn.iis.net/page.aspx/310/what-is-new-for-microsoft-and-ftp-75/