Enabling SSL encryption in IIS7 on Vista
If you're developing websites you intend to deploy on IIS, it's useful to develop on IIS7 and Vista, since it's a good, easy approximation of the live, deployed website. Having fewer differences between development and deployment environments makes your life easier.
If your site is using SSL (https URLs), it can be useful to enable that too on your development machine. It's extremely simple on IIS7 in Vista, since the IIS7 Manager included with Vista can generate a self-signed SSL certificate for you. This certificate will generate a warning when you browse to it (since you, and not a trusted third party, signed the certificate), but otherwise it's fully functional.
To enable SSL with a self-signed certificate, you first need to create such a certificate. This is done in IIS Manager's "Server Certificates" section:
Then click on "Create Self-Signed Certificate":
You'll need to fill in a friendly name. I chose "Progress.NET localhost development cert" in this screenshot:
Once you've created the certificate, you need to turn on SSL (i.e. https) support for the website you're developing. You do this by adding a binding to the website:
Set the binding's "Type" to https (it'll automatically select the default https port, 443):
Then select the certificate you've just made:
That's it! You can now browse to https://localhost/ and view your local website in SSL. Remote users can also do so (if your firewall lets them connect at all).
SSL certificates are specific to a certain hostname. However, the SSL certificate you created is for the hostname of your machine - whatever IIS7 happens to believe it is (this depends on your domain and computer name, for instance). You can connect using a different name, such as localhost, but unless you connect with the "proper" name, your browser will issue a warning.
You can find the name the certificate was issued to in IIS Manager's "Server Certificates" section:
My machine's called "PC219.cowog.local" here, so my browser won't warn me about the phishy URL if I connect to https://pc219.cowog.local/ - although some browsers will still warn you since the issuer (your own machine) isn't a trusted authority. In any case, for this self-signed certificate on your own development machine, you can safely ignore these warnings.
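The two warnings described above (wrong hostname, untrusted issuer) can be told apart from the certificate's own fields. The following is an added example, not part of the original post: the function names are hypothetical, the sample certificate is constructed from the machine name shown above, and the input uses the dictionary shape returned by Python's ssl.SSLSocket.getpeercert().

```python
# Added example: predict which browser warnings a development
# certificate will trigger for a given URL hostname.

def _flatten(rdns):
    """Turn ((('commonName', 'x'),),) into {'commonName': 'x'}."""
    return {key: value for rdn in rdns for (key, value) in rdn}

def cert_hostnames(cert):
    """Names the cert was issued to: DNS subjectAltNames, else subject CN."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    # Legacy fallback: a cert without subjectAltName relies on its CN.
    cn = _flatten(cert.get("subject", ())).get("commonName")
    return [cn] if cn else []

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only replace the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def expected_warnings(cert, host):
    """Return the warnings a browser would raise when visiting https://host/."""
    warnings = []
    if not any(name_matches(n, host) for n in cert_hostnames(cert)):
        warnings.append("name-mismatch")
    # Issuer equal to subject means nobody but the machine itself vouches for it.
    if cert.get("issuer") == cert.get("subject"):
        warnings.append("self-signed")
    return warnings

# Constructed sample: a self-signed cert issued to the machine name above.
DEV_CERT = {
    "subject": ((("commonName", "PC219.cowog.local"),),),
    "issuer": ((("commonName", "PC219.cowog.local"),),),
}

if __name__ == "__main__":
    for host in ("localhost", "pc219.cowog.local"):
        print(host, expected_warnings(DEV_CERT, host))
```

Connecting as localhost yields both warnings; connecting with the machine's own name leaves only the untrusted-issuer one.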

1 Comments:
Thanks for the Article.