Better, Faster, Easier SSL testing for ASP.NET MVC & WebForms

ScottHa has a great blog Working with SSL at Development Time is easier with IISExpress, but I’ve got what I think is a better approach. Please weigh in.

In this blog entry I’ll show you how to test SSL on your ASP.NET MVC & WebForms  applications using IIS 7. You should make sure you have IIS 7 set up on your Windows 7 computer before proceeding. See my blog Test your ASP.NET MVC or WebForms Application on IIS 7 in 30 seconds for instructions.

Create a new ASP.NET MVC 3 Application called MvcSSL in the C:\Webs folder. Accept all the defaults.


WARNING: IIS cannot run an ASP.NET project that has been created in the default Visual Studio project folder (C:\users\<user>\Documents\Visual Studio 2010\Projects). Select a folder where IIS can access the files, such as C:\Webs.

Build and run the application.

Right click the solution and select Properties.


  1. Select Web in the left pane.
  2. Under Servers, select the Use Local IIS Web server radio button.
  3. Select the Create Virtual Directory button.


Should you get the message:

Unable to create the virtual directory. To access Web sites on the local IIS Web server, you must run Visual Studio under an Administrator account.


Read it and follow the directions and you’ll be rewarded with a friendlier message.


Now go back to IIS manager, refresh and drill down in the Default Web Site. Select Browse *:80(http) in the right pane.


Adding a SSL Cert the Super Ninja way.

  1. Download and unzip Thomas Demels awesome SelfSSL7 tool. Read about SelfSSL7 here.
  2. Open a administrative command prompt in the SelfSSL7 directory.
  3. Substitute your machine name for Q3 (which was my machine) and run the following command:
    SelfSSL7.exe /Q /T /I "Default Web Site" /N cn=Q3;cn=localhost /V 1000

That’s it. You now have a self signed certificate for testing.

Open Global.asax and add RequireHttps to all controllers and action methods.

 public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
           filters.Add(new RequireHttpsAttribute());  
           filters.Add(new HandleErrorAttribute());

Build the application and refresh the browser. Note IIS Manager now includes the SSL port.



Click on the lock icon to examine the certificate.


Next Steps

Change the URL to use the machine name instead of localhost.


To access this site from a remote computer, you’ll probably have to open up port 443.

To configure the firewall for HTTPS (port 443)

  1. From the Start menu, enter wf.msc


  2. In the console tree, click Inbound Rules, and then click New Rule.


  3. In the Rule Type page, click Port, and then click Next.


  4. On the Protocols and Ports page, select TCP, and then click Specific local ports.  Enter port 443. Then click Next.


    5. On the Action page, click Allow the connection, and then click Next.


    6. On the Profile page, make sure that the Domain, Private, and Public check boxes are selected, and then click Next to accept the default profile.


    7. On the Name page, under Name,  type something like World Wide Web Services (Rick’s HTTPS Traffic-In).


  5. You can now test the the site from a remote computer, but it won’t be trusted.



  6. Export the certificate and import on a remote computer. Run the following command (change the computer name from Q1 to your computer).

C:\Users\ricka\Downloads\SelfSSL7>SelfSSL7.exe /Q /T /I "Default Web Site" /N cn=Q1;cn=localhost /

V 1000 /K 2048 /X /F q1.pfx /W 5$ecURE!

  • Navigate to the PFX file from a remote computer. Double click on the PFX file to start the import wizard.


  • Select Next.


  • Select Next and enter the password. (I used 5$ecURE! in the example).


  • Select Place all certificates in the following store, then select Browse.


  • Click OK.


  • Click Finish.


  • You should now be able to browse from the remote computer without warning.

Testing with FireFox

  1. Using FireFox,, browse to the MvcSSL site. FireFox will issue a warning and not display the page.


  2. Select Add Exception.


  3. You can now browse to the site without a warning.