How to create a self-signed certificate with openssl that includes SANs (subject alternative names).

New to Lansweeper here. This is my first post. There is one post in the forum about creating self-signed SSL certs but I had a hell of time trying to make it work. And the official guide from Lansweeper only shows how to change the cert but doesn't outline how to make it successfully work with a self-signed cert.

Hope this is helpful for others.

How to create a self-signed certificate with openssl that includes SANs (subject alternative names).

NOTE: OpenSSL can be ran in multiple ways. One way on Windows is to install this https://slproweb.com/products/Win32OpenSSL.html.

1. Create a new <servername>.cfg file in Notepad with the following info updated for the cert. Add/Remove DNS info if more or less SANs are needed

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
x509_extensions = req_ext

[ dn ]
CN = servername.contoso.com
emailAddress = email@contoso.com
O = Company Name
OU = Department
L = City
ST = State in 2 letter format
C = US

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = servername.contoso.com
DNS.2 = servername
DNS.3 = servername.domain.local

--------------

2. Run the following openssl commands in order. Note make sure to change directory to the same directory your <servername>.cfg file is in.

# Generates a 256 RSA key
openssl genrsa -out <servername>.key 2048

# Generates a PEM certificate with settings defined in <servername>.cfg. Update -days switch to how many days you want the cert valid for, this example is 10 years.
openssl req -new -x509 -sha256 -days 3650 -config <servername>.cfg -key <servername>.key -out <servername>.pem

# Verify settings defined in PEM cert, specifically make sure the SANs are present in the cert.
openssl x509 -in <servername>.pem -text -noout

# Converts PEM to PKCS12 which are better supported on Windows. You will be prompted to set a certificate password. Remember this password as you will need it to import into Certificate Manager on the Lansweeper Server later.
openssl pkcs12 -export -out <servername>.pfx -inkey <servername>.key -in <servername>.pem

-------------

How to import and update the SSL certificate on your Lansweeper site.

1. Copy .pfx file to Lansweeper server, and import it twice.

a. first import it into Local Machine -> Personal
b. second import it into Local Machine -> Trusted Root Certification Authorities

Note: Use the password you set during the certificate creation process during the imports.

Another Note: I battled with this for quite a while as nothing I found says where you import the self-signed certificate. First I tried just Local Machine -> Trusted Root Certification Authorities, but when I'd re-start IISExpress, all browsers I tried were throwing the "Can't connect securely to this page: This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website owner." with no way to ignore or continue to the site. Through trial and error and some research on IISExpress I found that you also have to have the certificate imported to Local Machine -> Personal as well. Then you get the ability to ignore the certificate warning and continue to the site.

2. Once it's imported to both locations, run the procedure found here: https://www.lansweeper.com/knowledgebase/how-to-configure-ssl-in-iis-express/ to update the IISExpressSvc.exe.config file to update the two values

a. "UseCustomSSLCertificate" to 1
b. "CertificateThumbPrint" with the thumbprint of the new certificate.

3. Restart IISExpress service on Windows.

4. Verify the site is working with the newly updated self-signed certificate.

5. If all is good, from your desktop using IE, open your Lansweeper website, click View Certificate, then Install Certificate and place it in Local Machine -> Trusted Root Certificate Authorities. (Do not install the certificate you imported on the Lansweeper server that is password protected, better to do the one with no password that is on your Lansweeper site). Also no need to install this cert on desktops under Personal, that's only needed on the server for IISExpress to present the certificate properly on the site.

6. If you want you can also export that same certificate from your local machine in a format for distribution via GPO so all computers have it as well.

a. On you local PC, open Manage Computer Certificates.
b. Find your Lansweeper certificate under Trusted Root Certification Authorities.
c. Right-click the certificate -> All tasks -> Export.
d. Choose DER encoded binary X.509 (.CER)
e. Choose a location and name your file to export.
f. from Group Policy Management console, create a new GPO to distribute your exported certificate.
g. In the GPO under, add the certificate under Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities -> Certificates.
h. Link GPO to OUs with your computers in it.
i. Run gpupdate /force to force the certificate to update on those PCs, or wait long enough and it will update automatically.