Creating SSL certificates using openssl

Rumi,

Here was my requirements-

  • I need one of my domain (it was actually an IP redirection) with SSL setup on my IIS 6 (windows 2003 server) system.
  • The IIS have several virtual hosted domains already and one of them needed this SSL setup
  • For some reason- Windows openssl didn't give me a mental level of satisfaction, so I used my Linux box (CentOS 5.5 x86) and have my openssl installed.
  • The installation path on centos was /etc/pki/tls/
  • openssl.cn file location was /etc/pki/tls/
  • My directory structure was
    • /tmp/ssl/
      • requests
      • keys
      • certs

Now rest goes as below-

Set up a Certificate Authority (CA)

  1. First, create a 1024-bit private key to use.: 
    openssl genrsa -des3 -out /tmp/ssl/keys/ca.key 1024
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...........++++++
..................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:  - choose a memorable pass phrase to use for this key
Verifying password - Enter PEM pass phrase:  - type your pass phrase again for verification

    The pass phrase will be requested whenever you use this certificate for anything.

  2. This will create a file called /tmp/ssl/keys/ca.key, containing our certificate authority private key.
  3. Next, create a master certificate based on this key, to use when signing other certificates: 
    openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -days 1001 -key /tmp/ssl/keys/ca.key -out /tmp/ssl/certs/ca.cer
Using configuration from openssl.conf
Enter PEM pass phrase:  - type your passphrase here.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:GB
State or Province Name (full name) []:Hampshire
Locality Name (eg, city) []:Southampton
Organization Name (eg, company) []:dylanbeattie.net
Organizational Unit Name (eg, section) []:
Common Name (eg, your websites domain name) []:ssl.dylanbeattie.net
Email Address []:ssl@dylanbeattie.net


This will create a CA certificate and store it as /tmp/ssl/certs/ca.cer
  4. Export the CA certificate in PKCS12 format – this will allow Windows users to import the PKCS12 certificate into their Trusted Root Store, so they don't get warning messages every time they use the certificates.

    Convert a certificate to DER form using the command (I didn't need this, but someone may need it!):

    openssl x509 -in ca.pem -outform DER -out ca.der

 



Create an IIS Certificate Request


Open IIS website properties on the target server and start the SSL request process – follow the IIS steps as instructed. 

	You should end up with a file called certreq.txt.


Sign the Certificate Request


    

  1. Copy the certreq.txt file into /tmp/ssl/requests
    2. 

  2. Sign the request

    openssl ca -policy policy_anything -config /etc/tmp/pki/tls/openssl.cnf -cert /tmp/ssl/certs/ca.cer 
       -in /tmp/ssl/requests/certreq.txt -keyfile /tmp/ssl/keys/ca.key -days 360 -out /tmp/ssl/certs/iis.cer
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
commonName            :PRINTABLE:'myCommonName'
organizationalUnitName:PRINTABLE:'myOrganisationalUnit'
organizationName      :PRINTABLE:'myOrganisation'
localityName          :PRINTABLE:'myLocality'
stateOrProvinceName   :PRINTABLE:'myProvince'
countryName           :PRINTABLE:'GB'
Certificate is to be certified until Aug  7 01:12:12 2006 GMT (360 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



    

    Command-line options:
    

      

    • -policy policy_anything – specifies that we're using the 'policy_anything' policy from our openssl.conf file.
      • 

    • This is a relaxed policy in which the name, country, etc. in the certificate don't need to match those used by the certification authority.
      • 

    • Use -policy policy_match for a more restrictive CA.
      • 

    • -config openssl.cnf – specifies we're reading our configuration from openssl.conf in the current directory.
      • 

    • -cert certs/ca.cer – specifies we're using our CA master certificate to sign the request.
      • 

    • -in requests/certreq.txt – the certificate request we're signing.
      • 

    • -keyfile keys/ca.key – the private key for our CA master certificate, which proves we're allowed to use it.
      • 

    • -days 360 – the time until the certficate will expire
      • 

    • -out certs/iis.cer – the file in which to place our newly-signed certificate
      • 

    

    3. 

  3. Convert the signed certificate into x509 format for use with IIS (I didn't need this either!):

    openssl x509 -in certs/iis.cer -out certs/iisx509.cer

     
    

    This will leave the new certificate in /tmp/ssl/certs/sx509.cer – signed, sealed and ready to install
    4. 



Install the new certificate under IIS


The iisx509.cer file is the certificate response file which should be copied to the target server.

	Open IIS website properties on the target server and start the SSL installation process – follow the IIS steps as instructed.


 




	Comments:


My certificate was ended to iis.cer


	Resources:


http://www.somacon.com/p41.php


http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html


http://www.ruleworks.co.uk/info/openSSL.htm


http://octaldream.com/~scottm/talks/ssl/opensslca.html


			

				Administrations Configurations (Linux) Configurations (Windows)							

		

	



	


    	

		
Leave a Reply
Your email address will not be published. Required fields are marked *