Creating SSL certificates using openssl

Rumi, November 26, 2010

Here were my requirements: I needed one of my domains (it was actually an IP redirection) set up with SSL on my IIS 6 (Windows 2003 Server) system. The IIS already hosts several virtual domains, and one of them needed this SSL setup.

For some reason, openssl on Windows didn't give me a mental level of satisfaction, so I used my Linux box (CentOS 5.5 x86), which has openssl installed.

The installation path on CentOS was /etc/pki/tls/, and the openssl.cnf file was also located under /etc/pki/tls/.

My directory structure was:

```
/tmp/ssl/
    requests
    keys
    certs
```

The rest goes as below.

Set up a Certificate Authority (CA)

First, create a 1024-bit private key to use:

```
openssl genrsa -des3 -out /tmp/ssl/keys/ca.key 1024
```

```
Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...........++++++
..................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
```

At the first "Enter PEM pass phrase:" prompt, choose a memorable pass phrase to use for this key; at the "Verifying password" prompt, type your pass phrase again for verification. The pass phrase will be requested whenever you use this certificate for anything.

This will create a file called /tmp/ssl/keys/ca.key, containing our certificate authority private key.

Next, create a master certificate based on this key, to use when signing other certificates:

```
openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -days 1001 -key /tmp/ssl/keys/ca.key -out /tmp/ssl/certs/ca.cer
```

```
Using configuration from openssl.conf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:GB
State or Province Name (full name) []:Hampshire
Locality Name (eg, city) []:Southampton
Organization Name (eg, company) []:dylanbeattie.net
Organizational Unit Name (eg, section) []:
Common Name (eg, your websites domain name) []:ssl.dylanbeattie.net
Email Address []:ssl@dylanbeattie.net
```

Type your pass phrase at the "Enter PEM pass phrase:" prompt. This will create a CA certificate and store it as /tmp/ssl/certs/ca.cer.

Export the CA certificate in PKCS12 format: this will allow Windows users to import the PKCS12 certificate into their Trusted Root Store, so they don't get warning messages every time they use the certificates.

Convert a certificate to DER form using the following command (I didn't need this, but someone may need it!):

```
openssl x509 -in ca.pem -outform DER -out ca.der
```

Create an IIS Certificate Request

Open the IIS website properties on the target server and start the SSL request process, following the IIS steps as instructed. You should end up with a file called certreq.txt.

Sign the Certificate Request

Copy the certreq.txt file into /tmp/ssl/requests, then sign the request:

```
openssl ca -policy policy_anything -config /etc/pki/tls/openssl.cnf -cert /tmp/ssl/certs/ca.cer -in /tmp/ssl/requests/certreq.txt -keyfile /tmp/ssl/keys/ca.key -days 360 -out /tmp/ssl/certs/iis.cer
```

```
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
commonName            :PRINTABLE:'myCommonName'
organizationalUnitName:PRINTABLE:'myOrganisationalUnit'
organizationName      :PRINTABLE:'myOrganisation'
localityName          :PRINTABLE:'myLocality'
stateOrProvinceName   :PRINTABLE:'myProvince'
countryName           :PRINTABLE:'GB'
Certificate is to be certified until Aug 7 01:12:12 2006 GMT (360 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Command-line options:

- -policy policy_anything: specifies that we're using the 'policy_anything' policy from our openssl.cnf file. This is a relaxed policy in which the name, country, etc. in the certificate don't need to match those used by the certification authority. Use -policy policy_match for a more restrictive CA.
- -config openssl.cnf: specifies the openssl.cnf file we're reading our configuration from (given by its full path in the command above).
- -cert certs/ca.cer: specifies we're using our CA master certificate to sign the request.
- -in requests/certreq.txt: the certificate request we're signing.
- -keyfile keys/ca.key: the private key for our CA master certificate, which proves we're allowed to use it.
- -days 360: the time until the certificate will expire.
- -out certs/iis.cer: the file in which to place our newly-signed certificate.

Convert the signed certificate into x509 format for use with IIS (I didn't need this either!):

```
openssl x509 -in certs/iis.cer -out certs/iisx509.cer
```

This will leave the new certificate in /tmp/ssl/certs/iisx509.cer, signed, sealed and ready to install.

Install the new certificate under IIS

The iisx509.cer file is the certificate response file, which should be copied to the target server. Open the IIS website properties on the target server and start the SSL installation process, following the IIS steps as instructed.

Comments: My certificate ended up as iis.cer.

Resources:

- http://www.somacon.com/p41.php
- http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
- http://www.ruleworks.co.uk/info/openSSL.htm
- http://octaldream.com/~scottm/talks/ssl/opensslca.html
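The following is an added example, not code from the post or from the how-tos it links, that wires the CA setup and the `openssl ca -policy policy_anything` signing step above into one non-interactive script, then checks that the issued certificate actually chains to the CA before anything is installed. It assumes openssl on PATH, a scratch directory with its own minimal openssl.cnf (in place of /etc/pki/tls/openssl.cnf, whose CA directory layout it recreates: index.txt database, serial file, newcerts directory), a 2048-bit unencrypted CA key instead of the post's 1024-bit -des3 key, and a locally generated CSR standing in for the IIS certreq.txt.

```shell
# Builds the post's CA in a scratch dir with its own openssl.cnf, signs a locally
# constructed CSR (stand-in for IIS's certreq.txt), then checks the issued chain.
set -eu
setup_ca() {    # $1 = scratch dir; creates the files `openssl ca` expects to find
  dir=$1; mkdir -p "$dir/keys" "$dir/certs" "$dir/requests" "$dir/newcerts"
  : > "$dir/index.txt"; echo 1000 > "$dir/serial"   # ca's database and next serial
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
x509_extensions = leaf_ext
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA certificate; 2048-bit unencrypted key where the post used 1024 + -des3.
  openssl req -config "$dir/openssl.cnf" -new -x509 -days 1001 -newkey rsa:2048 -nodes \
    -keyout "$dir/keys/ca.key" -subj "/C=GB/O=Example CA/CN=Example Root CA" \
    -extensions ca_ext -out "$dir/certs/ca.cer" >/dev/null 2>&1
}

sign_request() {    # $1 = dir, $2 = CSR, $3 = output cert; -batch replaces the y/n prompts
  openssl ca -batch -config "$1/openssl.cnf" -policy policy_anything -cert "$1/certs/ca.cer" \
    -keyfile "$1/keys/ca.key" -in "$2" -days 360 -out "$3" >/dev/null 2>&1
}

verify_leaf() {    # prints OK when certificate $2 chains to the CA kept in $1
  openssl verify -CAfile "$1/certs/ca.cer" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}
demo() {    # end-to-end run; prints OK on success
  work=$(mktemp -d); setup_ca "$work"
  openssl req -config "$work/openssl.cnf" -new -newkey rsa:2048 -nodes -keyout "$work/keys/iis.key" \
    -subj "/C=GB/O=Example Site/CN=ssl.example.test" -out "$work/requests/certreq.txt" 2>/dev/null
  sign_request "$work" "$work/requests/certreq.txt" "$work/certs/iis.cer"
  result=$(verify_leaf "$work" "$work/certs/iis.cer"); rm -rf "$work"; echo "$result"
}
```

Only subject fields listed in the policy section are copied into the issued certificate; any others in the request are silently dropped, so inspect the signed certificate's subject (openssl x509 -noout -subject) before installing it on the server.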