Using OpenSSL to create a certificate authority on Windows

Initial Setup
Create a working directory, we’ll assume c:openSSLwork. Then create the following folder structure:

work/
keys/
requests/
certs/

Create a config file, openssl.conf in the work directory using this content:


# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE = .rnd

####################################################################

[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

certs = certs # Where the issued certs are kept
crl_dir = crl # Where the issued crl are kept
database = database.txt # database index file.
new_certs_dir = certs # default place for new certs.

certificate = cacert.pem # The CA certificate
serial = serial.txt # The current serial number
crl = crl.pem # The current CRL
private_key = privatecakey.pem # The private key
RANDFILE = privateprivate.rnd # private random number file

x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType



Create an empty database.txt file in the work directory.

Create a serial.txt file in the work directory that contains the following (the numbers 01 followed by RETURN):

01



Create Certificate Authority Stuff
  1. Create a 1024-bit private key for use in creating the CA (this will prompt you for a password; remember it, as you’ll need it when you’re signing certs!):
    ..binopenssl genrsa -des3 -out keysca.key 1024
  2. Create a master certificate based on this key (for use in signing other certs):
    ..binopenssl req -config openssl.conf -new -x509 -days 1001 -key keysca.key -out certsca.cer
  3. Export the CA cert in a DER file for windows users to import into their Trusted Root Store:
    ..binopenssl x509 -in certsca.cer -outform DER -out certsca.der
At this point your CA should now be setup.
Create a batch file for handling certificate requests
Since you’ll presumably be handling many certificate requests, here’s a windows batch file to automate the process (we’ll name it “ca_create_server_cert.bat”):


@echo off
REM This batch file is used to create server certificates from certificate request files.
REM USAGE: ca_create_server_cert.bat [inputfilename] [outputfile]
REM If either of the command line paramters are missing, you will be prompted for it.

SET basedir=c:openssl
if "%1"=="" (
SET /P requestfile="Enter certificate request filename (should already be in %basedir%workrequests): "
) ELSE (
SET requestfile=%1
)

if "%2"=="" (
SET /P outputfile="Enter output filename (with no extension): "
) ELSE (
SET outputfile=%2
)

REM change to the work directory
cd %basedir%work

echo requestfile=%requestfile%
echo outputfile=%outputfile%
echo binpath=%binpath%

REM create the certificate
%basedir%binopenssl ca -policy policy_anything -config openssl.conf -cert certsca.cer -in requests%requestfile% -keyfile keysca.key -days 730 -out certs%outputfile%.cer.TMP

REM convert it to an x509 format cert for IIS
%basedir%binopenssl x509 -in certs%outputfile%.cer.TMP -out certs%outputfile%_x509.cer

echo If there were no error messages, the new certificate is located in:
echo %basedir%workcerts%outputfile%_x509.cer
Signing a server certificate request
We’ll use IIS as the server in this example.
  • First create the server certificate request in IIS
  • Place the request file in the “requests” directory
  • Run ca_create_server_cert.bat and follow the prompts
  • Take the output certificate (.cer) file and install it in IIS


Shopping Cart
Scroll to Top