Initial Setup
Create a working directory, we’ll assume c:openSSLwork. Then create the following folder structure:
work/
keys/
requests/
certs/
Create a config file, openssl.conf in the work directory using this content:
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
certs = certs # Where the issued certs are kept
crl_dir = crl # Where the issued crl are kept
database = database.txt # database index file.
new_certs_dir = certs # default place for new certs.
certificate = cacert.pem # The CA certificate
serial = serial.txt # The current serial number
crl = crl.pem # The current CRL
private_key = privatecakey.pem # The private key
RANDFILE = privateprivate.rnd # private random number file
x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
Create an empty database.txt file in the work directory.
Create a serial.txt file in the work directory that contains the following (the numbers 01 followed by RETURN):
01
- Create a 1024-bit private key for use in creating the CA (this will prompt you for a password; remember it, as you’ll need it when you’re signing certs!):
..binopenssl genrsa -des3 -out keysca.key 1024
- Create a master certificate based on this key (for use in signing other certs):
..binopenssl req -config openssl.conf -new -x509 -days 1001 -key keysca.key -out certsca.cer
- Export the CA cert in a DER file for windows users to import into their Trusted Root Store:
..binopenssl x509 -in certsca.cer -outform DER -out certsca.der
@echo off
REM This batch file is used to create server certificates from certificate request files.
REM USAGE: ca_create_server_cert.bat [inputfilename] [outputfile]
REM If either of the command line paramters are missing, you will be prompted for it.
SET basedir=c:openssl
if "%1"=="" (
SET /P requestfile="Enter certificate request filename (should already be in %basedir%workrequests): "
) ELSE (
SET requestfile=%1
)
if "%2"=="" (
SET /P outputfile="Enter output filename (with no extension): "
) ELSE (
SET outputfile=%2
)
REM change to the work directory
cd %basedir%work
echo requestfile=%requestfile%
echo outputfile=%outputfile%
echo binpath=%binpath%
REM create the certificate
%basedir%binopenssl ca -policy policy_anything -config openssl.conf -cert certsca.cer -in requests%requestfile% -keyfile keysca.key -days 730 -out certs%outputfile%.cer.TMP
REM convert it to an x509 format cert for IIS
%basedir%binopenssl x509 -in certs%outputfile%.cer.TMP -out certs%outputfile%_x509.cer
echo If there were no error messages, the new certificate is located in:
echo %basedir%workcerts%outputfile%_x509.cer
- First create the server certificate request in IIS
- Place the request file in the “requests” directory
- Run ca_create_server_cert.bat and follow the prompts
- Take the output certificate (.cer) file and install it in IIS