Using OpenSSL for Windows to Create an SSL Certificate

Using OpenSSL for Windows to Create an SSL Certificate
This guide demonstrates how to create an SSL (Secure Socket Layer) certificate for a web based application. This does not include certificates for Internet facing applications. An SSL certificate is needed for an application or website that uses SSL. The guide assumes you already have a valid CA purchased and we will use that CA to sign a new request from. You can also read our article for Creating an SSL Self-CA Signed Certificate in Windows.
 
An SSL certificate is used to pass information from a host to client in an encrypted manner. This encryption provides superior security. Additionally, SSL provides authentication during a transfer, so you aren’t authenticating with someone you shouldn’t be. For Internet applications, this authentication is done through a master CA (Certificate of Authority). When you purchase an SSL, the SSL is signed with the domain name (example.com) and store in the purchaser’s master CA vault. At that point, Web Browsers verify your CA against other CA vaults to ensure it’s authentic in nature. This is extremely important for online credit card transactions.
 
SSL is important because it gains customers trust when browsing or performing an action. It also lets a user know they are performing a secure transaction or act on website or application. A visual indicator of SSL is green and a sitelock icon pictured like below.
 
Paypal SSL Solution Chicago
 
Credit Card transactions performed online required PCI (Payment Card Industry) compliance in order for a credit card merchant to process transactions. SSL plays a major part in this compliance.
 
Definitions:
Public Key: object you publish to the world to allow others to securely communicate with you over SSL
Private Key: the object you keep secret and allows you to encrypt and decrypt SSL communication.
 
To get started, we need to create a certificate signing request. You must know the exact URL of the website or application to create the SSL request for. In this example, we will renew a certificate for an application first by generating an SSL signing request.
 
Generate a Certificate Signing Request with IIS
  1. On the server with IIS, go to Administrator Tools -> Internet Information Services (IIS)
  2. Select the server name in the connections list.
  3. Server Connections
  4. Select Create Certificate Request in the actions menu on the left.
  5. Create Certificate Request
  6. You will be at the Distinguished Name Properties screen. It is absolutely important this information is as accurate as possible.
    1. Common Name: the complete fully qualified domain name for certificate
    2. Organization: Registered organization
    3. OU: department issuing certificate
    4. City: the city




    5. State: the state
    6. Country: country code
  7. Certificate Request Name Properties
  8. The next screen is Cryptographic Service Provider Properties
  9. Select the cryptographic service provider. The default is Microsoft RSA SChannel Cryptographic Provider.
  10. It is recommended to use 2048 bit-length or higher.
  11. Request Certificate
  12. Next, name the certificate request csr.txt
  13. Certificate File Name Solution Chicago
Now, we will use OpenSSL to create an internal signing request. If this request was for an external, Internet facing application, the request would be sent to the public CA issuer and then returned to you with a certificate file.
 
 
Signing the Certificate Request
  1. Download the OpenSSL binaries located here
  2. Install. You may need to install Microsoft Visual C++ 2008 Redistributables as SSL relies on this package.
  3. Now, create a new folder on your desktop. Call it certs.
  4. Next, open a windows command prompt. Start -> type cmd in run.
  5. Set 2 items
    1. In command prompt, type cd \certs
    2. In command prompt, set OpenSSL default folder.
    3. Type set RANDFILE=c:\certs\.rnd
    4. Type set OPENSSL_CONF=C:\OpenSSL-Win32\bine\openssl.cfg
  6. Ok, now run OpenSSL. Type c:\OpenSSL-Win32\bin\openssl.exe
  7. You will be at OpenSSL> prompt in command prompt similar to below.{loadposition adinarticlebottom
  8. SSL Prompt CMD Windows
  9. Commands to sign the request vary based on your requirements, but we can sign this request using the following parameters
    1. ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in /certs/csr.txt -keyfile keys/ca.key -days 3600 -out certs/iis.cer
    2. We signing the public key of the certificate with the organizations trusted root certificate, for example, *becomethesolution.com.
  10. You will recvieve a similar prompt 1 out of 1 certificate requests certified, commit?
  11. Type y
  12. Then you receive message Write out database with 1 new entries – Data Base updated
  13. Go back into IIS -> Directory Security and select Server Certificate button.
  14. Browse the new certificate by OpenSSL
  15. Use the default port number 443
  16. Click Finish.
  17. Now we need to export the certificate for where it will be used to be installed.
  18. In IIS, go to Website Properties -> Directory Security Tab -> View Certificate
  19. Certificate Details Windows
  20. Click on Details then click in bottom right Copy to File…
  21. Certificate Details Windows Chicago Solution
  22. Click next. Select Yes, export the private key. This is a critical step. Failing to do so will cause the SSL to fail.
  23. Certificate Export Wizard Windows
  24. Uncheck Enable Strong Protection and click next. The 3 checkboxes below should be not be checked pictured below.
  25. Cerificate Export Personal Information Windows
  26. You are prompted for a password. Type in something for this.
  27. Finally, choose an export path. The default file type will be a PFX file. Some systems, such as Unix, have a difficult time handling these file types. You can go to SSL Converter and select from other file types including PEM/DER/P7B.
  28. You're done!

*Remember* - you can purchase your Certificate of Authority now at our online store located here

 

* Please use the comment form below. Comments are moderated.*



Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 19 December 2024