Saturday, July 11, 2009

Using OpenSSL to create a certificate authority on Windows

I've used OpenSSL to create certificates for testing on my windows machines. I'll outline the basic steps I followed to setup OpenSSL and use it to sign certificate requests. I found Dylan Beattie's how-to very useful in getting this working.

These instructions assume Windows XP, and that you have some basic knowledge of the IIS web server.

First, install OpenSSL. You can download a Windows installer and binaries here.

Initial Setup
Create a working directory, we'll assume c:\openSSL\work. Then create the following folder structure:




work/
keys/
requests/
certs/
Create a config file, openssl.conf in the work directory using this content:




# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#

RANDFILE = .rnd

####################################################################

[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

certs = certs # Where the issued certs are kept
crl_dir = crl # Where the issued crl are kept
database = database.txt # database index file.
new_certs_dir = certs # default place for new certs.

certificate = cacert.pem # The CA certificate
serial = serial.txt # The current serial number
crl = crl.pem # The current CRL
private_key = private\cakey.pem # The private key
RANDFILE = private\private.rnd # private random number file

x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType


Create an empty database.txt file in the work directory.

Create a serial.txt file in the work directory that contains the following (the numbers 01 followed by RETURN):


01



Create Certificate Authority Stuff

  1. Create a 1024-bit private key for use in creating the CA (this will prompt you for a password; remember it, as you'll need it when you're signing certs!):
    ..\bin\openssl genrsa -des3 -out keys\ca.key 1024
  2. Create a master certificate based on this key (for use in signing other certs):
    ..\bin\openssl req -config openssl.conf -new -x509 -days 1001 -key keys\ca.key -out certs\ca.cer
  3. Export the CA cert in a DER file for windows users to import into their Trusted Root Store:
    ..\bin\openssl x509 -in certs\ca.cer -outform DER -out certs\ca.der

At this point your CA should now be setup.

Create a batch file for handling certificate requests

Since you'll presumably be handling many certificate requests, here's a windows batch file to automate the process (we'll name it "ca_create_server_cert.bat"):



@echo off
REM This batch file is used to create server certificates from certificate request files.
REM USAGE: ca_create_server_cert.bat [inputfilename] [outputfile]
REM If either of the command line paramters are missing, you will be prompted for it.

SET basedir=c:\openssl\
if "%1"=="" (
SET /P requestfile="Enter certificate request filename (should already be in %basedir%\work\requests): "
) ELSE (
SET requestfile=%1
)

if "%2"=="" (
SET /P outputfile="Enter output filename (with no extension): "
) ELSE (
SET outputfile=%2
)

REM change to the work directory
cd %basedir%\work

echo requestfile=%requestfile%
echo outputfile=%outputfile%
echo binpath=%binpath%

REM create the certificate
%basedir%bin\openssl ca -policy policy_anything -config openssl.conf -cert certs\ca.cer -in requests\%requestfile% -keyfile keys\ca.key -days 730 -out certs\%outputfile%.cer.TMP

REM convert it to an x509 format cert for IIS
%basedir%bin\openssl x509 -in certs\%outputfile%.cer.TMP -out certs\%outputfile%_x509.cer

echo If there were no error messages, the new certificate is located in:
echo %basedir%work\certs\%outputfile%_x509.cer

Signing a server certificate request

We'll use IIS as the server in this example.

  • First create the server certificate request in IIS
  • Place the request file in the "requests" directory
  • Run ca_create_server_cert.bat and follow the prompts
  • Take the output certificate (.cer) file and install it in IIS



5 comments:

  1. Thanks alot Man, you really helped me with this post.

    ReplyDelete
  2. One thanks a year hardly suffices.
    Still, better than nothing: Thank you from me as well :)

    ReplyDelete
  3. Absolutely perfect! Thank you! I've tried several walkthroughs and yours is by far the clearest to follow.

    ReplyDelete
  4. And again, thanks from me. Got this working a treat. Shame the Brocade switches don't like the self signed certs!

    ReplyDelete
  5. How to generate an RSA public/private key pair for the Certification Authority (CA).

    ReplyDelete