These instructions assume Windows XP, and that you have some basic knowledge of the IIS web server.
First, install OpenSSL. You can download a Windows installer and binaries here.
Initial Setup
Create a working directory, we'll assume c:\openSSL\work. Then create the following folder structure:
Create a config file, openssl.conf in the work directory using this content:work/
keys/
requests/
certs/
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
certs = certs # Where the issued certs are kept
crl_dir = crl # Where the issued crl are kept
database = database.txt # database index file.
new_certs_dir = certs # default place for new certs.
certificate = cacert.pem # The CA certificate
serial = serial.txt # The current serial number
crl = crl.pem # The current CRL
private_key = private\cakey.pem # The private key
RANDFILE = private\private.rnd # private random number file
x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
Create an empty database.txt file in the work directory.
Create a serial.txt file in the work directory that contains the following (the numbers 01 followed by RETURN):
01
Create Certificate Authority Stuff
- Create a 1024-bit private key for use in creating the CA (this will prompt you for a password; remember it, as you'll need it when you're signing certs!):
..\bin\openssl genrsa -des3 -out keys\ca.key 1024 - Create a master certificate based on this key (for use in signing other certs):
..\bin\openssl req -config openssl.conf -new -x509 -days 1001 -key keys\ca.key -out certs\ca.cer - Export the CA cert in a DER file for windows users to import into their Trusted Root Store:
..\bin\openssl x509 -in certs\ca.cer -outform DER -out certs\ca.der
At this point your CA should now be setup.
Create a batch file for handling certificate requests
Since you'll presumably be handling many certificate requests, here's a windows batch file to automate the process (we'll name it "ca_create_server_cert.bat"):
@echo off
REM This batch file is used to create server certificates from certificate request files.
REM USAGE: ca_create_server_cert.bat [inputfilename] [outputfile]
REM If either of the command line paramters are missing, you will be prompted for it.
SET basedir=c:\openssl\
if "%1"=="" (
SET /P requestfile="Enter certificate request filename (should already be in %basedir%\work\requests): "
) ELSE (
SET requestfile=%1
)
if "%2"=="" (
SET /P outputfile="Enter output filename (with no extension): "
) ELSE (
SET outputfile=%2
)
REM change to the work directory
cd %basedir%\work
echo requestfile=%requestfile%
echo outputfile=%outputfile%
echo binpath=%binpath%
REM create the certificate
%basedir%bin\openssl ca -policy policy_anything -config openssl.conf -cert certs\ca.cer -in requests\%requestfile% -keyfile keys\ca.key -days 730 -out certs\%outputfile%.cer.TMP
REM convert it to an x509 format cert for IIS
%basedir%bin\openssl x509 -in certs\%outputfile%.cer.TMP -out certs\%outputfile%_x509.cer
echo If there were no error messages, the new certificate is located in:
echo %basedir%work\certs\%outputfile%_x509.cer
Signing a server certificate request
We'll use IIS as the server in this example.
- First create the server certificate request in IIS
- Place the request file in the "requests" directory
- Run ca_create_server_cert.bat and follow the prompts
- Take the output certificate (.cer) file and install it in IIS
