Monday, March 18, 2013

company CA without a cert server

For those who administer a network, sometimes you need to create a root certificate. This can be for an internal web server, for deploying internal software, or for other reasons. In many places you have a server set up whose sole purpose is to generate SSL and maybe other certificates for the company. If you don't want to dedicate an entire server to this task, because you don't need to be constantly generating new certificates, there is an alternative.

OpenSSL is an open source program (hence the Open part) that allows you to generate SSL certificates, everything from a root certificate (for your company root CA) to a regular certificate that's signed by the root CA.

If you're on a Linux machine, do your usual apt-get install openssl or yum install openssl, and skip the next paragraph, which covers Windows.

If you're on Windows, you'll need to go to:, and follow the links until you can download the OpenSSL binary (full version) for Windows at (you may need to download and install the Visual C++ redistributable). You'll also want to add c:\openssl-win32\bin to your system's PATH or have the DLLs installed to the c:\windows\system32 directory.

To create a root certificate, go to the c:\openssl-win32\bin directory and type:
openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650 -config openssl.cfg
- leave the e-mail address blank.
- the above root CA will be valid for 13 years.

Make the following directories under c:\openssl-win32\bin: demoCA, demoCA\newcerts, and demoCA\private,
so you should have c:\openssl-win32\bin\demoCA\newcerts as one of your paths.

Move the *-ca.crt file to demoCA and the *-ca.key file to demoCA\private.
In the openssl.cfg file (the one passed to -config above), go to the CA_default section and make sure that private_key = $dir/private/my-ca.key
and change certificate = $dir/my-ca.crt
(change my-ca.key and my-ca.crt to whatever you typed in the openssl command above).

From the c:\openssl-win32\bin directory, type echo 01 > demoCA\serial
and in Explorer navigate to the demoCA folder and create a new, empty text file
named index.txt (don't put anything in it).

To create server certificates for WSUS:
openssl req -nodes -new -keyout servername.key -out servername.csr -days 1825 -config openssl.cfg
For Common Name enter
Leave the email address blank, and hit enter for the challenge password and optional company name.

Then sign it using the CA (certifies for 5 years; the file names must match the CSR you created above):
openssl ca -out servername.crt -in servername.csr -days 1825 -config openssl.cfg

Then export it to PFX format for IIS (the root certificate was moved to demoCA above, so point -certfile there):
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt -certfile demoCA\my-ca.crt
Type in a password for the PFX.
Ignore the message about "unable to write 'random state'".
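The whole procedure above scripted end to end, with the check the post skips (verifying the signed certificate against the new root), as an added example that is not part of the original post. It is a POSIX shell script and assumes openssl is on the PATH; the working directory, host name and PFX password are placeholders.

```shell
#!/bin/sh
# Added example (not the post's code): the post's CA workflow, run
# non-interactively, plus the chain check the post leaves out.
set -eu
# Minimal config with the CA_default edits the post makes by hand, plus a server profile adding a SAN.
write_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/my-ca.crt
private_key = $dir/private/my-ca.key
default_md = sha256
policy = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::SERVER_CN}
EOF
}
# $1 = working directory, $2 = server host name (constructed values in the
# test). Returns 0 only if the signed cert verifies against the new root.
build_ca_and_sign() {
  cd "$1" && mkdir -p demoCA/newcerts demoCA/private
  echo 01 > demoCA/serial && : > demoCA/index.txt
  write_config openssl.cfg
  export SERVER_CN="$2"
  openssl req -nodes -new -x509 -keyout demoCA/private/my-ca.key \
    -out demoCA/my-ca.crt -days 3650 -subj "/CN=Company Root CA" -config openssl.cfg
  openssl req -nodes -new -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" -config openssl.cfg
  openssl ca -batch -in "$2.csr" -out "$2.crt" -days 1825 -config openssl.cfg
  openssl pkcs12 -export -out "$2.pfx" -inkey "$2.key" -in "$2.crt" \
    -certfile demoCA/my-ca.crt -passout pass:changeit   # pfx password is a placeholder
  openssl verify -CAfile demoCA/my-ca.crt "$2.crt"
}
```

Run it as build_ca_and_sign /path/to/workdir wsus.example.internal; the last line prints "wsus.example.internal.crt: OK" when the chain is good.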
