OpenSSL is an open source program (hence the Open part), that allows you to generate SSL certificates, everything from a root certificate (for your company root CA), to a regular certificate that's signed by the root CA.
If you're on a linux machine do your usual apt-get install openssl or yum install openssl, and skip the next paragraph for windows.
If you're on windows, you'll need to go to: http://www.openssl.org/related/binaries.html, and follow the links till you can download the openssl binary (full version) for window at http://slproweb.com/products/Win32OpenSSL.html (you may need to download and install the visual C++ redistrutable). You'll also want to add c:\openssl-win32\bin to your system's path or have the DLL's installed to the c:\windows\system32 directory.
To create a root certificate go to the c:\openssl-win32\bin directory and type:
openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650 -config openssl.cfg
-leave the e-mail address blank.
-the above root ca will be valid for 13 years.
make the following directories, demoCA, demoCA\newcerts, and demoCA\private
so you should have c:\openssl-win32\bin\demoCA\newcerts as one of your paths
move the *-ca.crt file to demoCA
the *-ca.key file to demoCA\private
in the openssl.cnf file go to the CA_default section and make sure that private_key = $dir/private/my-ca.key
and change certificate = $dir/my-ca.crt
(change my-ca.key to whatever you typed in the openssl command above)
type echo 01 > \demoCA\serial
and in explorer navigate to the demoCA folder and create a new text file
and name it index.txt (don't put anything in it).
to create server certificates for wsus:
openssl req -nodes -new -keyout servername.key -out servername.csr -days 1825 -config openssl.cfg
for Common Name enter servername.company.com
leave email address blank, and hit enter for challenge password and optional company name.
then sign it using the ca (certifies for 5 yesrs)
openssl ca -out server.crt -in server.csr -days 1825 -config openssl.cfg
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile my-ca.crt
type in a password for the pfx
ignore message about "unable to write 'random state'