Make an SSL Certificate



Tools Required:

OpenSSL Binaries

Part 1. Install and configure the OpenSSL toolkit

1. Get OpenSSL from the address above, and run the installer, accepting the defaults. These instructions assume OpenSSL is installed in C:\OpenSSL.

2. Add "C:\OpenSSL\bin;" with quotes to your system path (Start > Advanced > Environment Variables > Path) - this isn't strictly necessary but it makes things a lot easier. Make sure you don't delete any entries!!!!!

3. Create a working directory - here, we'll use C:\ssl as our working folder.

4. Copy this openssl.conf into your working folder:

# Original source unknown.
# Modified 2004-07-20 by b0b

RANDFILE  = .rnd

####################################################################
[ ca ]
default_ca	= CA_default  # The default ca section

####################################################################
[ CA_default ]

certs  = certs 	 # Where the issued certs are kept
crl_dir  = crl 	 # Where the issued crl are kept
database	= database.txt  # database index file.
new_certs_dir	= certs 	 # default place for new certs.

certificate	= cacert.pem      # The CA certificate
serial  = serial.txt 	 # The current serial number
crl  = crl.pem 	 # The current CRL
private_key	= private\cakey.pem    # The private key
RANDFILE	= private\private.rnd  # private random number file

x509_extensions	= x509v3_extensions	# The extensions to add to the cert
default_days	= 365 	 # how long to certify for
default_crl_days= 30 	 # how long before next CRL
default_md	= md5 	 # which md to use.
preserve	= no 	 # keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy  = policy_match

# For the CA policy
[ policy_match ]
countryName  = match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= match
commonName  = supplied
emailAddress  = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName  = optional
stateOrProvinceName	= optional
localityName  = optional
organizationName	= optional
organizationalUnitName	= optional
commonName  = supplied
emailAddress  = optional

####################################################################
[ req ]
default_bits  = 1024
default_keyfile  = privkey.pem
distinguished_name	= req_distinguished_name
attributes  = req_attributes

[ req_distinguished_name ]
countryName 	 = Country Name (2 letter code)
countryName_min 	 = 2
countryName_max 	 = 2
stateOrProvinceName  = State or Province Name (full name)
localityName 	 = Locality Name (eg, city)
0.organizationName  = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName 	 = Common Name (eg, your website's domain name)
commonName_max 	 = 64
emailAddress 	 = Email Address
emailAddress_max  = 40

[ req_attributes ]
challengePassword  = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20

[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType 	 = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType

5. Set up the directory structure and files required by OpenSSL:

C:\ssl>md keys

C:\ssl>md requests

C:\ssl>md certs

6. Create the file database.txt - an empty (zero-byte) text file. This can be done using the 'touch' command if you have it, or by creating an empty file manually (^Z means pressing Ctrl+Z):

c:\ssl>copy con database.txt
^Z

C:\ssl>

MS-DOS veterans will recognise this particular invocation. We're copying from CON (the console) to a file called database.txt, and that's a Control-Z end-of-file character on the first line. This should produce a zero-byte file called c:\ssl\database.txt.

7. Create the serial number file serial.txt. This is a plain ASCII file containing the string "01" on the first line, followed by a newline. Again, we can use a little bit of ancient DOS magic:

C:\ssl>copy con serial.txt
01
^Z

C:\ssl>
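Steps 4 to 7 describe the openssl.conf layout and the working directory it expects. The following script, added here as an example and not part of the original post, parses the post's config format (plain "key = value" lines under "[ section ]" headers, with "#" comments; it does not handle OpenSSL's $variable expansion), follows [ca] default_ca to the section openssl ca will use, creates the directories and seed files that section refers to portably (an empty database.txt and a serial.txt holding "01" plus a newline, replacing the copy con trick), and flags the two settings in the post's config that a reviewer would change before using it today (default_md = md5 and default_bits = 1024). SAMPLE_CONF is a constructed excerpt of the post's file.

```python
"""Parse an openssl.conf, resolve the CA section, set up the CA directory.

Added example, not the original poster's code. Assumes the simple
"key = value" section syntax used in the post (no $var expansion)."""
import os
import tempfile

# Constructed excerpt of the post's openssl.conf.
SAMPLE_CONF = """\
RANDFILE = .rnd
[ ca ]
default_ca = CA_default  # The default ca section
[ CA_default ]
certs = certs            # Where the issued certs are kept
crl_dir = crl            # Where the issued crl are kept
database = database.txt  # database index file.
new_certs_dir = certs    # default place for new certs.
serial = serial.txt      # The current serial number
private_key = private\\cakey.pem    # The private key
default_md = md5         # which md to use.
[ req ]
default_bits = 1024
"""

WEAK_DIGESTS = {"md4", "md5", "sha1"}


def parse_openssl_conf(text):
    """Return {section: {key: value}}. Keys before the first [section]
    land in the "" (default) section; trailing '#' comments are stripped."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def ca_section(conf):
    """Follow [ca] default_ca to the section 'openssl ca' actually reads."""
    return conf[conf["ca"]["default_ca"]]


def set_up_ca_dir(conf, root):
    """Create the directories and seed files the CA section names (steps 5-7).
    database.txt must be zero bytes; serial.txt holds "01" and a newline."""
    ca = ca_section(conf)
    for key in ("certs", "crl_dir", "new_certs_dir"):
        os.makedirs(os.path.join(root, ca[key]), exist_ok=True)
    # private\cakey.pem -> create the 'private' folder it lives in
    key_dir = os.path.dirname(ca["private_key"].replace("\\", os.sep))
    if key_dir:
        os.makedirs(os.path.join(root, key_dir), exist_ok=True)
    for extra in ("keys", "requests"):   # the post's own working folders
        os.makedirs(os.path.join(root, extra), exist_ok=True)
    database = os.path.join(root, ca["database"])
    open(database, "wb").close()         # zero-byte index file
    serial = os.path.join(root, ca["serial"])
    with open(serial, "w", newline="\n") as fh:   # LF even on Windows
        fh.write("01\n")
    return {"database": database, "serial": serial}


def audit(conf):
    """Flag settings a reviewer would want changed before using this CA."""
    findings = []
    md = ca_section(conf).get("default_md", "").lower()
    if md in WEAK_DIGESTS:
        findings.append(f"default_md = {md}: use sha256 or stronger")
    bits = int(conf.get("req", {}).get("default_bits", "0"))
    if bits < 2048:
        findings.append(f"default_bits = {bits}: use at least 2048")
    return findings


def demo(root=None):
    """Run the whole procedure in a scratch directory and report the result."""
    conf = parse_openssl_conf(SAMPLE_CONF)
    root = root or tempfile.mkdtemp(prefix="ssl-")
    paths = set_up_ca_dir(conf, root)
    with open(paths["serial"], "rb") as fh:
        serial_bytes = fh.read()
    return {
        "root": root,
        "database_size": os.path.getsize(paths["database"]),
        "serial_bytes": serial_bytes,
        "dirs": sorted(d for d in os.listdir(root)
                       if os.path.isdir(os.path.join(root, d))),
        "findings": audit(conf),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the layout it builds in a temporary folder, or call demo("C:\\ssl") to populate the working folder the post uses. The audit step is the reason to parse rather than just copy the file: the post's config silently selects MD5 signatures and 1024-bit keys, both of which a browser or CA program will reject today.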

Part 2. Set up a Certificate Authority (CA)

1. First, we create a 1024-bit private key to use when creating our CA:

C:\ssl>openssl genrsa -out keys/ca.key 1024

Loading 'screen' into random state - done
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...........++++++
..................++++++
e is 65537 (0x10001)

2. Next, we create a master certificate based on this key, to use when signing other certificates. Change the Distinguished Name data to what you want, along with the validity period (-days 1001 here; up to 9999 days):

C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Using configuration from openssl.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:Unknown
Locality Name (eg, city) []: Unknown
Organization Name (eg, company) []:Unknown
Organizational Unit Name (eg, section) []:Unknown
Common Name (eg, your websites domain name) []:www.neowin.net
Email Address []:admin@gmail.com

Your Keys are in the /certs/ directory.

Edited by b0b

If you have multiple email addresses, would you be able to make multiple Certs specifying each address?

Great Document BTW - gonna try this here in a short while and get it working....

You can have only 1 SSL Cert per IP normally. Otherwise you can use a "shared" general SSL Cert on a shared IP. Also you can use only 1 email per cert and only 1 cert per IP as I understand it. So no.


Figures. Thanks for the quick response.

I only wanted 2 - I have my online persona (like this one) and my real name - between the two of the buggers I have 18 email addresses, but that would be entirely too many certificates...


This works on Mac OSX with OpenSSL installed as well, I just had to remove the spaces between the key, equals sign and value in openssl.conf, e.g.

emailAddress = optional

becomes

emailAddress=optional

Also, good guide, I'm bookmarking it too.


Wow. Looks like people really understood this one. I tried to make it as easy as I could, looks like it worked really well.

If you have an idea for a guide, PM me.


I followed the instructions above and these messages appeared on my screen. I've been to websites where it asks if I trust their website, I'm assuming that's similar to this scenario?

Is this normal or is it a problem? Did anyone else get this?



kizzaaa, try this. See if this works:

openssl req -config openssl.cnf -new -out my-server.csr

This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.

You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:

openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

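The reply above makes two points worth checking mechanically: a key that has had its passphrase removed with openssl rsa must be readable only by the web server and the administrator, and the certificate's Common Name must match the server's host name or browsers will complain. The script below is an added example, not code from the thread: it detects whether a PEM key is still passphrase-protected (by the legacy Proc-Type header openssl genrsa -des3 writes, or the PKCS#8 ENCRYPTED marker), checks the file's POSIX permission bits after writing it with mode 0600, and implements the browser name-matching rule (case-insensitive exact match; a leading "*." covers exactly one label and never the bare domain or a top-level domain alone). The key texts are constructed placeholders with dummy base64, not real keys; the function names are this example's own.

```python
"""Audit a passphrase-stripped server key and check CN/host name matching.

Added example, not from the thread. Key material below is a constructed
placeholder (dummy base64), only the PEM headers matter for the check."""
import os
import stat
import tempfile

# Constructed placeholders: the header shapes OpenSSL writes, dummy body.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""


def key_is_encrypted(pem_text):
    """True if the PEM key still carries a passphrase. 'openssl rsa -in
    privkey.pem -out my-server.key' (the reply's step) produces the plain form."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)


def key_permissions_ok(path):
    """On POSIX, True only if group and other have no access bits (e.g. 0600).
    Returns None where st_mode does not carry those bits (Windows ACLs)."""
    if os.name != "posix":
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def hostname_matches(cert_name, hostname):
    """Browser-style name matching: case-insensitive, and a leading '*.'
    matches exactly one label, never the bare domain or a TLD alone."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]                      # "*.my-server.dom" -> ".my-server.dom"
    if suffix.count(".") < 2:                   # refuse "*.dom"
        return False
    head, sep, rest = hostname.partition(".")
    return bool(head) and sep == "." and "." + rest == suffix


def audit_key_file(pem_text, root):
    """Write the key the way the reply advises (owner-only) and audit it."""
    path = os.path.join(root, "my-server.key")
    with open(path, "w") as fh:
        fh.write(pem_text)
    os.chmod(path, 0o600)                       # only owner may read/write
    return {"path": path,
            "encrypted": key_is_encrypted(pem_text),
            "perms_ok": key_permissions_ok(path)}


def demo(root=None):
    """Audit the constructed plain key in a scratch directory."""
    root = root or tempfile.mkdtemp(prefix="ssl-")
    return audit_key_file(PLAIN_KEY, root)


if __name__ == "__main__":
    print(demo())
    for name, host in [("www.my-server.dom", "WWW.my-server.dom"),
                       ("*.my-server.dom", "www.my-server.dom"),
                       ("*.my-server.dom", "my-server.dom")]:
        print(f"{name!r} vs {host!r}: {hostname_matches(name, host)}")
```

A key that audits as encrypted=False and perms_ok=False is the combination the reply warns about: anyone who can read the file can impersonate the server. The name check is the same reason kizzaaa's self-signed certificate prompts a warning when the Common Name and the URL's host differ.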


I keep getting the following error when I begin step 2.

'openssl' is not recognized as an internal or external command, operable program or batch file.

Looks like others have been successful so I must have done something wrong. Can anyone help?


I keep getting the following error when I begin step 2.

Looks like others have been successful so I must have done something wrong. Can anyone help?


Heh, I got that too. Then I realized it was a problem with the idiot at the keyboard. When you follow the link at the top of this page, you get not the default OpenSSL, but the Win32 OpenSSL Installer, which by default installs the program into the

C:/Openssl/bin/

directory. Try launching it from there instead.

Actually, move the files you created in the first steps to that dir first, then launch it.

If you're still having probs, it's likely due to Windows' AutoDial proggy stealing the .conf/.cnf extension. I made my file in Notepad and saved it as openssl.conf, and even after I unregistered SpeedDial to the extension, the file was renamed openssl.conf.con, which of course won't work. So at the cmd line, just

ren openssl.conf.con openssl.conf

to fix it. NOW run the program.

(I relearned more in those five minutes than I forgot since DOS 6)

Hope this helps.


C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer gives me errors.

Which was because it didn't see it as openssl.conf but openssl.conf.txt

I am getting the same things as kizzaaa and I don't have a server either. What should I do?

Edited by Azadre
