Ultra Frosty, posted July 21, 2004 (edited)

Tools Required: OpenSSL Binaries

Part 1. Install and configure the OpenSSL toolkit

1. Get OpenSSL from the address above, and run the installer, accepting the defaults. These instructions assume OpenSSL is installed in C:\OpenSSL.

2. Add "C:\OpenSSL\bin;" with quotes to your system path (Start > Advanced > Environment Variables > Path). This isn't strictly necessary, but it makes things a lot easier. Make sure you don't delete any entries!

3. Create a working directory. Here, we'll use C:\ssl as our working folder.

4. Save this copy of openssl.conf to your working folder.

    # Original source unknown.
    # Modified 2004-07-20 by b0b

    RANDFILE = .rnd

    ####################################################################
    [ ca ]
    default_ca = CA_default                # The default ca section

    ####################################################################
    [ CA_default ]
    certs = certs                          # Where the issued certs are kept
    crl_dir = crl                          # Where the issued crl are kept
    database = database.txt                # database index file.
    new_certs_dir = certs                  # default place for new certs.
    certificate = cacert.pem               # The CA certificate
    serial = serial.txt                    # The current serial number
    crl = crl.pem                          # The current CRL
    private_key = private/cakey.pem        # The private key (forward slash: a backslash is an escape character in OpenSSL config files)
    RANDFILE = private/private.rnd         # private random number file
    x509_extensions = x509v3_extensions    # The extensions to add to the cert
    default_days = 365                     # how long to certify for
    default_crl_days = 30                  # how long before next CRL
    default_md = md5                       # which md to use. md5 is no longer safe for signatures; use sha256 on any OpenSSL that has it.
    preserve = no                          # keep passed DN ordering

    # A few different ways of specifying how similar the request should look.
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy = policy_match

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = match
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    ####################################################################
    [ req ]
    default_bits = 1024
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    0.organizationName = Organization Name (eg, company)
    organizationalUnitName = Organizational Unit Name (eg, section)
    commonName = Common Name (eg, your website's domain name)
    commonName_max = 64
    emailAddress = Email Address
    emailAddress_max = 40

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20

    [ x509v3_extensions ]
    # under ASN.1, the 0 bit would be encoded as 80
    # nsCertType = 0x40
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    #nsCertSequence
    #nsCertExt
    #nsDataType

5. Set up the directory structure and files required by OpenSSL:

    C:\ssl>md keys
    C:\ssl>md requests
    C:\ssl>md certs

6. Create the file database.txt, an empty (zero-byte) text file. This can be done using the 'touch' command if you have it, or by creating an empty file manually (^ is made using CTRL):

    C:\ssl>copy con database.txt
    ^Z
    C:\ssl>

MS-DOS veterans will recognise this particular invocation. We're copying from CON (the console) to a file called database.txt, and that's a Control-Z end-of-file character on the first line. This should produce a zero-byte file called C:\ssl\database.txt.

7. Create the serial number file serial.txt. This is a plain ASCII file containing the string "01" on the first line, followed by a newline. Again, we can use a little bit of ancient DOS magic:

    C:\ssl>copy con serial.txt
    01
    ^Z
    C:\ssl>

Part 2. Set up a Certificate Authority (CA)

1. First, we create a 1024-bit private key to use when creating our CA:

    C:\ssl>openssl genrsa -out keys/ca.key 1024
    Loading 'screen' into random state - done
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    ...........++++++
    ..................++++++
    e is 65537 (0x10001)

2. Next, we create a master certificate based on this key, to use when signing other certificates. Change the Distinguished Name data to what you want, along with the days (-days 1001; up to 9999 days):

    C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer
    Using configuration from openssl.conf
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:US
    State or Province Name (full name) []:Unknown
    Locality Name (eg, city) []:Unknown
    Organization Name (eg, company) []:Unknown
    Organizational Unit Name (eg, section) []:Unknown
    Common Name (eg, your websites domain name) []:www.neowin.net
    Email Address []:admin@gmail.com

Your keys are in the /certs/ directory.

Edited July 21, 2004 by b0b
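The Part 1 and Part 2 procedure above as one script, added here as an example; it is not code from the original post. It builds the working directory, creates the CA, and then does the step the post stops at: signing a server certificate with that CA and checking that the result chains back to it and carries the right hostname. Assumptions are mine, not the post's: an openssl binary on the PATH, a POSIX shell, and invented names (the hostname www.example.test, the CA name "Neowin Test CA", the working directory given on the command line). The post's 1024-bit key and md5 digest are replaced with 2048-bit RSA and SHA-256, as the comments note.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the Part 1 / Part 2
# procedure non-interactively, then signs and verifies a server certificate.
# Assumptions (mine): 'openssl' on PATH, a POSIX shell, and the invented
# names used below. Paths use '/', which the Win32 binaries also accept.
set -eu

# Part 1, steps 5-7: the directory tree, the empty database and serial "01".
prepare_workdir() {
    mkdir -p "$1/keys" "$1/requests" "$1/certs"
    : > "$1/database.txt"            # zero-byte file, as 'copy con' produced
    printf '01\n' > "$1/serial.txt"  # first serial number, as in the post
}

# Part 2: CA key and self-signed CA certificate. Deliberate changes from the
# post: 2048-bit RSA and SHA-256 instead of 1024-bit and md5, plus an explicit
# CA:TRUE basicConstraints so modern verifiers accept it as an issuer.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
C  = US
O  = Example
CN = Neowin Test CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$1/keys/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1001 -config "$1/ca.cnf" \
        -key "$1/keys/ca.key" -out "$1/certs/ca.cer"
}

# The step the post leaves out: server key, CSR, and a CA-signed certificate.
# The hostname goes into subjectAltName, which is what browsers match on.
# -CAserial reads serial.txt and writes the incremented value back.
issue_server_cert() {
    dir=$1; host=$2
    cat > "$dir/requests/$host.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = server_dn
[ server_dn ]
C  = US
O  = Example
CN = $host
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl genrsa -out "$dir/keys/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/requests/$host.cnf" \
        -key "$dir/keys/$host.key" -out "$dir/requests/$host.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/requests/$host.csr" \
        -CA "$dir/certs/ca.cer" -CAkey "$dir/keys/ca.key" \
        -CAserial "$dir/serial.txt" \
        -extfile "$dir/requests/$host.cnf" -extensions v3_server \
        -out "$dir/certs/$host.cer" 2>/dev/null
}

# The check to run before installing anything: does the leaf chain to the
# CA, and does it carry the hostname it was issued for? Returns 0 on success.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/certs/ca.cer" "$dir/certs/$host.cer" >/dev/null &&
    openssl x509 -noout -text -in "$dir/certs/$host.cer" | grep -q "DNS:$host"
}

# Usage: sh make_ca.sh /path/to/workdir www.example.test
if [ $# -eq 2 ]; then
    prepare_workdir "$1"
    make_ca "$1"
    issue_server_cert "$1" "$2"
    verify_chain "$1" "$2" && echo "$2: chains to Neowin Test CA"
fi
```

database.txt stays empty because only openssl ca reads it; this script signs with openssl x509 -req, which needs just the serial file. After one run serial.txt holds the next number, ready for the next certificate.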
johngalt, posted July 22, 2004 (edited)

If you have multiple email addresses, would you be able to make multiple certs specifying each address?

Great document, BTW. Gonna try this here in a short while and get it working....

EDIT: I attached a PDF of the guide for ya to get. Neowin.net____Make_a_SSL_Certificate.pdf

Edited July 22, 2004 by johngalt
dotRoot, posted July 22, 2004

Quoting johngalt: "If you have multiple email addresses, would you be able to make multiple certs specifying each address? Great document, BTW. Gonna try this here in a short while and get it working...."

You can have only 1 SSL cert per IP normally. Otherwise you can use a "shared" general SSL cert on a shared IP. Also, you can use only 1 email per cert and only 1 cert per IP, as I understand it. So no.
johngalt, posted July 22, 2004

Figures. Thanks for the quick response. I only wanted 2. I have my online persona (like this one) and my real name; between the two of the buggers I have 18 email addresses, but that would be entirely too many certificates...
Colin-uk (Veteran), posted July 22, 2004

Interesting guide, thanks. I'm bookmarking. :)
The_Decryptor (Veteran), posted July 22, 2004

This works on Mac OS X with OpenSSL installed as well; I just had to remove the spaces between the key, equals sign and value in openssl.conf, e.g. emailAddress = optional becomes emailAddress=optional.

Also, good guide, I'm bookmarking it too.
futb0l, posted July 23, 2004

Thanks for this :)
hava333, posted August 3, 2004

Does this work with IIS v6?
dL, posted August 4, 2004

Can someone tell me what is the purpose of doing this?

dL
Steven, posted August 4, 2004

Quoting dL: "Can someone tell me what is the purpose of doing this?"

Not have to pay Verisign. ;)
b0se, posted October 29, 2004

How did I miss this? Excellent guide (Y)
Ultra Frosty (author), posted October 31, 2004

Wow. Looks like people really understood this one. I tried to make it as easy as I could; looks like it worked really well. If you have an idea for a guide, PM me.
temple_treefrog, posted November 1, 2004

Could this be used to create a Digital ID/Certificate for a POP email address?
Ultra Frosty (author), posted November 2, 2004

Quoting temple_treefrog: "Could this be used to create a Digital ID/Certificate for a POP email address?"

Yes, and secure SMTP.
temple_treefrog, posted November 2, 2004

Quoting Ultra Frosty: "Yes, and secure SMTP."

OMG, r u serious? That's so cool. I'm gunna download it now. :D Thanks.
temple_treefrog, posted November 2, 2004

I followed the instructions above and these messages appeared on my screen. I've been to websites where it asks if I trust their website; I'm assuming that's similar to this scenario? Is this normal or is it a problem? Did anyone else get this?
Ultra Frosty (author), posted November 2, 2004

kizzaaa, try this. See if this works:

    openssl req -config openssl.conf -new -out my-server.csr

This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

    openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the Apache server and the administrator. You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

    openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:

    openssl x509 -in my-server.cert -out my-server.der.crt -outform DER
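The self-signed path from the reply above, added here as an example; it is not code from the reply. The same commands run non-interactively, with the two checks the reply only warns about: that the passphrase really is gone from the key the web server will read, and that the DER file is the same certificate as the PEM one (compared by SHA-256 fingerprint, which is what a browser's certificate viewer shows). Assumptions are mine, not the reply's: an openssl binary on the PATH, a POSIX shell, a tiny request config written by the script (the reply uses the thread's openssl.conf), and the invented hostname and passphrase on the usage line.

```shell
#!/bin/sh
# Added example, not code from the reply above. Runs the reply's self-signed
# procedure non-interactively and checks the two things it warns about.
# Assumptions (mine): 'openssl' on PATH, a POSIX shell, and the invented
# hostname and passphrase passed on the command line.
set -eu

# Encrypted key + CSR, a passphrase-free copy of the key, a self-signed
# certificate, and its DER encoding. The thread's openssl.conf writes
# RANDFILE = .rnd into the working directory; it is removed, as the reply says.
make_selfsigned() {
    dir=$1; host=$2; pass=$3
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = $host
EOF
    openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$dir/privkey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/privkey.pem" \
        -passin "pass:$pass" -out "$dir/$host.csr"
    # 'openssl rsa' rewrites the key without encryption: anyone who can read
    # $host.key can impersonate the server, so restrict its permissions.
    openssl rsa -in "$dir/privkey.pem" -passin "pass:$pass" \
        -out "$dir/$host.key" 2>/dev/null
    chmod 600 "$dir/$host.key"
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.cert" 2>/dev/null
    openssl x509 -in "$dir/$host.cert" -outform DER -out "$dir/$host.der.crt"
    rm -f "$dir/.rnd"
}

# Returns 0 if the PEM file is an encrypted private key (the old
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# form both contain the word), 1 if the key is stored in the clear.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Returns 0 if the PEM ($1) and DER ($2) files carry the same certificate.
der_matches_pem() {
    pem=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    der=$(openssl x509 -noout -fingerprint -sha256 -inform DER -in "$2")
    [ -n "$pem" ] && [ "$pem" = "$der" ]
}

# Usage: sh selfsigned.sh /path/to/workdir www.example.test 'passphrase'
if [ $# -eq 3 ]; then
    mkdir -p "$1"
    make_selfsigned "$1" "$2" "$3"
    key_is_encrypted "$1/privkey.pem" && ! key_is_encrypted "$1/$2.key" \
        && der_matches_pem "$1/$2.cert" "$1/$2.der.crt" \
        && echo "$2: server key is unencrypted, DER and PEM match"
fi
```

privkey.pem (still encrypted) is the copy to keep offline; the unencrypted $host.key is the one the web server loads at startup, and it is the file whose permissions matter.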
temple_treefrog, posted November 4, 2004

Thanks, it's working now. :)
red8Rain, posted November 11, 2004

b0b, where did you get the openssl.conf file from (originally)? Was it part of the OpenSSL installation and you modified it? Might give this guide a try in the next few months.
jbristow, posted January 7, 2005

I keep getting the following error when I begin step 2.

    'openssl' is not recognized as an internal or external command, operable program or batch file.

Looks like others have been successful, so I must have done something wrong. Can anyone help?
1ke, posted January 9, 2005

Quoting jbristow: "I keep getting the following error when I begin step 2. Looks like others have been successful, so I must have done something wrong. Can anyone help?"

Heh, I got that too. Then I realized it was a problem with the idiot at the keyboard. When you follow the link at the top of this page, you get not the default OpenSSL, but the Win32 OpenSSL Installer, which by default installs the program into the C:/Openssl/bin/ directory. Try launching it from there instead. Actually, move the files you created in the first steps to that dir first, then launch it.

If you're still having probs, it's likely due to Windows' AutoDial proggy stealing the .conf/.cnf extension. I made my file in Notepad and saved it as openssl.conf, and even after I unregistered SpeedDial from the extension, the file was renamed openssl.conf.con, which of course won't work. So at the cmd line, just

    ren openssl.conf.con openssl.conf

to fix it. NOW run the program. (I relearned more in those five minutes than I forgot since DOS 6.)

Hope this helps.
1ke, posted January 9, 2005

Oh, now that I've made a CA cert, does anyone know how to use that to certify/create an Acrobat-compatible Digital ID?
war, posted January 9, 2005

Nice guide. Thanks, Will
Azadre, posted January 14, 2005

Out of curiosity, can I uninstall SSL after making the certificate?
Azadre, posted January 14, 2005 (edited)

    C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

gives me errors, which was because it didn't see it as openssl.conf but openssl.conf.txt. I am getting the same things as kizzaaa, and I don't have a server either. What should I do?

Edited January 14, 2005 by Azadre