Skip to main content

Generate self signed certificate with OpenSSL for IIS

Recently I wanted to enable SSL to a project hosted on IIS 8. Finally the tool I used was OpenSSL, after many days fighting with makecert commands.The certificate is generated in Debian, but I could import it seamlessly into IIS 7 and 8.

Download the OpenSSL compatible with your OS and setup the configuration file. Set the configuration file as default configuration of OpenSSL.



# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash


First we will generate the private key and certificate of Certification Authority (CA). This certificate is to sign the certificate request (CSR).


You must complete all fields that are required in this process.


  1. openssl req -new -x509 -days 3650 -extensions v3_ca -keyout root-cakey.pem -out root-cacert.pem -newkey rsa:4096


You can create a configuration file with default settings like this: Now we will generate the certificate request, which is the file that is sent to the Certification Authorities.


The Common Name must be set the domain of your site, for example: public.organization.com.


  1. openssl req -new -nodes -out server-csr.pem -keyout server-key.pem -newkey rsa:4096


Now the certificate request is signed with the generated CA certificate.


  1. openssl x509 -req -days 365 -CA root-cacert.pem -CAkey root-cakey.pem -CAcreateserial -in server-csr.pem -out server-cert.pem


The generated certificate must be exported to a .pfx file that can be imported into the IIS.


  1. openssl pkcs12 -export -out server-cert.pfx -inkey server-key.pem -in server-cert.pem -certfile root-cacert.pem -name "Self Signed Server Certificate"


In this step we will import the certificate CA.


In your server must import the CA certificate to the Trusted Root Certification Authorities, for IIS can trust the certificate to be imported. Remember that the certificate to be imported into the IIS, has been signed with the certificate of the CA.


  • Open Command Prompt and type mmc.
  • Click on File.
  • Select Add/Remove Snap in....
  • Double click on Certificates.
  • Select Computer Account and Next ->.
  • Select Local Computer and Finish.
  • Ok.
  • Go to Certificates -> Trusted Root Certification Authorities -> Certificates, rigth click on Certificates and select All Tasks -> Import ...


  • Select Next -> Browse ...
  • You must select All Files to browse the location of root-cacert.pem file.
  • Click on Next and select Place all certificates in the following storeTrusted Root Certification Authorities.
  • Click on Next and Finish.



With this step, the IIS trust on the authenticity of our certificate.


  1. In our last step we will import the certificate to IIS and add the binding site.

    • Open Internet Information Services (IIS) Manager or type inetmgr on command prompt and go to Server Certificates.
    • Click on Import....
    • Set the path of .pfx file, the passphrase and Select certificate store on Web Hosting.


  • Click on OK.

  • Now go to your site on IIS Manager and select Bindings... and Add a new binding.

  • Select https as the type of binding and you should be able to see the imported certificate.

  • Click on OK and all is done.





Labels:

Comments

Post a Comment

Popular posts from this blog

Configure SSL on MS SQL Server with OpenSSL

I configured successfully SSL on Microsoft SQL Server 2012 Express Edition for the purpose of encrypting external network connections to the database that are made through Internet. For performance reasons for internal clients on the network I do not want to force the use of SSL and leave to the clients the option of use it or not. I set   Force Encryption   to   No   with the following steps: Sql Server Configuration Manager Sql Server Network Configuration Protocols for (MYSQLSERVERNAME) Right click:  Properties Flags  tab. When I try to establish an encrypted connection with Microsoft Sql Server Management Studio checking  Encrypt connection  option on  Options  >  Connection Properties  I get the following error. A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The target principal name is incorrect.) (Microsoft SQL Server,...
Post a Comment
Read more

Gradle: Configuring assets folder of Android application

  In many projects I've worked I've come to appreciate the advantages that using a continuous integration tool like TeamCity. During the development of  last Android application, available on Google Play at OCL Lab Results , I saw the need to include or exclude certain files in the assets of the same.    I decided to go into the benefits offered by a build automation system like Gradle . Let me make one thing clear before starting the details, this article is not a tutorial on Gradle, so I hope you're familiar with it before reading, although I confess that it is not very difficult to understand its main components. All code shown below is designed with Gradle 2.1 and Android Studio.   First you need to ensure the existence of the folder of assets to be included in the apk. So we will create the next task to verify the existence of that folder: def assetsProjectFolderPath= '/src/main/assets'   task createAssetsFolder <<{ def folder = file...
Post a Comment
Read more