
Generate self signed certificate with OpenSSL for IIS

Recently I wanted to enable SSL for a project hosted on IIS 8. Finally the tool I used was OpenSSL, after many days fighting with makecert commands. The certificate is generated on Debian, but I could import it seamlessly into IIS 7 and 8.

Download the OpenSSL build compatible with your OS and set up the configuration file, then make it OpenSSL's default configuration. A configuration file with default settings looks like this:



# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # SHA-256; MD5 signatures are broken and rejected by current clients
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
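default_bits = 2048 # Size of keys (1024-bit RSA is too weak; the commands below pass rsa:4096)
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm (MD5 is broken and rejected by current clients)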
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash


First we generate the private key and certificate of the Certification Authority (CA). This CA certificate is used later to sign the certificate signing request (CSR).


Complete all the required fields when prompted.


  openssl req -new -x509 -days 3650 -extensions v3_ca -keyout root-cakey.pem -out root-cacert.pem -newkey rsa:4096


Now we generate the certificate signing request, which is the file that is normally sent to a Certification Authority.


The Common Name must be set to the domain of your site, for example: public.organization.com.


  openssl req -new -nodes -out server-csr.pem -keyout server-key.pem -newkey rsa:4096


Now the certificate request is signed with the generated CA certificate.


  openssl x509 -req -days 365 -CA root-cacert.pem -CAkey root-cakey.pem -CAcreateserial -in server-csr.pem -out server-cert.pem


The generated certificate must be exported to a .pfx file that can be imported into IIS.


  openssl pkcs12 -export -out server-cert.pfx -inkey server-key.pem -in server-cert.pem -certfile root-cacert.pem -name "Self Signed Server Certificate"
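
The four OpenSSL steps above as one unattended script, an added example that is not part of the original post. It writes its own small config (pki.cnf, a hypothetical name) and signs with -extfile so the server certificate carries a subjectAltName, which openssl x509 -req leaves out when no extension file is given. HOST, the DN values, the 2048-bit default and the PFX passphrase are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post; all names below are placeholders.
HOST="public.organization.com"
BITS="${BITS:-2048}"      # the post uses rsa:4096; 2048 keeps the demo quick
PFX_PASS="change-me"      # placeholder; IIS asks for this passphrase on import

build_chain() (           # subshell body, so the cd stays local to the function
    mkdir -p "$1" && cd "$1" || exit 1
    cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    # CA key and self-signed CA certificate (-nodes only so the demo is unattended)
    openssl req -new -x509 -nodes -sha256 -days 3650 -newkey "rsa:$BITS" \
        -config pki.cnf -extensions v3_ca -subj "/O=My Company/CN=Demo Root CA" \
        -keyout root-cakey.pem -out root-cacert.pem || exit 1
    # Server key and CSR; the CN is the site's host name
    openssl req -new -nodes -sha256 -newkey "rsa:$BITS" -config pki.cnf \
        -subj "/O=My Company/CN=$HOST" \
        -keyout server-key.pem -out server-csr.pem || exit 1
    # Sign the CSR; extensions come only from -extfile/-extensions
    openssl x509 -req -sha256 -days 365 -CA root-cacert.pem -CAkey root-cakey.pem \
        -CAcreateserial -extfile pki.cnf -extensions v3_server \
        -in server-csr.pem -out server-cert.pem || exit 1
    openssl verify -CAfile root-cacert.pem server-cert.pem || exit 1
    # Bundle key, certificate and CA certificate into the .pfx that IIS imports
    openssl pkcs12 -export -out server-cert.pfx -inkey server-key.pem \
        -in server-cert.pem -certfile root-cacert.pem \
        -name "Self Signed Server Certificate" -passout "pass:$PFX_PASS"
)

# Succeeds only if the certificate is SHA-256 signed and lists HOST as a SAN.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    echo "$text" | grep -q "DNS:$HOST"
}

build_chain "${OUT:-demo-pki}" && check_cert "${OUT:-demo-pki}/server-cert.pem"
```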


In this step we import the CA certificate.


On your server, import the CA certificate into the Trusted Root Certification Authorities store so that IIS can trust the server certificate you will import afterwards. Remember that the certificate to be imported into IIS has been signed with the certificate of the CA.


  • Open Command Prompt and type mmc.
  • Click on File.
  • Select Add/Remove Snap in....
  • Double click on Certificates.
  • Select Computer Account and Next ->.
  • Select Local Computer and Finish.
  • Ok.
  • Go to Certificates -> Trusted Root Certification Authorities -> Certificates, right-click on Certificates and select All Tasks -> Import ...
  • Select Next -> Browse ...
  • You must select All Files to browse to the location of the root-cacert.pem file.
  • Click on Next and select Place all certificates in the following store: Trusted Root Certification Authorities.
  • Click on Next and Finish.



After this step, IIS trusts the authenticity of our certificate.


In our last step we import the certificate into IIS and add the site binding.

  • Open Internet Information Services (IIS) Manager, or type inetmgr at the command prompt, and go to Server Certificates.
  • Click on Import....
  • Set the path of the .pfx file and the passphrase, and under Select certificate store choose Web Hosting.
  • Click on OK.
  • Now go to your site in IIS Manager, select Bindings... and Add a new binding.
  • Select https as the type of binding and you should be able to see the imported certificate.
  • Click on OK and all is done.




