In my last post, we learned how to generate a CSR using OpenSSL.
Now that we have created a CSR, we will use this CSR (Certificate Signing Request) to create a Self Signed Certificate.
So let's get ready for
Generating Self Signed SSL Certificate using OpenSSL on Windows
For generating a Self Signed Certificate using OpenSSL on a Windows machine we need the following 3 things:
- OpenSSL installed on the machine.
- A root CA (Certification Authority)
- A Private Key
- A CSR file
We already created a CSR in my last post, but here we will create another CSR after we create the CA and Intermediate CA in OpenSSL.
Creating Root CA in OpenSSL
To create a Root CA in OpenSSL, follow these steps from your OpenSSL console in Command Prompt.
1. Generate the Root CA key with this command:
genrsa -out lalitca.key 4096
This command will generate a strong 4096-bit RSA key for our Root CA and will store it in a key file named lalitca.key.
Note: If you want to password-protect this key, simply add the -des3 option to the above command. For the sake of simplicity I have skipped this option.
2. Now, based on this CA key, we will create our Root CA certificate. We will have to give our Root CA an identity such as Country, State, Location, Organization, OU, CommonName, etc. Put in all this information carefully.
req -new -x509 -days 3652 -key Lalitca.key -out Lalitca.crt
Note: We are using the -x509 switch to create a self-signed certificate, and the -days 3652 switch ensures that this Root CA certificate will be valid for 10 years.
Now we have the Root CA in place. We are all set to create a CSR which will be used to create a Self Signed certificate signed by this Root CA.
Creating a CSR
Execute the following 2 commands in the same order to generate the Private Key and CSR file.
genrsa -out test.key 4096
req -new -key test.key -out test.csr
Put in all required information again (Country, State, Location, Organization, Organization Unit, Common Name, etc.).
Note: Make sure you give a different Common Name (in this step) than the Root CA. Otherwise you will run into an error at a later stage.
Now we have all 3 things in place (OpenSSL, RootCA and CSR). It's now time to generate our first Self-Signed certificate from OpenSSL.
Execute the following command to create the certificate based on the CSR and get it signed by the RootCA we created in the above steps.
x509 -req -days 1095 -in test.csr -CA lalitCA.crt -CAkey lalitca.key -set_serial 01 -out lalit.crt
This command will give you results like the following:
Signature ok
subject=C = US, ST = Arizona, L = Tempe, O = Lalit, CN = web.lalitgolani.com
Getting CA Private Key
And that's it.
You have successfully created your RootCA and first Self-Signed certificate using OpenSSL on a Windows machine.
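To check the result, the steps above can be repeated non-interactively and the issued certificate verified against the Root CA. The script below is an added example for a POSIX shell with the openssl binary on the PATH (for instance under WSL), not code from the original post; it goes one step beyond the post by adding a subjectAltName at signing time, which current browsers use for host name matching instead of the Common Name. The Root CA subject and the file name san.ext are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's code. The Root CA subject and the file
# name san.ext are constructed; the leaf subject is the one shown on the page.
# File names are lowercase throughout so it also runs on case-sensitive systems.

issue_and_verify() {
    bits=${1:-4096}                 # the page uses 4096-bit RSA keys
    dir=$(mktemp -d) || return 1
    status=0
    (
        cd "$dir" || exit 1

        # Root CA key and self-signed root certificate, valid for 3652 days.
        openssl genrsa -out lalitca.key "$bits" 2>/dev/null || exit 1
        openssl req -new -x509 -days 3652 -key lalitca.key -out lalitca.crt \
            -subj "/C=US/ST=Arizona/L=Tempe/O=Lalit/CN=Lalit Root CA" || exit 1

        # Server key and CSR; the Common Name differs from the Root CA's.
        openssl genrsa -out test.key "$bits" 2>/dev/null || exit 1
        openssl req -new -key test.key -out test.csr \
            -subj "/C=US/ST=Arizona/L=Tempe/O=Lalit/CN=web.lalitgolani.com" || exit 1

        # By default x509 -req does not copy extensions from the CSR, so the
        # SAN that clients match the host name against is supplied here.
        printf '%s\n' 'basicConstraints = CA:FALSE' \
            'subjectAltName = DNS:web.lalitgolani.com' > san.ext

        openssl x509 -req -days 1095 -in test.csr -CA lalitca.crt \
            -CAkey lalitca.key -set_serial 01 -extfile san.ext \
            -out lalit.crt 2>/dev/null || exit 1

        # Check 1: the certificate chains to the Root CA ("lalit.crt: OK").
        openssl verify -CAfile lalitca.crt lalit.crt || exit 1
        # Check 2: the SAN made it into the issued certificate.
        openssl x509 -in lalit.crt -noout -text | grep 'DNS:' || exit 1
    ) || status=$?
    rm -rf "$dir"                   # scratch keys are discarded
    return "$status"
}
```

Call `issue_and_verify` to run it with 4096-bit keys, or pass a smaller size such as `issue_and_verify 2048` for a quicker run. In the OpenSSL console used in this post, the same two checks are `verify -CAfile lalitca.crt lalit.crt` and `x509 -in lalit.crt -noout -text`.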
In my next post, I will show how to convert the .CRT file into a .P12 (PFX) file and install it on IIS.