Ever felt like you needed a secure page
on your server, but didn't want to pay for it? Use OpenSSL to create your
own certificates.
Windows Internet Information Services and SSL.
Because this server is used internally only, a commercial SSL certificate
was not obtained. Instead, a private certificate authority (CA) was set up to
create and sign internal server certificates.
Creating an SSL certificate for IIS5.
· Download OpenSSL, preferably as a pre-compiled binary:
http://www.openssl.org/related/binaries.html
or
http://www.devhood.com/Tools/tool_details.aspx?tool_id=277
· Use this openssl.cnf file
and save it into the OpenSSL directory. (Make sure it is named openssl.cnf,
because Windows may change its extension and hide it from you.)
· CD to the OpenSSL directory.
· Create directories called “private”, “certs”
and “newcerts”.
First, create a root CA by executing the following (the key size is given
explicitly because older OpenSSL builds default to a 512-bit key, which is
far too small):
openssl genrsa -des3 -out private\root.key 2048
openssl req -config openssl.cnf -new -key private\root.key -out newcerts\root.csr
openssl x509 -req -days 1826 -extfile openssl.cnf -extensions root_ext -in newcerts\root.csr -signkey private\root.key -out certs\root.crt
With the root CA created it is now possible to sign “child”
CAs.
Now create the CA that will be used to sign the server’s certificate
request:
openssl req -config openssl.cnf -new -out newcerts\ca.csr -keyout private\ca.key
openssl ca -config openssl.cnf -name cacert -in newcerts\ca.csr -out certs\ca.crt
Then re-encode the new certificates into a format that Windows 2000 can
understand (openssl ca writes a human-readable dump of the certificate ahead
of the PEM block, and the Windows importer wants the bare PEM block):
openssl x509 -in certs\root.crt -out C:\Inetpub\wwwroot\root.crt -outform PEM
openssl x509 -in certs\ca.crt -out C:\Inetpub\wwwroot\ca.crt -outform PEM
root.crt and ca.crt can then be copied to the server and installed (double-click
on them).
On the server, right-click the Default Server and select Properties.
Select the “Directory Security” tab,
then click Server Certificate.
Create a new request by answering all of the questions.
A file called “c:\certreq.txt” will now exist.
Copy certreq.txt into the “newcerts” directory and rename
it to server.csr. Then execute the following:
openssl ca -config openssl.cnf -name server -in newcerts\server.csr -out certs\server.crt
This signs the server’s certificate request with the CA generated
earlier.
Then re-encode the new certificate into a format that Windows 2000 can understand:
openssl x509 -in certs\server.crt -out certs\server.pem -outform PEM
Copy server.pem into C:\. Then go back to the Directory Security tab on the web
site, click Server Certificate, and use the wizard to finish the pending
request using the server.pem file.
The server is now ready to accept SSL connections. Users will be prompted with
a security alert when they access the site, because the client does
not know the CA that signed the server certificate.
If you install ca.crt on the client (double-click the file), it will trust your
certificate and stop bugging you.
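The whole procedure above, as an added example that is not part of the original page: a POSIX shell script that builds the same two-tier hierarchy (root CA, signing CA, server certificate) with a minimal openssl.cnf of its own, then verifies the chain the way a client would. The section names (root_ext, cacert, server), the CA names, the host name intranet.example.test, the serial and index file names, and the config contents are all assumptions made for this example; the page's own openssl.cnf is not reproduced. Keys are left unencrypted so the script runs unattended (the page encrypts them with -des3, which is the right choice for a CA key you keep), and paths use forward slashes rather than the Windows command prompt of the page. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not the page's own files: root CA -> signing CA -> server
# certificate with "openssl ca", then chain verification. All names are
# hypothetical. Keys are unencrypted only so this runs without prompts.
set -eu

build_test_pki() {
    PKI_DIR=$(mktemp -d)
    cd "$PKI_DIR"
    mkdir private certs newcerts
    # "openssl ca" keeps a small database per CA: an index of issued
    # certificates and the next serial number (this is what newcerts is for).
    : > root.index; echo 1000 > root.serial
    : > ca.index;   echo 2000 > ca.serial
    # Minimal config (assumed; section names mirror the page's commands).
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ cacert ]
dir = .
database = $dir/root.index
serial = $dir/root.serial
new_certs_dir = $dir/newcerts
certificate = $dir/certs/root.crt
private_key = $dir/private/root.key
default_md = sha256
default_days = 1826
policy = cn_only
x509_extensions = ca_ext
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ server ]
dir = .
database = $dir/ca.index
serial = $dir/ca.serial
new_certs_dir = $dir/newcerts
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key
default_md = sha256
default_days = 365
policy = cn_only
x509_extensions = server_ext
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
authorityKeyIdentifier = keyid
[ cn_only ]
commonName = supplied
EOF
    # Root CA, the same three steps as the page: key, request, self-sign.
    openssl genrsa -out private/root.key 2048 2>/dev/null
    openssl req -config openssl.cnf -new -key private/root.key \
        -subj "/CN=Example Root CA" -out newcerts/root.csr
    openssl x509 -req -days 1826 -extfile openssl.cnf -extensions root_ext \
        -in newcerts/root.csr -signkey private/root.key -out certs/root.crt
    # Signing ("child") CA, issued by the root through the cacert section.
    # -notext writes the bare PEM block, which is what the page's later
    # "openssl x509 -outform PEM" re-encoding step produces.
    openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Signing CA" -keyout private/ca.key -out newcerts/ca.csr
    openssl ca -config openssl.cnf -name cacert -batch -notext \
        -in newcerts/ca.csr -out certs/ca.crt
    # Server request, standing in for the c:\certreq.txt the IIS wizard writes.
    openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=intranet.example.test" -keyout private/server.key -out newcerts/server.csr
    openssl ca -config openssl.cnf -name server -batch -notext \
        -in newcerts/server.csr -out certs/server.crt
}

# True if the file starts with the PEM header, i.e. no text dump precedes it.
pem_is_bare() { [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ]; }

# True if the certificate in $1 names $2 in its issuer DN.
issued_by() {
    case "$(openssl x509 -in "$1" -noout -issuer)" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# What a client does: trust the root, use the signing CA as an untrusted
# intermediate, and check the leaf for TLS server use and the expected host.
verify_chain() {
    openssl verify -CAfile certs/root.crt -untrusted certs/ca.crt \
        -purpose sslserver -verify_hostname intranet.example.test certs/server.crt
}

# Failure mode: trusting only the signing CA does not complete the chain,
# because OpenSSL requires a self-signed root unless -partial_chain is given.
verify_without_root() {
    if openssl verify -CAfile certs/ca.crt certs/server.crt >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

build_test_pki
pem_is_bare certs/server.crt && echo "server.crt is a bare PEM block"
verify_chain
verify_without_root || echo "chain does not verify with the signing CA alone"
```

The last check is the practical point behind the security alert described above: a client that trusts only the intermediate still cannot build a complete chain, so root.crt needs to be in the client's trusted store as well (or the trust store must accept the signing CA as an anchor on its own).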
David Treacy
Vector Communications.
dave@vectorcomms.com