
Create an SSL server for Windows 2000.

Ever felt like you needed a secure page on your server, but didn't want to pay for it? Use OpenSSL to create your own certificates.


Windows Internet Information Services and ssl.


Because this server is for internal use only, a commercial SSL certificate was not obtained. Instead, a certificate authority (CA) was set up to create and sign internal server certificates.



Creating an ssl certificate for IIS5.


· Download OpenSSL, preferably as a pre-compiled binary:
http://www.openssl.org/related/binaries.html
or
http://www.devhood.com/Tools/tool_details.aspx?tool_id=277
Use this openssl.cnf file and save it into the OpenSSL directory (make sure the file is named exactly openssl.cnf, because Windows may change its extension and hide it from you).

CD to the openssl directory.

Create directories called "private", "certs" and "newcerts".

First, create a root CA by executing the following (the key is protected with a DES3 passphrase; 2048 is the key size in bits, added here because older OpenSSL builds default to a much shorter key):

  openssl genrsa -des3 -out private\root.key 2048
  openssl req -config openssl.cnf -new -key private\root.key -out newcerts\root.csr
  openssl x509 -req -days 1826 -extfile openssl.cnf -extensions root_ext ^
          -in newcerts\root.csr -signkey private\root.key -out certs\root.crt

With this root CA created it is now possible to sign "child" CAs.

Now create the CA that will be used to sign the server's Certificate Request.

  openssl req -config openssl.cnf -new -out newcerts\ca.csr -keyout private\ca.key
  openssl ca -config openssl.cnf -name cacert -in newcerts\ca.csr -out certs\ca.crt


Then encode the new certificates into a format that Win 2000 can understand (the original commands pointed -out at the wwwroot directory itself; the output must be a file name, so the certificates are written into wwwroot under their own names):

  openssl x509 -in certs\root.crt -out C:\Inetpub\wwwroot\root.crt -outform PEM
  openssl x509 -in certs\ca.crt -out C:\Inetpub\wwwroot\ca.crt -outform PEM

root.crt and ca.crt can now be copied to the server and installed (double-click on each of them).

On the server, right-click the Default Server and select Properties.
Select the "Directory Security" tab.
Then click Server Certificate.
Create a new request by answering all of the questions.
A file called "c:\certreq.txt" will now exist.
Copy certreq.txt into the "newcerts" directory and rename it to server.csr. Then execute the following:

  openssl ca -config openssl.cnf -name server -in newcerts\server.csr -out certs\server.crt

This signs the request generated by the server with the previously generated CA.
Then encode the new certificate into a format that Win 2000 can understand.

  openssl x509 -in certs\server.crt -out certs\server.pem -outform PEM


Copy server.pem into C:\. Then go back to the Directory Security tab on the web directory and click Server Certificate. Use the wizard to finish the pending request using the server.pem file.
The server is now ready to accept SSL connections. Users will be prompted with a security alert when they access the site, because the client does not trust the CA that signed the server certificate (nor the root that signed that CA).
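The chain the page builds (self-signed root, child CA signed by the root, server certificate signed by the child CA) can be reproduced and checked end to end with the following POSIX shell script. This is an added example, not a script from the original page or its author: it uses `openssl x509 -req` with an inline extension file in place of the page's openssl.cnf (which is not reproduced on the page), leaves the keys unencrypted so it can run unattended, and the host name, subject names, key size and validity periods other than the page's 1826 days are constructed for the demo. The last function shows the page's "security alert" case: the same server certificate does not verify when only ca.crt, and not the root, is trusted.

```shell
#!/bin/sh
# Added example (not the page's own script): build a root CA -> child CA ->
# server certificate chain with OpenSSL, then verify it the way a client does.
set -eu

HOST="intranet.example.test"   # hypothetical internal server name (constructed)

# Extension sections. "root_ext" is the name the page uses; "ca_ext" and
# "server_ext" are assumed here. The [req] section keeps "openssl req" quiet.
write_extfile() {
    cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# Creates the page's directory layout under $1 and the three certificates.
build_chain() {
    d="$1"
    mkdir -p "$d/private" "$d/certs" "$d/newcerts"
    write_extfile "$d"
    cfg="$d/ext.cnf"
    # 1. Root CA: self-signed, valid 1826 days as on the page.
    openssl genrsa -out "$d/private/root.key" 2048
    openssl req -config "$cfg" -new -key "$d/private/root.key" \
        -subj "/CN=Example Internal Root" -out "$d/newcerts/root.csr"
    openssl x509 -req -days 1826 -extfile "$cfg" -extensions root_ext \
        -in "$d/newcerts/root.csr" -signkey "$d/private/root.key" \
        -out "$d/certs/root.crt"
    # 2. Child CA, signed by the root (replaces "openssl ca -name cacert").
    openssl genrsa -out "$d/private/ca.key" 2048
    openssl req -config "$cfg" -new -key "$d/private/ca.key" \
        -subj "/CN=Example Internal Issuing CA" -out "$d/newcerts/ca.csr"
    openssl x509 -req -days 1095 -extfile "$cfg" -extensions ca_ext \
        -in "$d/newcerts/ca.csr" -CA "$d/certs/root.crt" \
        -CAkey "$d/private/root.key" -CAcreateserial -out "$d/certs/ca.crt"
    # 3. Server certificate; this CSR stands in for IIS's certreq.txt.
    openssl genrsa -out "$d/private/server.key" 2048
    openssl req -config "$cfg" -new -key "$d/private/server.key" \
        -subj "/CN=$HOST" -out "$d/newcerts/server.csr"
    openssl x509 -req -days 365 -extfile "$cfg" -extensions server_ext \
        -in "$d/newcerts/server.csr" -CA "$d/certs/ca.crt" \
        -CAkey "$d/private/ca.key" -CAcreateserial -out "$d/certs/server.crt"
}

# Client view: trust only the root, supply ca.crt as an untrusted intermediate.
# Returns 0 when server.crt chains to root.crt and carries the expected name.
verify_chain() {
    d="$1"
    openssl verify -CAfile "$d/certs/root.crt" -untrusted "$d/certs/ca.crt" \
        "$d/certs/server.crt" >/dev/null
    openssl x509 -in "$d/certs/server.crt" -noout -text | grep -q "DNS:$HOST"
}

# The page's "security alert" case: with only ca.crt trusted and no root, the
# chain cannot be completed, so verification fails. Returns 0 when it fails.
missing_root_fails() {
    d="$1"
    ! openssl verify -CAfile "$d/certs/ca.crt" "$d/certs/server.crt" >/dev/null 2>&1
}

WORK="${1:-$(mktemp -d)}"
build_chain "$WORK"
verify_chain "$WORK" && echo "chain OK: $WORK/certs/server.crt verifies against root.crt"
missing_root_fails "$WORK" && echo "as expected, server.crt does not verify without root.crt"
```

Run it as `sh build_chain.sh [workdir]`; the `certs\` and `private\` layout mirrors the page so the files map one to one onto the Windows commands above. Installing root.crt on a client is what turns the failing `missing_root_fails` case into the passing `verify_chain` case.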


If you install ca.crt on the client (double-click the file and import it), the client will trust your certificate and stop prompting you.


David Treacy
Vector Communications.
dave@vectorcomms.com

Free SSL
For internal or private servers, there's no need to pay for a certificate! Just make your own!