The Security Guide

Self-Signed SSL Certificate using OpenSSL with IIS

When RuleWorks web applications such as RIDLog are installed with access from the public internet, it is recommended to use them over SSL. Self-signed SSL certificates can be used in some cases. Instructions to install OpenSSL, set up a local certificate authority and issue a certificate for IIS are shown below.

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library.

Install and configure the OpenSSL toolkit

  1. Get the OpenSSL tools for Windows from Shining Light Productions.
    This is a Windows port of the popular OpenSSL toolkit. Run the installer, accepting the defaults.
    These instructions assume OpenSSL is installed in C:\OpenSSL.
  2. Add C:\OpenSSL\bin to your system path:
    Control Panel -> System -> Advanced -> Environment Variables -> System Variables.
  3. Create a working directory. For example, create c:\ssl.
  4. Download this copy of openssl.conf to your working folder.
  5. Set up the directory structure and files required by OpenSSL:
    C:\ssl>md keys
    C:\ssl>md requests
    C:\ssl>md certs
  6. Create the file database.txt - an empty (zero-byte) text file.
    For example:-
    C:\ssl>copy con database.txt
    This should produce a zero-byte file called c:\ssl\database.txt
  7. Create the serial number file serial.txt. This is a plain ASCII file containing the string "01" on the first line, followed by a newline. For example:-
    C:\ssl>copy con serial.txt
    Note: keystrokes zero, one, return, control-Z, return

Set up a Certificate Authority (CA)

  1. First, create a 1024-bit private key to use:
    C:\ssl>openssl genrsa -des3 -out keys/ca.key 1024
    Loading 'screen' into random state - done
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    Enter PEM pass phrase:  - choose a memorable pass phrase to use for this key
    Verifying password - Enter PEM pass phrase:  - type your pass phrase again for verification
    The pass phrase will be requested whenever you use this certificate for anything.
  2. This will create a file called c:\ssl\keys\ca.key, containing our certificate authority private key.
  3. Next, create a master certificate based on this key, to use when signing other certificates:
    C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer
    Using configuration from openssl.conf
    Enter PEM pass phrase:  - type your passphrase here.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) []:GB
    State or Province Name (full name) []:Hampshire
    Locality Name (eg, city) []:Southampton
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your websites domain name) []:
    Email Address []:
    This will create a CA certificate and store it as c:\ssl\certs\ca.cer
  4. Export the CA certificate for distribution - this will allow Windows users to import it into their Trusted Root Store, so they don't get warning messages every time they use the certificates. The command below writes the certificate alone (the CA private key in keys/ca.key is never distributed), converted to DER form:

    C:\ssl>openssl x509 -in certs/ca.cer -outform DER -out certs/ca.der

Create an IIS Certificate Request

Open IIS website properties on the target server and start the SSL request process - follow the IIS steps as instructed.
You should end up with a file called certreq.txt.

Sign the Certificate Request

  1. Copy the certreq.txt file into c:\ssl\requests
  2. Sign the request
    C:\ssl>openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer 
           -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer
    Using configuration from openssl.conf
    Loading 'screen' into random state - done
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    commonName            :PRINTABLE:'myCommonName'
    organizationName      :PRINTABLE:'myOrganisation'
    localityName          :PRINTABLE:'myLocality'
    stateOrProvinceName   :PRINTABLE:'myProvince'
    countryName           :PRINTABLE:'GB'
    Certificate is to be certified until Aug  7 01:12:12 2006 GMT (360 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Command-line options:
    • -policy policy_anything - specifies that we're using the 'policy_anything' policy from our openssl.conf file.
      This is a relaxed policy in which the name, country, etc. in the certificate don't need to match those used by the certification authority.
      Use -policy policy_match for a more restrictive CA.
    • -config openssl.conf - specifies we're reading our configuration from openssl.conf in the current directory.
    • -cert certs/ca.cer - specifies we're using our CA master certificate to sign the request.
    • -in requests/certreq.txt - the certificate request we're signing.
    • -keyfile keys/ca.key - the private key for our CA master certificate, which proves we're allowed to use it.
    • -days 360 - the time until the certificate will expire.
    • -out certs/iis.cer - the file in which to place our newly-signed certificate.
  3. Convert the signed certificate into plain x509 (PEM) format for use with IIS. The output of openssl ca starts with a human-readable dump of the certificate; this step strips it so only the PEM block remains:
    C:\ssl>openssl x509 -in certs/iis.cer -out certs/iisx509.cer
    This will leave the new certificate in c:\ssl\certs\iisx509.cer - signed, sealed and ready to install.
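To see the whole procedure run end to end, here is an added example that is not from the original page: a POSIX shell script that writes a minimal openssl.conf of its own (file and section names are this example's choices), builds the CA, signs a constructed stand-in for the certreq.txt that IIS would produce, and checks the result with openssl verify. It assumes openssl is on PATH, uses 2048-bit keys instead of the page's 1024, and leaves the CA key unencrypted so it runs unattended, whereas the -des3 pass phrase used above is what a real CA key should have.

```shell
#!/bin/sh
# Added example (not from the page): the page's CA workflow with an inline openssl.conf.
# Assumes 'openssl' on PATH; key sizes, names and section names are this example's own.
set -e
setup_ca() (
  work="${1:-./ssl-demo}"
  mkdir -p "$work/keys" "$work/requests" "$work/certs"
  cd "$work"
  : > database.txt                 # empty index file (page step 6)
  echo 01 > serial.txt             # first serial number (page step 7)
  cat > openssl.conf <<'EOF'
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
dir           = .
database      = $dir/database.txt
serial        = $dir/serial.txt
new_certs_dir = $dir/certs
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  # CA private key and self-signed CA certificate (page: genrsa, then req -x509)
  openssl genrsa -out keys/ca.key 2048 2>/dev/null
  openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key \
    -subj "/C=GB/ST=Hampshire/L=Southampton/CN=Demo CA" -out certs/ca.cer
  openssl x509 -in certs/ca.cer -outform DER -out certs/ca.der  # DER copy for import
  # Constructed stand-in for the CSR that IIS would write to certreq.txt
  openssl req -config openssl.conf -new -nodes -newkey rsa:2048 -keyout keys/iis.key \
    -subj "/C=GB/CN=www.example.test" -out requests/certreq.txt 2>/dev/null
  # Sign it as the page does (-batch answers the y/n prompts), then strip to bare PEM
  openssl ca -batch -policy policy_anything -config openssl.conf -cert certs/ca.cer \
    -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer
  openssl x509 -in certs/iis.cer -out certs/iisx509.cer
  # Exit status 0 only if the new certificate chains to the CA we just built
  openssl verify -CAfile certs/ca.cer certs/iisx509.cer
)
```

Run it as `setup_ca /tmp/ssl-demo`; afterwards database.txt holds one 'V' (valid) entry and serial.txt has advanced to 02, which is the bookkeeping openssl ca relies on for the next request.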

Install the new certificate under IIS

The iisx509.cer file is the certificate response file which should be copied to the target server.
Open IIS website properties on the target server and start the SSL installation process - follow the IIS steps as instructed.

© RuleWorks - All Rights Reserved