Written By Michael Tobisch
2024-11-25
Note: These instructions are not meant for public webservers! You should use this only for intranet websites which are not reachable from the Internet.
Prerequisites
Some explanations
In this document I use some expressions that you have to change depending on your needs. These are:
- [City] - the name of your city, e.g. Innsbruck
- [CompanyName] - the name of your company, e.g. dnnWerk.at
- [CountryName] - the two letter ISO code for your country, e.g. AT for Austria.
- [EmailAddress] - change this to your email address, e.g. [email protected]
- [RootPath] - this is somewhere on your hard disk, e.g. C:\ or D:\Workspace
- [SiteName] - this is the folder for the site you want to create the certificate for, e.g. dnnwerk.internal or www.dnnwerk.internal
- [State] - your state or province, e.g. South Carolina, Tyrol etc.
- [UnitName] - the name of your organizational unit, e.g. IT Department
Steps
Install OpenSSL
When the installer asks where to copy the OpenSSL DLLs, choose "The OpenSSL binaries (/bin) directory".
Create some directories and files
[RootPath]\Certificates
+-[RootPath]\Certificates\RootCA
+-[RootPath]\Certificates\[SiteName]
+-[RootPath]\Certificates\[SiteName]\.rnd
+-[RootPath]\Certificates\[SiteName]\newcerts
Create two files in the [RootPath]\Certificates\[SiteName] folder: index.txt and serial (without extension).
Edit the file serial with any text editor, enter 1000 (just the number, without quotation marks), save and close the file.
Create batch files
In the [RootPath]\Certificates
directory create the following files:
REM Filename: envvars.bat
REM Set some environment variables
SET SITE2SIGN=%1
SET ROOTCA=.\RootCA
SET ROOTCA_COMPANY_NAME=[CompanyName]-RootCA
SET FQDN=%1
SET RANDFILE=.\%SITE2SIGN%\.rnd
SET OPENSSL_CONF=.\%SITE2SIGN%.cnf
SET OpenSSL_HOME=C:\Program Files\OpenSSL-WIN64

REM Filename: RootCA.bat
REM Without an argument only the certificate is (re-)created from the existing key
if [%1]==[] GOTO CERT_ONLY
REM Create the private key for the Root CA (the request that req writes to stdout is not needed here)
openssl req -newkey rsa:2048 -sha256 -keyout %ROOTCA%\%ROOTCA_COMPANY_NAME%.key
REM Create the certificate for the Root CA
:CERT_ONLY
openssl req -new -x509 -days 3650 -key %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -out %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt

REM Filename: ClientCert.bat
REM Create a key for the client (the request that req writes to stdout is not needed here)
openssl req -newkey rsa:2048 -sha256 -keyout .\%SITE2SIGN%\%FQDN%.key
REM Create the certificate signing request
openssl req -new -key .\%SITE2SIGN%\%FQDN%.key -out .\%SITE2SIGN%\%FQDN%.csr
REM Sign the certificate with the Root CA; copy_extensions = copy carries the subjectAltName from the request into the certificate
openssl ca -days 365 -in .\%SITE2SIGN%\%FQDN%.csr -out .\%SITE2SIGN%\%FQDN%.crt -keyfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -cert %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -policy policy_anything
REM Export certificate, key and Root CA certificate as a PKCS#12 bundle for import on the webserver
openssl pkcs12 -export -in .\%SITE2SIGN%\%FQDN%.crt -inkey .\%SITE2SIGN%\%FQDN%.key -certfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -out .\%SITE2SIGN%\%FQDN%.p12
Configure OpenSSL
Copy the file C:\Program Files\Common Files\SSL\openssl.cnf to the [RootPath]\Certificates directory and rename the copy to [SiteName].cnf.
Open the copied file with a text editor and make the following changes:
- Search for [ CA_default ]. Change the line
  dir = ./demoCA
  to
  dir = ./[SiteName]
- A few lines below, uncomment (remove the #) the line:
  copy_extensions = copy
- Search for [ req ]. Enter a new line between the lines starting with distinguished_name and attributes:
  emailAddress = [EmailAddress]
- A few lines below, uncomment the line - leave the inline comment (the second #) in place:
  req_extensions = v3_req # The extensions to add to a certificate request
- Search for [ req_distinguished_name ]. Change the default country name ("AU") if necessary:
  countryName_default = [CountryName]
- Change the line
  stateOrProvinceName_default = Some-State
  to your state:
  stateOrProvinceName_default = [State]
- Add a line after the line
  localityName = Locality Name (eg, city)
  with a localityName_default setting whose value is the name of your city:
  localityName_default = [City]
- Change the line
  0.organizationName_default = Internet Widgits Pty Ltd
  to
  0.organizationName_default = [CompanyName]
  (change [CompanyName] to your company name)
- (optional) Uncomment the line
  organizationalUnitName_default =
  and add a unit name:
  organizationalUnitName_default = [UnitName]
- Add a line after the line
  commonName = Common Name (e.g. server FQDN or YOUR name)
  with a commonName_default setting containing the FQDN of your intranet webserver:
  commonName_default = [SiteName]
- Add a line after the line
  emailAddress = Email Address
  with an emailAddress_default setting containing your email address:
  emailAddress_default = [EmailAddress]
- Search for [ v3_req ]. Add two lines after the line
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  with extendedKeyUsage and subjectAltName settings:
  extendedKeyUsage = serverAuth
  subjectAltName = DNS:[SiteName]
- Search for [ v3_ca ]. Uncomment the two lines
  subjectAltName=email:copy
  issuerAltName=issuer:copy
- Search for [ tsa_config1 ]. Change the line
  dir = ./demoCA
  to
  dir = ./[SiteName]
Save the file and close the editor.
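As an added example (not part of this guide), a small Python check that parses the edited [SiteName].cnf and confirms the settings above are in place before RootCA.bat and ClientCert.bat are run; the site name dnnwerk.internal and the two sample snippets are constructed. The subjectAltName check is the one that matters most, because browsers validate the host name against the SAN, not the common name.

```python
import re

def parse_openssl_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; commented-out lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def check_ca_config(text, site):
    """Return the settings from the guide that are missing or wrong for `site` (empty list = OK)."""
    cfg = parse_openssl_cnf(text)
    expected = {
        ("CA_default", "dir"): "./" + site,            # index.txt and serial live here
        ("CA_default", "copy_extensions"): "copy",     # copies v3_req from the CSR into the cert
        ("req", "req_extensions"): "v3_req",
        ("req_distinguished_name", "commonName_default"): site,
        ("v3_req", "extendedKeyUsage"): "serverAuth",
        ("v3_req", "subjectAltName"): "DNS:" + site,   # browsers match the host against SAN, not CN
    }
    problems = []
    for (section, key), want in expected.items():
        got = cfg.get(section, {}).get(key)
        if got != want:
            problems.append(f"[{section}] {key}: found {got!r}, expected {want!r}")
    return problems

# Constructed sample of the relevant sections after the edits in this guide.
EDITED = """[ CA_default ]
dir = ./dnnwerk.internal
copy_extensions = copy
[ req ]
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
commonName_default = dnnwerk.internal
[ v3_req ]
extendedKeyUsage = serverAuth
subjectAltName = DNS:dnnwerk.internal
"""
# Constructed sample of the stock file, where both lines are still commented out.
STOCK = "[ CA_default ]\ndir = ./demoCA\n# copy_extensions = copy\n[ req ]\n# req_extensions = v3_req\n"
```

To check a real file, pass its contents and your [SiteName] to check_ca_config; an empty list means every required edit was found.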
Create Root Certificate
Open the Win64 OpenSSL Command Prompt and execute these commands:
cd [RootPath]\Certificates
envvars.bat [SiteName]
RootCA.bat new
You will find two files:
- [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.key
- [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.crt
Copy the .key file to a really, really safe place! This certificate is valid for 10 years, but when you renew it you need the private key file, so don't lose it!
To renew the certificate in 10 years, make sure that the .key file is in the RootCA directory, then execute
RootCA.bat
Create the Client Certificate
Execute
ClientCert.bat
In the [RootPath]\Certificates\[SiteName] directory (the CA directory that holds index.txt) you will find a file called index.txt.attr. Open it with any text editor and change the line
unique_subject = yes
to
unique_subject = no
This allows you to re-generate the client certificate in case anything went wrong.
Webserver
- If you have not done all of the above on your webserver, copy two files anywhere to it:
  - [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.crt
  - [RootPath]\Certificates\[SiteName]\[SiteName].p12
- Start MMC, go to File :: Add/Remove Snap-in…, add Certificates, and select Local computer.
- Right click Trusted Root Certification Authorities and go to All tasks :: Import…, select the .crt file and place it in Trusted Root Certification Authorities.
- Right click Web Hosting and go to All tasks :: Import…. When browsing, select Personal Information Exchange (*.pfx, *.p12) as the file type and select the .p12 file. Select "Web Hosting" as the certificate store.
- Open IIS Management Console and add a binding to your website that uses the imported certificate.
Distribute Certificate
Import the Root CA certificate on all clients that will browse to the site, as described above. In a domain this can be done using group policies, see Distribute Certificates to Client Computers by Using Group Policy for details.