DNN Blogs


Create a Trusted Certificate for Internal Webservers

Written By Michael Tobisch
2024-11-25

Note: These instructions are not meant for public webservers! Use them only for intranet sites that are not reachable from the Internet. Keep in mind that every client which trusts your Root CA will accept any certificate that CA signs, for any hostname, so the Root CA private key has to be guarded at least as carefully as the servers it certifies.

Prerequisites

Some explanations

In this document I use placeholders that you have to replace with your own values. These are:

  • [City] - the name of your city, e.g. Innsbruck
  • [CompanyName] - the name of your company, e.g. dnnWerk.at
  • [CountryName] - the two letter ISO code for your country, e.g. AT for Austria.
  • [EmailAddress] - change this to your email address, e.g. [email protected]
  • [RootPath] - this is somewhere on your hard disk, e.g. C:\ or D:\Workspace
  • [SiteName] - the FQDN of the site you want to create the certificate for, e.g. dnnwerk.internal or www.dnnwerk.internal; it is used both as the folder name and as the host name in the certificate
  • [State] - your state or province, e.g. South Carolina, Tyrol etc.
  • [UnitName] - the name of your organizational unit, e.g. IT Department

Steps

Install OpenSSL

During installation, choose to copy the OpenSSL DLLs to the OpenSSL binaries (/bin) directory.

Create some directories and files

[RootPath]\Certificates
+-[RootPath]\Certificates\RootCA
+-[RootPath]\Certificates\[SiteName]
  +-[RootPath]\Certificates\[SiteName]\.rnd        (a file; OpenSSL uses it as RANDFILE)
  +-[RootPath]\Certificates\[SiteName]\newcerts    (a directory; openssl ca stores a copy of every issued certificate here)

Create two more files in the [RootPath]\Certificates\[SiteName] folder: index.txt (empty; it becomes the CA's database of issued certificates) and serial (without extension).

Edit the file serial with any text editor, enter 1000 (just the four digits, no quotation marks), save and close the file. This is the serial number the CA will give to the first certificate it issues.

Edit serial file

Create batch files

In the [RootPath]\Certificates directory create the following files:

REM Filename: envvars.bat
REM Set some environment variables. Call as: envvars.bat [SiteName]
REM The other batch files rely on these variables, so run this first and run
REM everything in the same command prompt.
SET SITE2SIGN=%1
SET ROOTCA=.\RootCA
SET ROOTCA_COMPANY_NAME=[CompanyName]-RootCA
SET FQDN=%1
SET RANDFILE=.\%SITE2SIGN%\.rnd
SET OPENSSL_CONF=.\%SITE2SIGN%.cnf
SET OpenSSL_HOME=C:\Program Files\OpenSSL-WIN64


REM Filename: RootCA.bat
REM Call as "RootCA.bat new" to create key and certificate, or without an
REM argument to issue a new certificate for an existing key (renewal).
if [%1]==[] GOTO CERT_ONLY
REM Create the private key for the Root CA. Without -nodes the key is encrypted
REM with a passphrase you are prompted for; you need it every time the key is used.
REM (The certificate request this command also prints to the console is not needed.)
openssl req -newkey rsa:2048 -sha256 -keyout %ROOTCA%\%ROOTCA_COMPANY_NAME%.key
REM Create the self-signed certificate for the Root CA (valid 10 years, extensions from [ v3_ca ])
:CERT_ONLY
openssl req -new -x509 -days 3650 -key %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -out %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt


REM Filename: ClientCert.bat
REM Create a key for the site certificate (a passphrase is prompted for; the request printed to the console is not needed)
openssl req -newkey rsa:2048 -sha256 -keyout .\%SITE2SIGN%\%FQDN%.key
REM Create the certificate signing request; its extensions (subjectAltName, extendedKeyUsage) come from [ v3_req ]
openssl req -new -key .\%SITE2SIGN%\%FQDN%.key -out .\%SITE2SIGN%\%FQDN%.csr
REM Sign the request with the Root CA (valid 1 year); copy_extensions = copy carries the request's extensions into the certificate
openssl ca -days 365 -in .\%SITE2SIGN%\%FQDN%.csr -out .\%SITE2SIGN%\%FQDN%.crt -keyfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -cert %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -policy policy_anything
REM Export key, certificate and Root CA certificate as a PKCS#12 file for IIS (you are asked for an export password; IIS asks for it on import)
openssl pkcs12 -export -in .\%SITE2SIGN%\%FQDN%.crt -inkey .\%SITE2SIGN%\%FQDN%.key -certfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -out .\%SITE2SIGN%\%FQDN%.p12

Configure OpenSSL

Copy the file C:\Program Files\Common Files\SSL\openssl.cnf to the [RootPath]\Certificates directory. Rename the file to [SiteName].cnf.

Open the copied file with a text editor and make the following changes:

  1. Search for [ CA_default ]. Change the line
    dir = ./demoCA
    to
    dir = ./[SiteName]

  2. Uncomment (remove the #) the line (a few lines below):
    copy_extensions = copy
    This makes openssl ca copy the extensions (subjectAltName, extendedKeyUsage) from the request into the signed certificate. It is fine here because you create the requests yourself; never sign requests from others with this setting, because a request could ask for extensions such as basicConstraints = CA:TRUE and they would be copied too.

  3. Search for [ req ]. Enter a new line between the lines starting with distinguished_name and attributes:
    emailAddress = [EmailAddress]

  4. Uncomment the line (a few lines below) - leave the inline comment (second hashtag):
    req_extensions = v3_req # The extensions to add to a certificate request

  5. Search for [ req_distinguished_name ]. Change the default country name ("AU") if necessary:
    countryName_default = [CountryName]

  6. Change the line
    stateOrProvinceName_default = Some-State
    to your state
    stateOrProvinceName_default = [State]

  7. Add a line after the line
    localityName = Locality Name (eg, city)
    with a localityName_default setting with the value of the name of your city:
    localityName_default = [City]

  8. Change the line
    0.organizationName_default = Internet Widgits Pty Ltd
    to
    0.organizationName_default = [CompanyName]
    (Change [CompanyName] to your company name)

  9. (optional) Uncomment the line
    organizationalUnitName_default =
    and add a unit name:
    organizationalUnitName_default = [UnitName]

  10. Add a line after the line
    commonName = Common Name (e.g. server FQDN or YOUR name)
    with a commonName_default setting with the FQDN of your intranet webserver:
    commonName_default = [SiteName]

  11. Add a line after the line
    emailAddress = Email Address
    with an emailAddress_default setting with your email address
    emailAddress_default = [EmailAddress]

  12. Search for [ v3_req ]. Add two lines after the line
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    with extendedKeyUsage and subjectAltName settings:
    extendedKeyUsage = serverAuth
    subjectAltName = DNS:[SiteName]
    Browsers match the host name against the subjectAltName, not against the Common Name, so every name under which the site is reached has to be listed here, comma-separated (e.g. DNS:[SiteName],DNS:www.[SiteName]).

  13. Search for [ v3_ca ]. Uncomment the two lines
    subjectAltName=email:copy
    issuerAltName=issuer:copy

  14. Search for [ tsa_config1 ]. Change the line
    dir = ./demoCA
    to
    dir = ./[SiteName]

Save the file and close the editor.
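For reference, the sections of [SiteName].cnf as they should read after the 14 changes above, assembled here as an added example and not taken from the original post. Only the lines the steps touch (plus the unchanged lines around them that the batch files depend on) are shown; the rest of the copied openssl.cnf stays as it is. The stock value is noted beside each change, the placeholders are the ones defined under "Some explanations", and the keyUsage line in [ v3_ca ] is an optional hardening that is not one of the steps.

```ini
# [SiteName].cnf - only the sections changed by steps 1-14; everything else in
# the copied openssl.cnf is unchanged. Stock values are noted in the comments.

[ CA_default ]
dir             = ./[SiteName]          # step 1, was: ./demoCA
database        = $dir/index.txt        # unchanged: the empty index.txt you created
serial          = $dir/serial           # unchanged: the file containing 1000
new_certs_dir   = $dir/newcerts         # unchanged: the newcerts directory you created
x509_extensions = usr_cert              # unchanged: adds CA:FALSE etc. to signed certificates
copy_extensions = copy                  # step 2, was commented out; copies SAN/EKU from the request
policy          = policy_match          # unchanged; ClientCert.bat overrides it with -policy policy_anything

[ req ]
distinguished_name = req_distinguished_name
emailAddress    = [EmailAddress]        # step 3 (added line)
attributes      = req_attributes
x509_extensions = v3_ca                 # unchanged: used by RootCA.bat (req -x509)
req_extensions  = v3_req                # step 4, was commented out; used by ClientCert.bat (req -new)

[ req_distinguished_name ]
countryName_default            = [CountryName]  # step 5, was: AU
stateOrProvinceName_default    = [State]        # step 6, was: Some-State
localityName_default           = [City]         # step 7 (added line)
0.organizationName_default     = [CompanyName]  # step 8, was: Internet Widgits Pty Ltd
organizationalUnitName_default = [UnitName]     # step 9 (optional), was commented out
commonName_default             = [SiteName]     # step 10 (added line)
emailAddress_default           = [EmailAddress] # step 11 (added line)

[ v3_req ]
basicConstraints = CA:FALSE             # unchanged: the site certificate is not a CA
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth           # step 12 (added): shows up as "TLS Web Server Authentication"
subjectAltName   = DNS:[SiteName]       # step 12 (added): list every host name, e.g. DNS:[SiteName],DNS:www.[SiteName]

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true
keyUsage               = cRLSign, keyCertSign   # optional hardening, not one of the steps: restricts the root key to signing certificates and CRLs
subjectAltName         = email:copy     # step 13, was commented out
issuerAltName          = issuer:copy    # step 13, was commented out

[ tsa_config1 ]
dir = ./[SiteName]                      # step 14, was: ./demoCA (time-stamping only; not used by the batch files)
```

openssl ca reads [ ca ] / [ CA_default ] and, through it, index.txt, serial and newcerts in ./[SiteName]; openssl req reads [ req ], and which extension section it uses depends on whether it is called with -x509 (v3_ca, the Root CA) or not (v3_req, the site request).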

Create Root Certificate

Open the Win64 OpenSSL Command Prompt and execute these commands:

cd [RootPath]\Certificates
envvars.bat [SiteName]
RootCA.bat new

You will find two files:

  • [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.key
  • [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.crt

Copy the .key file to a really, really safe place, together with its passphrase! The certificate is valid for 10 years, but to renew it you need the private key, so don't lose it. The .key file never has to leave the machine on which you sign certificates; only the .crt file is handed to webservers and clients.

To renew the certificate in 10 years, make sure the .key file is in the RootCA directory, run envvars.bat [SiteName] as above, then execute

RootCA.bat

Create the Client Certificate

Execute, in the same command prompt in which you ran envvars.bat:

ClientCert.bat

You are prompted several times: for a passphrase for the new site key, for the Root CA key's passphrase when signing, and for an export password for the .p12 file (IIS asks for that one on import).

In the [RootPath]\Certificates\[SiteName] directory (the CA database directory you set as dir in the configuration) you will find a file called index.txt.attr, which openssl ca created during the first signing. Open it with any text editor and change the line

unique_subject = yes
to
unique_subject = no

Change index.txt.attr

This allows you to re-generate the client certificate in case anything went wrong: with unique_subject = yes, openssl ca refuses to issue a second certificate for a subject that is already listed in index.txt.
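Before anything is copied to the webserver, it is worth checking what the batch files actually produced. The following Verify.bat is an added example and not part of the original post. It assumes the variables from envvars.bat (run it first, in the same command prompt), the placeholders defined above, and the -ext option of openssl x509, which exists in OpenSSL 1.1.1 and later. It confirms that the site certificate chains to the Root CA, that the Root CA is marked CA:TRUE and the site certificate CA:FALSE, that the subjectAltName and extendedKeyUsage from [ v3_req ] really were copied into the signed certificate, that the private key belongs to the certificate, that the .p12 file can be read, and that the Root CA .crt you are about to hand out contains no private key.

```batch
REM Filename: Verify.bat
REM Added example (not from the original post): checks the files created by
REM RootCA.bat and ClientCert.bat. Run envvars.bat [SiteName] first, in the
REM same command prompt. Needs openssl x509 -ext (OpenSSL 1.1.1 or later).
@ECHO OFF
SET CACRT=%ROOTCA%\%ROOTCA_COMPANY_NAME%.crt
SET SITECRT=.\%SITE2SIGN%\%FQDN%.crt
SET SITEKEY=.\%SITE2SIGN%\%FQDN%.key
SET SITEP12=.\%SITE2SIGN%\%FQDN%.p12

REM 0. The Root CA file you hand out must be the certificate only, never the key.
findstr /C:"PRIVATE KEY" "%CACRT%" >NUL
IF NOT ERRORLEVEL 1 GOTO FAIL

REM 1. The site certificate must chain to the Root CA certificate.
openssl verify -CAfile "%CACRT%" "%SITECRT%"
IF ERRORLEVEL 1 GOTO FAIL

REM 2. The Root CA must be a CA (CA:TRUE) and the site certificate must not be one.
openssl x509 -in "%CACRT%" -noout -ext basicConstraints | findstr /C:"CA:TRUE" >NUL
IF ERRORLEVEL 1 GOTO FAIL
openssl x509 -in "%SITECRT%" -noout -ext basicConstraints | findstr /C:"CA:FALSE" >NUL
IF ERRORLEVEL 1 GOTO FAIL

REM 3. SAN and EKU from [ v3_req ] must be in the signed certificate. This is what
REM    req_extensions = v3_req and copy_extensions = copy are for; browsers match
REM    the host name against the SAN and ignore the Common Name.
openssl x509 -in "%SITECRT%" -noout -ext subjectAltName | findstr /C:"DNS:%FQDN%" >NUL
IF ERRORLEVEL 1 GOTO FAIL
openssl x509 -in "%SITECRT%" -noout -ext extendedKeyUsage | findstr /C:"TLS Web Server Authentication" >NUL
IF ERRORLEVEL 1 GOTO FAIL

REM 4. The private key must belong to the certificate: compare the SHA-256 of the
REM    public key taken from the certificate with the one derived from the key
REM    (you are prompted for the key's passphrase).
FOR /F "delims=" %%A IN ('openssl x509 -in "%SITECRT%" -noout -pubkey ^| openssl sha256') DO SET CERTPUB=%%A
FOR /F "delims=" %%A IN ('openssl pkey -in "%SITEKEY%" -pubout ^| openssl sha256') DO SET KEYPUB=%%A
IF NOT "%CERTPUB%"=="%KEYPUB%" GOTO FAIL

REM 5. The PKCS#12 file must be readable with its export password and list the
REM    site certificate, the Root CA certificate and the key.
openssl pkcs12 -in "%SITEP12%" -info -noout
IF ERRORLEVEL 1 GOTO FAIL

REM 6. Show subject, issuer and validity so the expiry date is not a surprise.
openssl x509 -in "%SITECRT%" -noout -subject -issuer -dates
ECHO All checks passed.
GOTO :EOF

:FAIL
ECHO Verification FAILED - do not import these files.
EXIT /B 1
```

If check 3 fails, the usual causes are step 4 (req_extensions = v3_req still commented out, so the request carried no extensions) or step 2 (copy_extensions = copy still commented out, so openssl ca dropped them); re-run ClientCert.bat after fixing the configuration, which is what the unique_subject = no change above makes possible.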

Webserver

  1. If you have not done all of the above on your webserver, copy two files anywhere to it:

    • [RootPath]\Certificates\RootCA\[CompanyName]-RootCA.crt
    • [RootPath]\Certificates\[SiteName]\[SiteName].p12
    Copy only the Root CA certificate (.crt), never the Root CA key (.key): the webserver does not need it, and a key that can sign a certificate for any name does not belong on a webserver.
  2. Start MMC, go to File :: Add/Remove Snap-in…, add Certificates, and select Computer account / Local computer.

  3. Right click Trusted Root Certification Authorities and go to All tasks :: Import…, select the .crt file and place it in Trusted Root Certification Authorities.
    Import RootCA

  4. Right click Web Hosting and go to All tasks :: Import…. When browsing, select Personal Information Exchange (*.pfx, *.p12) as the file type and select the .p12 file; enter the export password you chose in ClientCert.bat. Select "Web Hosting" as the certificate store. If the import is refused on an older Windows version, the PKCS#12 encryption defaults of OpenSSL 3 are the usual cause; re-run the last command of ClientCert.bat with the additional option -legacy.
    Import Client Certificate

  5. Open IIS Management Console and add an https binding to your website that uses the imported certificate:
    Bind certificate to website

Distribute Certificate

Import the Root CA certificate (the .crt file only) into the Trusted Root Certification Authorities store of all clients that will browse to the site, as described above. In a Domain this can be done using group policies, see Distribute Certificates to Client Computers by Using Group Policy for details.

Total: 1 Comment(s)
Nice write-up, thank you :-)
Wednesday, November 27, 2024 ·
