Sunday, July 3, 2011

Complete guide to setting up a CA using OpenSSL, generating a CSR from IIS 7.0, creating an SSL certificate and installing certificates into IIS 7.0.

Before we start, please note that these certificates should only be used in a development environment for testing. If you need a certificate for a production environment that handles critical transactions, e.g. financial transactions, I suggest you get the SSL certificates from a trusted Certificate Authority, e.g. Verisign or Thawte, to avoid security problems.

Step I : Setup CA using OpenSSL:-

First of all we need to set up the Certificate Authority (CA) that will issue certificates. It is very easy to set up a CA using OpenSSL. Just follow the steps mentioned below.

1. First download OpenSSL and install it.

2. Set up the directory structure and files required by OpenSSL.

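3. Create a directory D:\OpenSSL\workspace and place the openssl.conf file in the workspace. Then create the sub-directories and the two files OpenSSL uses for bookkeeping: an empty database.txt and a serial.txt containing 01 (^Z means press Ctrl+Z and then Enter to end the input).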

D:\OpenSSL\workspace>mkdir CSR
D:\OpenSSL\workspace>mkdir Certificates
D:\OpenSSL\workspace>mkdir Keys
D:\OpenSSL\workspace>copy con database.txt
^Z
D:\OpenSSL\workspace>copy con serial.txt
01
^Z

4. Generate a key for your Root CA. Execute the OpenSSL command below in the workspace, where you have the openssl configuration file.

openssl genrsa -des3 -out Keys/RootCA.key 2048

5. This will ask for a passphrase for the key. Provide the passphrase and remember it; it will be used later.

6. The next step is to create a self-signed certificate for our CA. This certificate will be used to sign and issue other certificates.

openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt

7. You will be asked to provide the following information:-

Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) []:Sample Inc
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your websites domain name) []
Email Address []

8. Fill in this information and press Enter. Now you can see your CA’s certificate in the Certificates folder.

Now your CA is ready to sign certificates.

Next we will see how to generate a CSR in the IIS 7.0 Web Server and use it to create an SSL certificate, which we will install in IIS 7.0 and use to enable SSL.

Step II : How to generate CSR from IIS 7.0 :-

1. Go to Start->Run, type inetmgr and press Enter. This opens IIS Manager. Double-click on “Server Certificates” to open the Server Certificates panel.

2. Click on “Create Certificate Request…” in the Actions panel on the right-hand side.

3. Now you see the “Request Certificate” dialog. Fill in the information as shown in the picture below and click Next.

4. Now select the Cryptographic service provider and bit length and click Next.

5. Now save the CSR file in D:\OpenSSL\workspace\CSR (the command in Step III expects it to be named CSR.txt) and click Finish.

Now you have your CSR file. It is a readable text file, so you can open it and look at it if you want. It looks like this.


Step III : Create SSL certificate using our CA and generated CSR:-

Execute the OpenSSL command below. It will create an SSL certificate named SampleCert.crt.

D:\OpenSSL\workspace>openssl ca -policy policy_anything -config openssl.conf -cert Certificates/RootCA.crt -in CSR/CSR.txt -keyfile Keys/RootCA.key -days 360 -out Certificates/SampleCert.crt
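The CA-side commands from Steps I and III, replayed end to end in a throwaway directory and finished with a chain check, as an added example that is not part of the original post. It is written for a POSIX shell rather than the Windows prompt; the openssl.conf contents, the -passout/-passin/-subj/-batch flags that replace the interactive prompts, and the locally generated CSR standing in for the IIS one are assumptions.

```shell
# Added example on constructed data; names and openssl.conf are assumptions.
build_test_ca() {
  ws=$(mktemp -d) || return 1
  rc=0
  (
    cd "$ws" || exit 1
    mkdir CSR Certificates Keys
    : > database.txt        # empty index of issued certificates
    echo 01 > serial.txt    # next serial number, hex
    cat > openssl.conf <<'EOF'
[ ca ]
default_ca = dev_ca
[ dev_ca ]
database      = database.txt
serial        = serial.txt
new_certs_dir = Certificates
default_md    = sha256
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    pw=pass:dev-only-passphrase   # the post types this interactively
    openssl genrsa -des3 -passout "$pw" -out Keys/RootCA.key 2048 &&
    openssl req -config openssl.conf -new -x509 -days 360 -passin "$pw" \
      -subj "/C=IN/O=Sample Inc/CN=Dev Root CA" \
      -key Keys/RootCA.key -out Certificates/RootCA.crt &&
    # Stand-in for the CSR that IIS Manager saves in Step II.
    openssl req -config openssl.conf -new -newkey rsa:2048 -nodes \
      -subj "/CN=test.local" -keyout Keys/site.key -out CSR/CSR.txt &&
    openssl ca -batch -policy policy_anything -config openssl.conf \
      -cert Certificates/RootCA.crt -in CSR/CSR.txt -passin "$pw" \
      -keyfile Keys/RootCA.key -days 360 -out Certificates/SampleCert.crt &&
    openssl verify -CAfile Certificates/RootCA.crt Certificates/SampleCert.crt
  ) || rc=$?
  rm -rf "$ws"; return $rc
}
build_test_ca && echo "issued certificate chains to the test root"
```

The final `openssl verify` line is the check to repeat against the real workspace before handing SampleCert.crt to IIS: it should print `Certificates/SampleCert.crt: OK`.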

Now we have created the SSL certificate for the IIS 7.0 Web Server. Next we will see how to install it in IIS 7.0 and how to enable SSL.

Step IV : Installing SSL certificates in IIS 7.0:-

1. Go back to IIS Manager and open Server Certificates. In the Actions panel click on “Complete Certificate Request…”.

2. Now provide the certificate which we just created, type in a friendly name for your certificate and click OK.

3. Now you can see your certificate listed in the Server Certificates.

Step V : How to enable SSL on IIS7.0:-

1. Go to IIS Manager again and, in the Connections panel, navigate to your website, e.g. Default Web Site in this case. Click on Bindings in the Actions panel on the right-hand side.

2. You will see the Site Bindings box as below.

3. Click on the Add… button, select https, then select your certificate from the SSL certificates drop-down box and click OK.

Now you can access your site with SSL enabled e.g. https://localhost/.

I hope this is useful. Please provide your comments and suggestions to improve my posts.


  1. Great guide mate, this has to be the easiest way to get an SSL certificate on a website. We are using this method for our internal mail system at work; it worked first time and we have never had any issue with it. I always use OpenSSL now.

    1. Thanks for your comment. Good to know it helped you.

  2. I followed the steps as described above, but I get ERROR (Exception from HRESULT:0x800B0109). Any advice?

  3. After installing the certificate I am getting "Your connection is not private" in Google Chrome.

  4. In Step 3 "D:\OpenSSL\workspace and place the openssl.conf file in the workplace.", after placing the openssl.conf file in the workspace folder, don't we need to change the path for that...
    because when we install OpenSSL, default path for the configuration file
    Also the file extension is .cfg and not .conf
    Please let me know how to set the path