Sunday, July 3, 2011

Complete guide to set up a CA using OpenSSL, generate CSR from IIS7.0, create SSL certificate and Install certificates into IIS 7.0.

Before we start, please note that these certificates should only be used in a development environment for testing. If you need a certificate for a production environment that handles critical transactions, e.g. financial transactions, I suggest you get the SSL certificates from a trusted Certificate Authority, e.g. Verisign or Thawte, to avoid security problems.


Step I : Setup CA using OpenSSL:-


First of all we need to set up the Certificate Authority (CA) to issue certificate. It is very easy to setup CA using OpenSSL. Just follow the steps mentioned below.


1. First download OpenSSL and install it.


2. Set up the directory structure and files required by OpenSSL.


3. Create a directory D:\OpenSSL\workspace and place the openssl.conf file in the workspace.


D:\OpenSSL\workspace>
D:\OpenSSL\workspace>mkdir CSR
D:\OpenSSL\workspace>mkdir Certificates
D:\OpenSSL\workspace>mkdir Keys
D:\OpenSSL\workspace>copy con database.txt
^Z
D:\OpenSSL\workspace>copy con serial.txt
01
^Z


4. Generate a key for your Root CA. Execute the OpenSSL command below in the workspace directory, where the OpenSSL configuration file is.


openssl genrsa -des3 -out Keys/RootCA.key 2048


5. This will ask for a passphrase for the key. Provide a passphrase and remember it; it will be used later.


6. The next step is to create a self-signed certificate for our CA. This certificate will be used to sign and issue other certificates.


openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt


7. You will be asked to provide the following information:-

Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) []:Sample Inc
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your websites domain name) []:Sample.com
Email Address []:sample@sample.com


8. Fill in this information and hit enter. Now you can see your CA’s certificate in the Certificates folder.


Now your CA is ready to sign the certificates.

Now we will see how to generate a CSR in the IIS 7.0 web server, use it to create an SSL certificate, install that certificate in IIS 7.0, and enable SSL on IIS 7.0 using it.


Step II : How to generate CSR from IIS 7.0 :-


1. Go to Start -> Run, type inetmgr and hit Enter; this opens IIS Manager. Double-click “Server Certificates” to open the Server Certificates panel.

2. Click on “Create Certificate Request…” in the Actions panel on the right-hand side.



3. Now you see the “Request Certificate” dialog. Fill in the information as shown in the picture below and click Next.


4. Now select the Cryptographic service provider and bit length and click Next.



5. Now save the CSR file in D:\OpenSSL\workspace\CSR and click Finish.





Now you have your CSR file. It is a readable text file, so you can open it and look at it if you want. It is a block of base64 text between -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.



Step III : Create SSL certificate using our CA and generated CSR:-

Execute the OpenSSL command below. It will create an SSL certificate named SampleCert.crt.

D:\OpenSSL\workspace>openssl ca -policy policy_anything -config openssl.conf -cert Certificates/RootCA.crt -in CSR/CSR.txt -keyfile Keys/RootCA.key -days 360 -out Certificates/SampleCert.crt

Now we have created the SSL certificates for IIS 7.0 Web Server. Now we will see how to install it on the IIS 7.0 and how to enable SSL on IIS 7.0.


Step IV : Installing SSL certificates in IIS 7.0:-

1. Go back to IIS Manager and open Server Certificates. In the Actions panel, click on “Complete Certificate Request…”.




2. Now provide the certificate which we just created, type in a friendly name for your certificate and click OK.



3. Now you can see your certificate listed in the Server Certificates.






Step V : How to enable SSL on IIS7.0:-


1. Go to IIS Manager again and, in the Connections panel, navigate to your website, e.g. Default Web Site in this case. Click on Bindings in the Actions panel on the right-hand side.







2. You will see the Site Bindings Box as below. 







3. Click on the Add… button, select https, then select your certificate from the SSL certificates drop-down box and click OK.






Now you can access your site with SSL enabled e.g. https://localhost/.

I hope this is useful. Please provide your comments and suggestions to improve my posts.

Friday, July 1, 2011

Creating server/client certificate pair using OpenSSL.

The server/client certificate pair can be used when an application needs to access a web service that is configured to authenticate the client application using client SSL certificates.

You can follow steps below to create server and client certificate using OpenSSL.

Before creating the server/client certificates, we need to set up a self-signed Certificate Authority (CA) which can be used to sign them. The first two steps set up the CA. To create the directory structure needed to set up the CA, please see here.

  1. Create a private key for the CA.
openssl genrsa -des3 -out Keys/RootCA.key 2048

  2. Create a self-signed certificate for the CA.
openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt

  3. Create a private key for the server.
openssl genrsa -des3 -out Keys/server.key 2048

  4. Create a CSR for the server.
openssl req -config openssl.conf -new -key Keys/server.key -out CSR/server.csr

  5. Create the server certificate.
openssl ca -config openssl.conf -days 360 -in CSR/server.csr -out Certificates/server.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  6. Create a private key for the client.
openssl genrsa -des3 -out Keys/client.key 2048

  7. Create a CSR for the client.
openssl req -config openssl.conf -new -key Keys/client.key -out CSR/client.csr

  8. Create the client certificate.
openssl ca -config openssl.conf -days 360 -in CSR/client.csr -out Certificates/client.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  9. Finally, export the client certificate to PKCS#12 format.
openssl pkcs12 -export -in Certificates/client.crt -inkey Keys/client.key -certfile Certificates/RootCA.crt -out Certificates/clientcert.p12
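
The two procedures above (setting up the CA, then issuing the server and client certificates), run end to end as an added example that is not part of the original posts, followed by a check that each issued certificate chains to RootCA.crt and matches its private key. It is written for a POSIX shell and works in a throwaway directory. Assumptions: the openssl.conf body (the page does not show one), the passphrase and the subject names are constructed; -aes256 stands in for the page's -des3; and -batch, -subj, -passin and -passout replace the interactive prompts.

```sh
# Added example (not from the original post): the CA workflow above, non-interactive.
# PASS, the subject names and the openssl.conf body are constructed assumptions.
PASS='pass:example-only'
write_conf() {  # minimal config matching the page's workspace layout
cat > openssl.conf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = database.txt
serial = serial.txt
new_certs_dir = Certificates
default_md = sha256
x509_extensions = leaf_ext
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
}
issue() {  # $1 = name: private key -> CSR -> certificate signed by the Root CA
  openssl genrsa -aes256 -passout "$PASS" -out "Keys/$1.key" 2048 &&
  openssl req -config openssl.conf -new -key "Keys/$1.key" -passin "$PASS" \
    -subj "/CN=$1.sample.test" -out "CSR/$1.csr" &&
  openssl ca -batch -config openssl.conf -policy policy_anything -days 360 \
    -in "CSR/$1.csr" -out "Certificates/$1.crt" -keyfile Keys/RootCA.key \
    -cert Certificates/RootCA.crt -passin "$PASS"
}
check() {  # $1 = name: does the cert chain to the Root CA and match its key?
  openssl verify -CAfile Certificates/RootCA.crt "Certificates/$1.crt" || return 1
  [ "$(openssl x509 -in "Certificates/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "Keys/$1.key" -passin "$PASS" -pubout)" ]
}
run_demo() (  # subshell body, so the caller's working directory is untouched
  cd "$(mktemp -d)" || exit 1
  mkdir CSR Certificates Keys; : > database.txt; echo 01 > serial.txt; write_conf
  { openssl genrsa -aes256 -passout "$PASS" -out Keys/RootCA.key 2048 &&
    openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key \
      -passin "$PASS" -subj "/CN=Sample Root CA" -out Certificates/RootCA.crt &&
    issue server && issue client && check server && check client
  } >/dev/null 2>&1 && echo chain-ok
)
run_demo
```

The ca_ext and leaf_ext sections mark only the root as a CA (basicConstraints CA:TRUE) and every issued certificate as CA:FALSE, so an issued server or client certificate cannot itself sign further certificates.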

Please provide your comments and suggestions to improve the post.

Thanks,
Manmohan.