Raw: Using OpenSSL to create a certificate authority and update IIS 7.5

A raw dump of notes on how to create a certificate authority with OpenSSL, sign a certificate request from IIS 7.5, and install the result.

Step 1: Basic folder and file structure creation

Directories: certs, keys, requests

Files: database.txt (empty), serial.txt (01, then a new line), openssl.cnf (based on the openssl.cnf that ships with OpenSSL)

Step 2: Create key

"c:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe" genrsa -des3 -out keys/_ca.key 2048

Step 3: Create certificate authority certificate

"c:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe" req -config openssl.cnf -new -x509 -days 365 -key keys/_ca.key -out certs/_ca.cer

Step 4: Create DER for public consumption

"c:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe" x509 -in certs\_ca.cer -outform DER -out certs\_ca.der

Step 5: Create request from IIS

IIS > click on the main server > Server Certificates > populate all fields for the request.

Save the request to the local requests directory.

Step 6: Handle request

"c:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe" ca -policy policy_anything -config openssl.cnf -cert certs\_ca.cer -in requests\jamesrskemp_req.txt -keyfile keys\_ca.key -days 365 -out certs\jamesrskemp.cer -outdir certs

Step 7: Convert for IIS

"c:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe" x509 -in certs\jamesrskemp.cer -out certs\jamesrskemp_iis.cer

Step 8: Add to IIS

Back in IIS, complete the request. If it is a wildcard certificate, use *.x.com as the friendly name.

Install the _ca.der certificate into Trusted Root Certification Authorities (do this on clients as well - see this official FAQ).

Associate the actual site with the certificate.
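
Steps 3 and 6 depend on an openssl.cnf that is not shown above. A minimal version matching the Step 1 layout follows as an added example; it is not the author's file. Only the file and directory names and policy_anything come from the steps; the other section names, the sha256 digest and the extension sections are assumptions.

```ini
# Added example: minimal openssl.cnf for the Step 1 layout (not the author's file).
# Run the openssl commands from the directory that holds this file.

[ ca ]
default_ca      = CA_default          # section name is an assumption

[ CA_default ]
dir             = .
database        = $dir/database.txt   # empty file from Step 1
serial          = $dir/serial.txt     # contains 01 from Step 1
new_certs_dir   = $dir/certs          # same directory as -outdir certs in Step 6
certificate     = $dir/certs/_ca.cer
private_key     = $dir/keys/_ca.key
default_days    = 365
default_md      = sha256              # assumption: set explicitly, not left to the shipped default
policy          = policy_anything
x509_extensions = server_cert         # extensions added to certificates signed in Step 6

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_dn
x509_extensions    = v3_ca            # applied by req -new -x509 in Step 3

[ req_dn ]
commonName         = Common Name (name of the CA)
commonName_max     = 64

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
```

With server_cert in place, a certificate issued in Step 6 is marked CA:FALSE and limited to server authentication, so it cannot itself be used to sign further certificates.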