In this knowledge base article we create a Certificate Signing Request (CSR) with OpenSSL and then sign it on our CA server. All the steps below are for Windows servers.

Step 1: Download Binaries
- Download the OpenSSL binaries.
- You can get them from the Link. That link also contains Apache software for Windows; you only need OpenSSL from the source I added to the link.
- Create your openssl.cnf file. A sample openssl.cnf file is included below for you to check. There is some configuration that you need to change:
- Change "dir" to the directory where you installed openssl.exe.
- Change "DNS.1" to your web site's domain name.
- Also check the other settings, such as key size (bits), password, key type, etc.
```ini
################################################################
# openssl example configuration file.
# This is mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca = CA_default          # The default ca section

#################################################################
[ CA_default ]
dir              = C:\Seritifika\Openssl\SHA2_Islemler  # Where everything is kept
certs            = $dir             # Where the issued certs are kept
crl_dir          = $dir/crl         # Where the issued crl are kept
database         = $dir/index.txt   # database index file
new_certs_dir    = $dir/new_certs   # default place for new certs
certificate      = $dir/CA/OrbixCA  # The CA certificate
serial           = $dir/serial      # The current serial number
crl              = $dir/crl.pem     # The current CRL
private_key      = $dir/CA/OrbixCA.pk  # The private key
RANDFILE         = $dir/.rand       # private random number file
default_days     = 365              # how long to certify for
default_crl_days = 30               # how long before next CRL
default_md       = md5              # which message digest to use
                                    # (only used for CA operations; the Step 2
                                    # script passes -sha256 on the command line)
preserve         = no               # keep passed DN ordering

# A few different ways of specifying how closely the request should
# conform to the details of the CA
policy           = policy_match

# For the CA policy
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 1024           # the Step 2 script overrides this with -newkey rsa:4096
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
attributes         = req_attributes
req_extensions     = v3_req

[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
organizationalUnitName  = Organizational Unit Name (eg, section)
commonName              = Common Name (eg. YOUR name)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 40

[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName      = An optional company name

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = support.casesup.com.tr
```
Step 2: Start Batch Script

You can use this batch script to create a CSR and a PEM file. Change the directory paths as you wish: as you can see, you need to change "OPENSSL_CONF" and the certificate path "C:\Seritifika\Openssl\SHA2_Islemler".

This script creates two files named Casesup.pem and Casesup.csr. Save both of them; you will use them on your web sites. The certificate expiry is set to 730 days and we use SHA-2 (the -sha256 option).

You will be prompted for your web service domain name, Country, State, Location, Organization Name, Common Name, etc.
```bat
rem Work from the OpenSSL directory and point OpenSSL at our openssl.cnf
cd C:\Seritifika\Openssl\SHA2_Islemler
set OPENSSL_CONF=C:\Seritifika\Openssl\SHA2_Islemler\openssl.cnf
rem Generate a fresh 4096-bit RSA key (Casesup.pem) and a SHA-256 signed CSR (Casesup.csr)
openssl.exe req -new -newkey rsa:4096 -nodes -keyout "C:\Seritifika\Openssl\SHA2_Islemler\created\Casesup.pem" -out "C:\Seritifika\Openssl\SHA2_Islemler\created\Casesup.csr" -days 730 -sha256
```
Step 3: Sign your request with Windows CA
Connect to the CA server with a web browser:
https://<yourserver>/certsrv
Step 4: Send Certificate Request
Step 5: Add CSR to request
You need to add your DNS names in the Attributes box. For example:
san:dns=casesup.com&dns=support.casesup.com
Step 6: Connect CA server and approve the request
After you submit the certificate request, approve it on the CA, then right-click the issued certificate under the Issued Certificates tab and export it to your desktop. Now you are ready to deploy the certificate to your web site. You have three files: the CSR, the PEM (private key) and the signed CRT.
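The following is an added example, not code from the original article or from OpenSSL, that covers Step 2 and Step 6 together: it builds a SAN-bearing CSR with a request-only config, signs it with a throwaway test CA standing in for the Windows CA, and verifies both the CSR and the issued certificate before deployment. It assumes openssl is on the PATH (Git Bash or WSL on Windows); all domain names, file names and the test-CA subject are constructed placeholders. Note that validity (-days) and the SAN are decided on the CA side when the certificate is signed, which is why Step 5 has to re-enter the DNS names in the certsrv attributes box.

```shell
#!/bin/sh
# Added example, not from the original article: build a SAN-bearing CSR with
# OpenSSL, sign it with a throwaway test CA standing in for the Windows CA, and
# verify both the CSR and the issued certificate before deployment.
# Assumes openssl on PATH. All names and paths are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr NAME DNS1 [DNS2 ...]: writes NAME.cnf, NAME.pem (private key), NAME.csr
make_csr() {
    name="$1"; shift
    cnf="$WORKDIR/$name.cnf"
    # Request-only config; the CA-side sections of the article's openssl.cnf
    # are not consulted by "openssl req".
    {
        echo "[ req ]"
        echo "default_bits = 4096"
        echo "default_md = sha256"
        echo "prompt = no"
        echo "distinguished_name = req_dn"
        echo "req_extensions = v3_req"
        echo "[ req_dn ]"
        echo "CN = $1"
        echo "[ v3_req ]"
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "subjectAltName = @alt_names"
        echo "[ alt_names ]"
        i=1
        for d in "$@"; do echo "DNS.$i = $d"; i=$((i + 1)); done
    } > "$cnf"
    openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$cnf" \
        -keyout "$WORKDIR/$name.pem" -out "$WORKDIR/$name.csr" 2>/dev/null
}

# sign_with_test_ca NAME DAYS: stand-in for the Windows CA (constructed test CA).
# Validity and the SAN come from the CA side (-days, -extfile), not from the CSR.
sign_with_test_ca() {
    name="$1"; days="$2"
    if [ ! -f "$WORKDIR/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Constructed Test CA" \
            -keyout "$WORKDIR/ca.pem" -out "$WORKDIR/ca.crt" 2>/dev/null
    fi
    openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.pem" -CAcreateserial -days "$days" -sha256 \
        -extfile "$WORKDIR/$name.cnf" -extensions v3_req \
        -out "$WORKDIR/$name.crt" 2>/dev/null
}

# _has_san TEXT DNS: exact match of one "DNS:" SAN entry in openssl -text output
_has_san() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# _pubkey_matches PEMFILE KEYFILE: the public key inside a CSR/cert must be the
# one belonging to the private key we keep for the server.
_pubkey_matches() {
    a=$(openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl pkey -in "$3" -pubout | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# check_request NAME DNS...: prints "ok" if NAME.csr is SHA-256 signed, carries a
# 4096-bit key matching NAME.pem and lists every DNS name; else the first failure.
check_request() {
    name="$1"; shift
    text=$(openssl req -in "$WORKDIR/$name.csr" -noout -text)
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || { echo "weak digest"; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (4096 bit)' || { echo "key too small"; return 1; }
    for d in "$@"; do _has_san "$text" "$d" || { echo "missing SAN $d"; return 1; }; done
    _pubkey_matches req "$WORKDIR/$name.csr" "$WORKDIR/$name.pem" || { echo "key mismatch"; return 1; }
    echo ok
}

# check_issued NAME DNS...: the same checks on the issued NAME.crt, plus the chain.
check_issued() {
    name="$1"; shift
    text=$(openssl x509 -in "$WORKDIR/$name.crt" -noout -text)
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || { echo "weak digest"; return 1; }
    for d in "$@"; do _has_san "$text" "$d" || { echo "missing SAN $d"; return 1; }; done
    _pubkey_matches x509 "$WORKDIR/$name.crt" "$WORKDIR/$name.pem" || { echo "key mismatch"; return 1; }
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$name.crt" >/dev/null 2>&1 || { echo "chain invalid"; return 1; }
    echo ok
}

# Usage: sh csr_check.sh example.com www.example.com
if [ "$#" -gt 0 ]; then
    make_csr request "$@"
    check_request request "$@"
    sign_with_test_ca request 730
    check_issued request "$@"
fi
```

Run check_issued against the CRT exported from the Windows CA (with the CA's own certificate in place of ca.crt) and the PEM from Step 2; a "missing SAN" result means the san:dns= attribute from Step 5 was not applied, and a "key mismatch" means the CRT was issued for a different request than the PEM you are about to deploy.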