Friday, February 18, 2005

Self-Signed IIS SSL Certificates

While looking around for how to use a self-signed IIS SSL certificate with OpenSSL, I came across the article below by Eric Longman on his site. Thanks for the useful contribution! Besides using a Linux system, Windows users can look at using Cygwin with OpenSSL installed, which does the same work!

=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=


Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed, and that you want to create a self-signed certificate for IIS 5.0.

  1. Set up your CA (you only have to do this once)
    ON THE LINUX BOX...
    • Create a private key
      openssl genrsa -des3 -out CA.key 1024
      (You'll need to supply a passphrase. DON'T FORGET THIS!!)

    • Set this to read-only for root for security
      chmod 400 CA.key
    • Create the CA certificate
      openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
      (Provide appropriate responses to the prompts...for Common Name, you might want to use something like "OurCompany CA")

    • Set the certificate to read-only for root for security
      chmod 400 CA.crt
  2. Obtain a CSR
    ON THE IIS BOX...
    • Open the Internet Manager
    • Select the site for which you want to create a key
    • Right-click and choose Properties
    • Select the "Directory Security" tab
    • Click the "Server Certificate" button
    • Follow the prompts to create a CSR
    • Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we'll refer to your CSR as "new.csr")

  3. Sign the CSR
    ON THE LINUX BOX...
    • Sign the CSR (all of this on one line)
      openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt
    • Transfer the new.crt file back to the IIS box

  4. Install self-signed certificate
    ON THE IIS BOX...
    • Open the Internet Manager
    • Select the site to install the key
    • Right-click and choose properties
    • Select the "Directory Security" tab
    • Click the "Server Certificate" button
    • Specify that you want to complete the pending request
    • Select the .crt file that you just transferred

Original content from Eric Longman - http://eal.us/blog/_archives/2003/6/2/25109.html
=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=
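
The Linux-side steps (1 and 3) can be rehearsed end to end before touching the IIS box. The script below is an added example, not part of Eric Longman's article: it runs the same openssl commands non-interactively in a scratch directory, then checks that new.crt chains to CA.crt and carries the same public key as new.csr, which IIS needs in order to complete the pending request. Assumptions: the subject names are constructed, the keys are unencrypted 2048-bit RSA rather than the article's passphrase-protected 1024-bit key, and the CSR is generated with openssl as a stand-in for the one IIS produces in step 2.

```shell
#!/bin/sh
# Added example: rehearse steps 1 and 3 in a throwaway directory and
# verify the result before new.crt is transferred back to the IIS box.
# All names below (OurCompany CA, www.example.test) are constructed.

sign_and_check() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1

        # Step 1: CA private key and CA certificate (valid 1095 days).
        # Assumption: no passphrase, because this key is discarded below.
        openssl genrsa -out CA.key 2048 2>/dev/null || exit 1
        chmod 400 CA.key
        openssl req -new -key CA.key -x509 -days 1095 \
            -subj "/CN=OurCompany CA" -out CA.crt || exit 1
        chmod 400 CA.crt

        # Stand-in for step 2: IIS would generate this key pair and CSR.
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key \
            -subj "/CN=www.example.test" -out new.csr || exit 1

        # Step 3: sign the CSR with the CA (valid 365 days).
        openssl x509 -req -days 365 -in new.csr -CA CA.crt \
            -CAkey CA.key -CAcreateserial -out new.crt 2>/dev/null || exit 1

        # Check 1: the issued certificate verifies against the CA certificate.
        openssl verify -CAfile CA.crt new.crt >/dev/null 2>&1 || exit 3

        # Check 2: the certificate's public key is the one from the CSR.
        csr_pub=$(openssl req -in new.csr -noout -pubkey) || exit 1
        crt_pub=$(openssl x509 -in new.crt -noout -pubkey) || exit 1
        [ "$csr_pub" = "$crt_pub" ] || exit 4

        # Report who issued the certificate and when it expires.
        openssl x509 -in new.crt -noout -issuer -enddate
    )
    rc=$?
    rm -rf "$dir"   # discard the rehearsal CA and keys
    return $rc
}
```

A return code of 3 means the chain check failed and 4 means the certificate does not match the CSR; the same two checks can be run by hand against the real CA.crt, new.csr and new.crt.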
