@JamesMenetrey
Last active June 12, 2020 14:39
Generate a valid SSL certificate with public/private key for wildcard domains (compatible with IIS) - 2017

Create the configuration file

Open a text editor and paste the following configuration. Save it and name it config.txt.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = VD
L = Lausanne
O = Company
OU = Department
CN = *.domain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain.com

where

  • CN = commonName (for example, “CN=My Root CA”)
  • OU = organizationalUnitName (for example, “OU=Dev”)
  • O = organizationName (for example, “O=Jayway”)
  • L = localityName (for example, “L=San Francisco”)
  • ST = stateOrProvinceName (for example, “ST=CA”; the OpenSSL config key is ST, whereas Windows tools often abbreviate it as S)
  • C = countryName (for example, “C=US”)

Create x509 request with OpenSSL (.pem)

As a reminder:

  • .pem: Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs and the CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. The name comes from Privacy-Enhanced Mail, a failed method for secure email; the container format it used lives on and is a Base64 translation of the X.509 ASN.1 structures.
  • .cert, .cer, .crt: A .pem-formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.

More information about the Certificate signing request.

In the case of the following command, the certificate and its private key are both written to the same .pem file (cert.pem), because -keyout and -out point at the same path. Note that -nodes leaves the private key unencrypted in that file, so keep it out of version control and restrict its permissions.

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config config.txt

Create a PFX containing the keypair (.pfx)

As a reminder:

  • .pkcs12, .pfx, .p12: Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a password-protected container format that holds both the certificate and its private key. Unlike .pem files, this container is fully encrypted. OpenSSL can turn this into a .pem file with both public and private keys.

openssl pkcs12 -export -out cert.pfx -in cert.pem -name "*.domain.com" -passout pass:mypassword
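As an added example (not part of the gist), the following POSIX shell script runs the two openssl steps above against the page's config.txt and then checks what came out before it is imported anywhere: that the wildcard SAN matches exactly one label, that the private key in cert.pem belongs to the certificate, and that the PFX can be read back. The scratch directory, the check functions and the use of `-checkhost` are assumptions of this example; the certificate values and password are the placeholders from the page.

```shell
# Added example (not the gist's code): run the page's two openssl steps, then check the result.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory (constructed for this example)

# config.txt exactly as given on the page (placeholder domain *.domain.com).
write_config() {
  cat > "$WORKDIR/config.txt" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = VD
L = Lausanne
O = Company
OU = Department
CN = *.domain.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain.com
EOF
}
# Step 1 from the page: self-signed cert plus unencrypted key (-nodes) appended into one PEM file.
make_cert() {
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 -config "$WORKDIR/config.txt" \
    -keyout "$WORKDIR/cert.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}
# Succeeds only if the cert matches the given hostname; a wildcard covers exactly one DNS label.
cert_matches_host() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -checkhost "$1" | grep -q 'does match'
}
# Succeeds only if the private key stored in cert.pem corresponds to the certificate's public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORKDIR/cert.pem" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}
# Step 2 from the page: bundle into a PFX, then read the certificate back and print its subject.
pfx_roundtrip_subject() {
  openssl pkcs12 -export -in "$WORKDIR/cert.pem" -out "$WORKDIR/cert.pfx" \
    -name "*.domain.com" -passout pass:mypassword
  openssl pkcs12 -in "$WORKDIR/cert.pfx" -passin pass:mypassword -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

write_config && make_cert
```

Run `cert_matches_host www.domain.com`, `key_matches_cert` and `pfx_roundtrip_subject` after sourcing the script; a non-zero exit from the first two means the PEM should not be trusted or bundled.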

Configure your local store to trust the certificate - optional step

If the purpose of this certificate is to be recognized by your browser, you need to configure your local store to trust the self-signed certificate. In Windows, open an MMC console and add the Certificates snap-in (don't forget to choose Computer account when adding the snap-in). Add the certificate to Trusted Root Certification Authorities.
