@ismyrnow ismyrnow/openssl.cnf
Last active Jul 24, 2019
Certificate creation in Windows

Creating a new key, with a self-signed root CA

This only needs to be done once, in a clean directory. Each app then gets its own key and certificate, signed by this CA.

1. Generate the root CA (private key and self-signed certificate).

The -des3 option encrypts the key with a passphrase, so a copy of rootCA.key alone is not enough to sign with. Anyone holding the usable root key can issue certificates that every machine trusting this root will accept, so keep it off the app servers entirely.

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem -config "/c/program files (x86)/git/ssl/openssl.cnf"

2. Add the CA certificate (rootCA.pem, not rootCA.key) to the machine's trust store. The private key stays on the signing machine only.

https://msdn.microsoft.com/en-us/library/ms733813%28v=vs.110%29.aspx Section: Installing a Certificate in the Trusted Root Certification Authorities Store

Create a new certificate

1. Create both a certificate signing request and a key.

Use an app-specific config file here, where "CN=localhost.ssl" and a matching subjectAltName are set (browsers match the hostname against subjectAltName, not CN). -sha224 works, but sha256 is the usual choice today. The original command also passed "-in openssl.cnf", which is the flag for an input CSR and does nothing useful when generating a new request; it is dropped here.

openssl req -nodes -newkey rsa:2048 -sha224 -config openssl.cnf -keyout server.key -out server.csr

2. Create a new certificate

-CAcreateserial writes a rootCA.srl file holding the next serial number. It is created the first time and reused (and incremented) on later runs, so keep it next to rootCA.pem; two certificates from the same CA must never share a serial. -extfile alone does not apply the extensions: -extensions names the section in the file to use, otherwise the keyUsage, extendedKeyUsage and subjectAltName in the config are silently left out of the certificate.

openssl x509 -req -in server.csr -sha224 -extfile openssl.cnf -extensions v3_req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 1024 -out server.crt

3. Copy the new files to the app: server.key is the secret, server.crt is what the app serves, and server.csr can be kept for re-signing.

Renew a certificate

1. Check when the certificate expires

openssl x509 -in server.crt -noout -enddate

2. Create a certificate signing request from the existing key

This keeps the key, so the app's deployment does not change. Note that -x509toreq does not carry the extensions over, so they are applied again when signing.

openssl x509 -in server.crt -signkey server.key -x509toreq -out new.csr

3. Create a certificate

Sign the new request with the root CA, exactly as for a new certificate. Signing it with -signkey instead would produce a self-signed certificate that nothing trusting rootCA.pem would accept.

openssl x509 -req -days 365 -in new.csr -sha224 -extfile openssl.cnf -extensions v3_req -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out new.crt

4. Verify the new certificate against the CA (should end with OK)

Without -CAfile, OpenSSL looks in its own default store, which does not include the Windows Trusted Root store, so the check would fail with "unable to get local issuer certificate".

openssl verify -CAfile rootCA.pem new.crt

5. Replace the old certificate with the new one, and delete the csr

mv new.crt server.crt && rm new.csr
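The whole create-then-renew procedure above as one non-interactive script, added here as a worked example; it is not code from the gist. Names it assumes that the original does not use: the CERT_HOST and CA_PASS environment variables, the function names, and a "Dev Root CA" subject. It also adds a subjectAltName and digitalSignature to the request extensions and a v3_ca section for the root, which the gist's config does not have, and uses -checkend to decide whether a renewal is due rather than printing -enddate for a human to read.

```shell
#!/bin/sh
# Added example, not from the original gist. Assumed names: CERT_HOST, CA_PASS.
set -eu

CERT_HOST="${CERT_HOST:-localhost.ssl}"
CA_PASS="${CA_PASS:-changeit}"   # passphrase for rootCA.key; use a real secret outside tests

# App-specific config. Compared with the gist's openssl.cnf this adds a
# subjectAltName (browsers ignore CN), digitalSignature (ECDHE suites and
# TLS 1.3 sign with the key) and a v3_ca section so the root is a real CA.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
default_md = sha256
[req_distinguished_name]
CN = $CERT_HOST
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CERT_HOST
EOF
}

# Step 1: passphrase-protected CA key and self-signed CA certificate.
make_root_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/rootCA.key" -passin "pass:$CA_PASS" \
    -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=Dev Root CA" \
    -days 1024 -out "$1/rootCA.pem"
}

# Sign a CSR with the CA. -extensions names the section that -extfile alone
# would not apply. rootCA.srl is created on the first run and reused after.
# Usage: sign_csr DIR CSR OUT [DAYS]
sign_csr() {
  openssl x509 -req -in "$2" -sha256 -extfile "$1/openssl.cnf" -extensions v3_req \
    -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -days "${4:-365}" -out "$3" 2>/dev/null
}

# Step 2: unencrypted server key plus CSR, then the CA-signed certificate.
make_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  sign_csr "$1" "$1/server.csr" "$1/server.crt"
}

# Returns 0 when server.crt chains to rootCA.pem and carries the SAN.
verify_server_cert() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$CERT_HOST"
}

# Renewal: -checkend exits 1 when the cert expires within N seconds (30 days
# here). The existing key is reused and the CA signs again, so the new cert
# is trusted by the same root, unlike a -signkey self-signed one.
renew_if_expiring() {
  if openssl x509 -in "$1/server.crt" -noout -checkend 2592000 >/dev/null; then
    return 0   # valid for 30+ days, nothing to do
  fi
  openssl x509 -in "$1/server.crt" -signkey "$1/server.key" -x509toreq -out "$1/new.csr" 2>/dev/null
  sign_csr "$1" "$1/new.csr" "$1/new.crt"
  openssl verify -CAfile "$1/rootCA.pem" "$1/new.crt" >/dev/null
  mv "$1/new.crt" "$1/server.crt" && rm "$1/new.csr"
}

build_all() {
  write_config "$1"; make_root_ca "$1"; make_server_cert "$1"
}

# Run with "--run" to build a CA and server cert in a temp dir and verify them.
case "${1:-}" in
  --run) d=$(mktemp -d); build_all "$d"; verify_server_cert "$d" && echo "OK: certs in $d" ;;
esac
```

Install rootCA.pem from the output directory into the Trusted Root store as in step 2 above; rootCA.key and CA_PASS never leave the machine that runs sign_csr. Pass "--run" to the script to create a fresh set of certificates, or source it and call renew_if_expiring on a schedule.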

Helpful Resources

openssl.cnf

# App-specific request config: pass it to "openssl req -config" for the CSR
# and to "openssl x509 -extfile ... -extensions v3_req" when signing.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
default_md = sha224
[req_distinguished_name]
CN = localhost.ssl
[v3_req]
# digitalSignature is needed for ECDHE cipher suites and TLS 1.3, where the
# server key signs the handshake instead of enciphering a pre-master secret.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
# Browsers validate the hostname against subjectAltName, not CN.
subjectAltName = DNS:localhost.ssl
@RDalcolmo commented Jul 31, 2017
On the first step of Creating a new certificate, how do you pass a certificate authority that was created using makecert?
