Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Certificate creation in Windows

Creating a new key, with a self-signed root CA

This should only be done once, in a clean directory. The key and certificate is needed for each app.

1. Generate root CA (private key and public key).

The -des3 option forces it to use a password. You don't want someone hijacking your root CA and signing stuff.

openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem -config "/c/program files (x86)/git/ssl/openssl.cnf"

2. Add CA key to machine.

https://msdn.microsoft.com/en-us/library/ms733813%28v=vs.110%29.aspx Section: Installing a Certificate in the Trusted Root Certification Authorities Store

Create a new certificate

1. Create both a certificate signing request and a key.

Need to use an app-specific config file here, where "CN=localhost.ssl"

openssl req -in openssl.cnf -nodes -newkey rsa:2048 -sha224 -config openssl.cnf -keyout server.key -out server.csr

2. Create a new certificate

This also generates a rootCA.srl file, which I assume is only needed the first time, but is definitely needed.

openssl x509 -req -in server.csr -sha224 -extfile openssl.cnf -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -days 1024 -out server.crt

3. Make off with your new files (server.key, server.csr, server.crt).

Renew a certificate

###1. Check if the certificate is expired

openssl x509 -in server.crt -noout -enddate

2. Create a certificate signing request from the existing key

openssl x509 -in server.crt -signkey server.key -x509toreq -out new.csr

2. Create a certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out new.crt

3. Verify the new certificate (should end with OK)

openssl verify new.crt

4. Replace the old certificate with the new one, and delete the csr

mv new.crt server.crt && rm new.csr

Helpful Resources

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
default_md = sha224
[req_distinguished_name]
CN = localhost.ssl
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

On the first step on Creating a new certificate, how do you pass a certificate authority that was created using makecert?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment