Monday, January 8, 2018

company CA without a cert server



For those who administer a network, sometimes you need to create a root certificate.  This can be for an internal web server, for deploying internal software, or for other reasons.  In many places you have a server set up whose sole purpose is to generate SSL and maybe other certificates for the company.  If you don't want to dedicate an entire server to this task, because you don't need to be constantly generating new certificates, there is an alternative.

OpenSSL is an open source program (hence the Open part) that allows you to generate SSL certificates, everything from a root certificate (for your company root CA) to a regular certificate that's signed by the root CA.

If you're on a Linux machine, do your usual apt-get install openssl or yum install openssl, and skip the next paragraph, which is for Windows.

If you're on Windows, you'll need to go to http://www.openssl.org/related/binaries.html and follow the links until you can download the OpenSSL binary (full version) for Windows at http://slproweb.com/products/Win32OpenSSL.html (you may need to download and install the Visual C++ redistributable).  You'll also want to add c:\openssl-win32\bin to your system's path, or have the DLLs installed to the c:\windows\system32 directory.

To create a root certificate, go to the c:\openssl-win32\bin directory and type:
openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650 -config openssl.cfg
-leave the e-mail address blank.
-the above root CA will be valid for 13 years.

make the following directories: demoCA, demoCA\newcerts, and demoCA\private
under c:\openssl-win32\bin
so you should have c:\openssl-win32\bin\demoCA\newcerts as one of your paths



move the *-ca.crt file to demoCA
and the *-ca.key file to demoCA\private
in the openssl.cnf file, go to the CA_default section and make sure that private_key = $dir/private/my-ca.key
and change certificate = $dir/my-ca.crt
(change my-ca.key to whatever you typed in the openssl command above)


type echo 01 > demoCA\serial
and in Explorer navigate to the demoCA folder and create a new text file
and name it index.txt (don't put anything in it).



to create server certificates for WSUS:
openssl req -nodes -new -keyout servername.key -out servername.csr -days 1825 -config openssl.cfg
for Common Name enter servername.company.com
leave the email address blank, and hit enter for the challenge password and optional company name.

then sign it using the CA (certifies for 5 years):
openssl ca -out servername.crt -in servername.csr -days 1825 -config openssl.cfg

then export it to PFX format for IIS:
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt -certfile my-ca.crt
type in a password for the PFX
ignore the message about "unable to write random state"
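The whole procedure above, scripted end to end for a Linux box, as an added example that is not part of the original post. It assumes openssl is on the PATH; the directory, key, certificate and host names (my-ca.*, servername.company.com, the PFX password) are constructed placeholders, and it adds the one step the post leaves out: verifying that the issued certificate actually chains to the root.

```bash
# Added example, not from the original post: the post's CA workflow scripted for Linux,
# plus a chain check. Assumes openssl on PATH; all file/host names are placeholders.
set -euo pipefail
CA_DIR="${CA_DIR:-$(mktemp -d)}/demoCA"
CA_CFG="$CA_DIR/openssl.cnf"
# demoCA layout from the post (newcerts/, private/, serial, index.txt) and a minimal config
# whose [ CA_default ] points at our key and cert, the edit the post makes by hand.
make_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  echo 01 > "$CA_DIR/serial"
  : > "$CA_DIR/index.txt"
  cat > "$CA_CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/my-ca.key
certificate = \$dir/my-ca.crt
default_md = sha256
policy = policy_any
x509_extensions = srv_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ srv_ext ]
subjectAltName = DNS:servername.company.com
EOF
  # Root CA, 3650 days, unencrypted key (-nodes) as in the post; CA:TRUE so verify accepts it.
  openssl req -nodes -new -x509 -days 3650 -config "$CA_CFG" -extensions ca_ext \
    -subj "/CN=Example Company Root CA" -keyout "$CA_DIR/private/my-ca.key" -out "$CA_DIR/my-ca.crt"
}
# CSR, CA signature for 5 years, then the PFX bundle IIS imports (password is a placeholder).
issue_server() {
  openssl req -nodes -new -config "$CA_CFG" -subj "/CN=servername.company.com" \
    -keyout "$CA_DIR/servername.key" -out "$CA_DIR/servername.csr"
  openssl ca -batch -notext -days 1825 -config "$CA_CFG" \
    -in "$CA_DIR/servername.csr" -out "$CA_DIR/servername.crt"
  openssl pkcs12 -export -passout pass:changeit -inkey "$CA_DIR/servername.key" \
    -in "$CA_DIR/servername.crt" -certfile "$CA_DIR/my-ca.crt" -out "$CA_DIR/servername.pfx"
}
# The check the post leaves out: confirm the issued cert chains to our root.
verify_chain() { openssl verify -CAfile "$CA_DIR/my-ca.crt" "$CA_DIR/servername.crt" >/dev/null; }
```

Run make_ca, then issue_server, then verify_chain; a non-zero exit from the last one means the CA_default key/cert edit did not take and the server cert was signed by something else.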




