Kbase P90739: How to create one's own CA root certificate using OpenSSL to sign IIS certificate request for use wi
Author: Progress Software Corporation - Progress
Access: Public
Published: 1/17/2007
Status: Unverified
GOAL:
How to create one's own CA root certificate using OpenSSL to sign IIS certificate request for use with SSL
FIX:
On some occasions you might want to sign your own certificates, for test purposes or for intranet use. This might be the case when using Web Services or the Progress AIA(S). This Solution walks through an example of how to do this with OpenSSL and Microsoft IIS.
These steps are based on the following configuration:
- OpenEdge 10.0A
- IIS 5.1 on Windows XP Professional
- OpenSSL for Windows
1) Download and install OpenSSL for Windows from:
http://www.slproweb.com/products/Win32OpenSSL.html
- Create the following directories in <OpenSSL install-dir>\bin:
demoCA
demoCA\private
demoCA\newcerts
- In demoCA create an empty file called 'index.txt' and also a file called 'serial' containing the number '01'.
2) Set up the proper environment.
- Open a Proenv window and execute:
cd <OpenSSL install-dir>\bin
- From here you can execute the 'openssl' command in the steps below.
3) Use OpenSSL to create a CA root certificate:
- Create a private key:
openssl genrsa -des3 -out cakey.pem 1024
- The process will prompt you to supply a PEM pass phrase to help secure the key.
- Create a CA certificate:
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 1825
- You will be prompted to supply information for the certificate.
- Move your private key cakey.pem to the demoCA/private directory and cacert.pem to the demoCA directory.
4) Create a certificate request via Internet Services Manager.
- Go to the property tab for the webserver you want to secure.
- Then go to 'Directory Security->Secure Communication->Server Certificate'.
- Follow the wizard to create a certificate request and fill in all required details.
- At the end of the wizard, it will generate a certreq.txt file.
- Move this file to the <OpenSSL install-dir>\bin directory.
5) Sign your previously created IIS certificate request.
- Sign the certificate request:
openssl ca -in certreq.txt -out iis.cer
- Open iis.cer in your favorite text editor (e.g. UltraEdit) and remove all the text before the line '-----BEGIN CERTIFICATE-----'.
- Complete the certificate request in IIS by importing the iis.cer file.
6) Make your (internal-use) Cert Server a trusted signing authority (issuer).
- Copy the cacert.pem file onto the machine where the Progress client will run.
- On the client machine, run the mkhashfile command from a Proenv window:
mkhashfile cacert.pem
You should now be able to connect to Microsoft IIS using HTTPS.
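The manual edit in step 5 can be done by a script instead. The following Python code is an added example, not part of the original Progress Solution: it extracts the single PEM block from the `openssl ca` output and rejects a block that was damaged or truncated during editing. The function names are illustrative, and the sample input is constructed (a placeholder DER structure, not a real certificate).

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the full encoded length declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    n = first & 0x7F                    # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificate(ca_output: str) -> str:
    """Return only the PEM block from `openssl ca` output, after sanity checks."""
    blocks = PEM_RE.findall(ca_output)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())
    der = base64.b64decode(body, validate=True)   # raises on stray characters
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

# Constructed sample: text header as written by `openssl ca`, followed by a
# placeholder DER SEQUENCE (not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_CA_OUTPUT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Serial Number: 1 (0x1)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(B64[i:i + 64] for i in range(0, len(B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(extract_certificate(SAMPLE_CA_OUTPUT), end="")
```

To use it on a real file, pass the contents of iis.cer to `extract_certificate` and write the returned text back before importing the file into IIS.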