Generate Root Certificate (Root CA) plus Server Certificate (X509 v3) with OpenSSL for HTTPS/SSL
Most of the instructions online generate a self-signed server certificate only. However, with only one server certificate (no root CA), it is difficult for some devices to trust the server certificate directly.
(Updated Oct 2020) X509 v3 is required by recent versions of Chrome.
(Updated 9 Jun 2023) For older Windows Server, the certificate and private key cipher (PBE-SHA1-3DES) must be specified explicitly when exporting the .pfx file.
The solution is to generate our own RootCA certificate first. Then we use this RootCA to generate the server certificate.
- Download OpenSSL for Windows
https://slproweb.com/products/Win32OpenSSL.html
- Generate Root CA
- Generate Root Key
openssl genrsa -des3 -out rootCA.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................++++
.......................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for rootCA.key:
Verifying - Enter pass phrase for rootCA.key:
- Generate Root CA Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
Enter pass phrase for rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXX
Organizational Unit Name (eg, section) []:DEV
Common Name (e.g. server FQDN or YOUR name) []:mydomain.com
Email Address []:rootcadmin@mydomain.com
- The Root CA certificate has been generated. You can import it (rootCA.crt) as a "Trusted" Root CA certificate on your device / in Windows.
- Create Web Server Certificate
- Create server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=HK
ST=Hong Kong
L=Hong Kong
O=My Company
OU=MyOU
emailAddress=rootca@mydomain.com
CN = myhost
- Create v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = host.mydomain.com
DNS.3 = host1.mydomain.com
- Generate Key and Generate CSR
openssl req -new -sha256 -nodes -out mydomain.com.csr -newkey rsa:2048 -keyout mydomain.com.key -config server.csr.cnf
Generating a RSA private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXX
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:mydomain.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Generate Server Certificate
openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256 -extfile v3.ext
Signature ok
subject=C = HK, ST = Some-State, O = XXXX, CN = mydomain.com
Getting CA Private Key
Enter pass phrase for rootCA.key:
- Combine the .crt and .key files into a single PKCS12 (.pfx) file for IIS import
openssl.exe pkcs12 -export -out mydomain.com.pfx -inkey mydomain.com.key -in mydomain.com.crt -certfile rootCA.crt
Enter Export Password:
Verifying - Enter Export Password:
- For Windows 2012 or 2016 IIS import: you may receive a password error or the import may fail. Since OpenSSL 3.0.0, AES-256-CBC is used by default for the PKCS12 file, which these older OS versions do not support. Use the command below to select a compatible cipher and avoid the error:
openssl.exe pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -out mydomain.com.pfx -inkey mydomain.com.key -in mydomain.com.crt -certfile rootCA.crt
Enter Export Password:
Verifying - Enter Export Password:
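The whole OpenSSL procedure above as one added example script (not from the original post), run non-interactively on Linux/macOS with the OpenSSL CLI and followed by the check a practitioner wants: that the server certificate chains to the root and carries the SAN. The scratch directory, the -subj DN strings, the 2048-bit root key and leaving the root key unencrypted (the post uses -des3, the safer choice for a real root key) are assumptions made so the script runs without prompts.

```shell
#!/bin/sh
# Assumed scratch directory; the post works in the current directory instead.
WORK=$(mktemp -d)

make_chain() {
    cd "$WORK" || return 1
    # 1. Root CA key and self-signed root certificate (unencrypted key, no prompts)
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -sha256 -days 1024 \
        -subj "/C=HK/O=My Company/OU=DEV/CN=mydomain.com" -out rootCA.crt 2>/dev/null
    # 2. Server key and CSR from a config file, as in server.csr.cnf
    cat > server.csr.cnf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=HK
ST=Hong Kong
L=Hong Kong
O=My Company
OU=MyOU
CN=host.mydomain.com
EOF
    openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
        -keyout server.key -config server.csr.cnf 2>/dev/null
    # 3. v3 extensions: not a CA, plus the subjectAltName Chrome requires
    cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = host.mydomain.com
EOF
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
        -out server.crt -days 500 -sha256 -extfile v3.ext 2>/dev/null
}

# Prints "ok" when server.crt verifies against rootCA.crt and contains the SAN.
check_chain() {
    cd "$WORK" || return 1
    openssl verify -CAfile rootCA.crt server.crt >/dev/null 2>&1 || { echo "bad chain"; return 1; }
    openssl x509 -in server.crt -noout -text | grep -q "DNS:host.mydomain.com" || { echo "no SAN"; return 1; }
    echo ok
}
```

Run make_chain and then check_chain; the same verify and -text commands can be pointed at the post's mydomain.com.crt and rootCA.crt to confirm a certificate before importing it into IIS.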
- IIS import
- Double click on the PFX file to import the certificate under Local Machine - Personal
- In IIS Manager, select your Web Site. Then select Bindings.
- Click Add.
- Select https. Then you can find your certificate under SSL Certificate.
Reference:
Self Signed Certificate with Custom Root CA (github.com) (by Lorenzo Fontana)
https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/