Creating A Certificate Using OpenSSL On Windows For SSL/TLS Communication

 

For an SSL/TLS socket connection from a client application to a server application, we need a server-side certificate. Client and server applications can communicate with each other via socket programming. In order to make sure the communication is secure/encrypted, we need to define a server certificate at the time of creating a server-side socket. This article describes a step by step procedure from scratch on how to generate a server-side X509 certificate on Windows 7 for SSL/TLS TCP communication using OpenSSL.

 

This tutorial does not require any kind of Linux simulation or virtualization of Linux distribution on Windows. Instead, it describes how to generate the certificate solely on Windows. The procedure is tested on Windows 7 and it is assumed that the procedure will also work seamlessly for Windows 10 as well.

 

Overall, we first create a self-signed "Root key/certificate" pair. Then using this root key/Certificate, we create an intermediate Key/Certificate. Finally, we create a server certificate using the intermediate certificate. While creating a server certificate or server certificate signing request, we may consider using the "IP address" of the computer on which the server is running, as the “Common Name” field. Common Name is the mandatory parameter when running a certificate creation command of Openssl. This is due to the fact that some SSL programming libraries require that. I used the password “1234” whenever a password is required while creating a certificate or certificate signing request. As a result of each of the following steps of creating Key/Certificate/Certificate Signing Request, the corresponding Key/Certificate/Certificate Signing Request will be generated in its corresponding folder as per the directory structure given ahead.

 

 

Download "Win32 OpenSSL v1.1.0f Light" from [3] and install it as mentioned at [2]. After installing Openssl, the path openssl.exe file should be added in the system path. That “oenssl.exe” can be run from our desired folder from the command prompt.

 

 

We will create a "\root" folder at C:\ and the following folder structure in the "\root" folder.

1. Start Command Prompt
   Start the command prompt; create a root folder and the following directory structure:
   
   
   
   Do the following to get index, serial and crlnumber files in the appropriate folders
   
   
   
   
2. Get Configuration files
   
   Extract the root configuration file [4] from the attachment (configurationFiles.zip) and save it as “openssl.cfg” at C:\root\ca
   
   For instance “C:\root\ca\openssl.cfg”
   
   Extract the intermediate configuration file [5] from the attachment (configurationFiles.zip) and save it as “openssl.cfg” at C:\root\ca\intermediate
   
   For instance "C:\root\ca\intermediate\openssl.cfg"

1. Set path at the command prompt
   
   C:\root\ca> set RANDFILE=C:\root\ca\private\.rnd
   C:\root\ca> set OPENSSL_CONF=C:\root\ca\openssl.cfg
   
   
2. Start OpenSSL
   
   C:\root\ca>openssl
   openssl>
   
   
3. Create a Root Key
   
   openssl> genrsa -aes256 -out private/ca.key.pem 4096
   
   
4. Create a Root Certificate (this is self-signed certificate)
   
   openssl> req -config openssl.cnf \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem
   
   
5. Create an Intermediate Key
   
   openssl> genrsa -aes256 \ -out intermediate/private/intermediate.key.pem 4096
   
   
6. Create an Intermediate certificate signing request
   
   openssl> req -config intermediate/openssl.cfg -new -sha256 \ -key intermediate/private/intermediate.key.pem \ -out intermediate/csr/intermediate.csr.pem
   
   
7. Create intermediate certificate (using Root Key/Certificate)
   
   openssl> req -config openssl.cfg \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem
   
   
8. Quit OpenSSL
   
   openssl> quit
   C:\root\ca>
   
   
9. Get CA-Chain Cert
   
   C:\root\ca> type intermediate\certs\intermediate.cert.pem certs\ca.cert.pem > intermediate\certs\ca-chain.cert.pem
   
   
10. Start OpenSSL
    
    C:\root\ca>openssl
    openssl>
    
    
11. Create a Server Key
    
    openssl>genrsa -aes256 \ -out intermediate/private/www.example.com.key.pem 2048
    
    
12. Create a Server Signing Request
    
    openssl>req -config intermediate/openssl.cnf \ -key intermediate/private/www.example.com.key.pem \ -new -sha256 -out intermediate/csr/www.example.com.csr.pem
    
    
13. Create a Server Certificate (Using Server signing Request and Intermediate Certificate/Key)
    
    openssl> ca -config intermediate/openssl.cnf \ -extensions server_cert -days 375 -notext -md sha256 \ -in intermediate/csr/www.example.com.csr.pem \ -out intermediate/certs/www.example.com.cert.pem
    
    
14. Using Certificate
    
    Now the SSL/TLS server can be configured with server key and server certificate while using CA-Chain-Cert as a trust certificate for the server. The Root certificate has to be configured at the Windows to enable the client to connect to the server.

4-Configure SSL/TLS Client at Windows

1. Go to the Control Panel
   -> Credential Manager -> Add a Certificate based credential -> Open Certificate Manager
   
   
   
   
2. Right Click on the Certificate
   -> All Tasks  -> Import -> Next -> Browse
   
   

Browse the Root certificate that was generated in Step 3.4

 

1. Creating SSL/TLS Certificates
2. Installing OpenSSL
   
3. Download OpenSSL for Windows