Creating A Certificate Using OpenSSL On Windows For SSL/TLS Communication

Introduction

 
For an SSL/TLS socket connection from a client application to a server application, we need a server-side certificate. Client and server applications can communicate with each other via socket programming; to make sure that communication is encrypted, we need to supply a server certificate when creating the server-side socket. This article describes a step-by-step procedure, from scratch, for generating a server-side X.509 certificate on Windows 7 for SSL/TLS TCP communication using OpenSSL.
 
Note
This tutorial does not require any Linux emulation or a virtualized Linux distribution on Windows. Instead, it describes how to generate the certificate solely on Windows. The procedure was tested on Windows 7, and it is assumed that it will also work seamlessly on Windows 10.
 
Overall, we first create a self-signed root key/certificate pair. Using this root key/certificate we then create an intermediate key/certificate, and finally we create a server certificate signed by the intermediate certificate. When creating the server certificate (or the server certificate signing request), we may use the IP address of the computer on which the server runs as the “Common Name” field. Common Name is a mandatory parameter of the OpenSSL certificate creation commands, because some SSL programming libraries require it. I used the password “1234” whenever a password is required while creating a key, certificate or certificate signing request. Each of the following steps writes the resulting key, certificate or certificate signing request into its corresponding folder of the directory structure given ahead.
 

1-Install/Setup OpenSSL

 
Download "Win32 OpenSSL v1.1.0f Light" from [3] and install it as described in [2]. After installing OpenSSL, add the folder containing openssl.exe to the system PATH, so that openssl.exe can be run from any folder at the command prompt.
 

2-Setup Directory

 
We will create a "\root" folder at C:\ and the following folder structure inside it.
  1. Start Command Prompt
    Start the command prompt, create the root folder and the directory structure shown in the screenshot below:

    [Screenshot: directory structure under C:\root\ca, not reproduced in this text]

    Then create the index, serial and crlnumber files in the appropriate folders, as shown in the next screenshot:

    [Screenshot: creating the index, serial and crlnumber files, not reproduced in this text]

  2. Get Configuration files

    Extract the root configuration file [4] from the attachment (configurationFiles.zip) and save it as “openssl.cfg” at C:\root\ca

    For instance “C:\root\ca\openssl.cfg”

    Extract the intermediate configuration file [5] from the attachment (configurationFiles.zip) and save it as “openssl.cfg” at C:\root\ca\intermediate

    For instance "C:\root\ca\intermediate\openssl.cfg"
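As an added example (not part of the original article), the following batch script creates the folder layout and the index, serial and crlnumber files that sections 2 and 3 rely on. The folder names follow the standard "openssl ca" layout (certs, crl, newcerts, private, csr) that the attached configuration files are assumed to expect; adjust them if your openssl.cfg files use different names.

```batch
@echo off
REM Added example: creates the CA layout used by the later steps.
REM Assumed: the standard "openssl ca" folder names; change them if the
REM attached openssl.cfg files point elsewhere.
set CA=C:\root\ca

REM mkdir creates missing parent folders automatically.
for %%d in (certs crl newcerts private) do mkdir "%CA%\%%d"
for %%d in (certs crl csr newcerts private) do mkdir "%CA%\intermediate\%%d"

REM Empty certificate databases (index.txt) for the root and intermediate CA.
type nul > "%CA%\index.txt"
type nul > "%CA%\intermediate\index.txt"

REM Starting serial numbers. The redirection is written first on purpose:
REM "echo 1000>file" would make cmd treat the trailing 0 as a file handle
REM and write "100" instead of "1000".
>"%CA%\serial" echo 1000
>"%CA%\intermediate\serial" echo 1000
>"%CA%\intermediate\crlnumber" echo 1000

dir /s /b "%CA%"
```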

3-Certificate Creation Steps

  1. Set path at the command prompt

    C:\root\ca> set RANDFILE=C:\root\ca\private\.rnd
    C:\root\ca> set OPENSSL_CONF=C:\root\ca\openssl.cfg

  2. Start OpenSSL

    C:\root\ca>openssl
    openssl>

  3. Create a Root Key

    openssl> genrsa -aes256 -out private/ca.key.pem 4096

  4. Create a Root Certificate (this is a self-signed certificate)

    openssl> req -config openssl.cfg -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

  5. Create an Intermediate Key

    openssl> genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096

  6. Create an Intermediate certificate signing request

    openssl> req -config intermediate/openssl.cfg -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem

  7. Create intermediate certificate (using Root Key/Certificate to sign the request from step 6)

    openssl> ca -config openssl.cfg -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem

    (Here v3_intermediate_ca is assumed to be the name of the intermediate-CA extensions section in the root openssl.cfg from [4]; use the section name defined there. This step produces intermediate/certs/intermediate.cert.pem, which step 9 needs.)

  8. Quit OpenSSL

    openssl> quit
    C:\root\ca>

  9. Get CA-Chain Cert

    C:\root\ca> type intermediate\certs\intermediate.cert.pem certs\ca.cert.pem > intermediate\certs\ca-chain.cert.pem

  10. Start OpenSSL

    C:\root\ca>openssl
    openssl>

  11. Create a Server Key

    openssl> genrsa -aes256 -out intermediate/private/www.example.com.key.pem 2048

  12. Create a Server Signing Request

    openssl> req -config intermediate/openssl.cfg -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem

  13. Create a Server Certificate (Using Server signing Request and Intermediate Certificate/Key)

    openssl> ca -config intermediate/openssl.cfg -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem

  14. Using Certificate

    Now the SSL/TLS server can be configured with the server key and the server certificate, using the CA-chain certificate (ca-chain.cert.pem) as the trust/chain certificate on the server side. The Root certificate has to be registered on the client's Windows machine (section 4) so that the client can validate the server's certificate when connecting.
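Before wiring the files into an application, it is worth checking that they fit together. The following batch script is an added example (not from the original article); it assumes the paths and the password “1234” used above, openssl.exe on the PATH, and a free local port 4433.

```batch
@echo off
REM Added example: sanity checks on the files produced in section 3.
REM Assumed: run from C:\root\ca, openssl.exe on the PATH, password "1234".
cd /d C:\root\ca

REM 1. Chain validation. Both commands should end with ": OK".
openssl verify -CAfile certs\ca.cert.pem intermediate\certs\intermediate.cert.pem
openssl verify -CAfile intermediate\certs\ca-chain.cert.pem intermediate\certs\www.example.com.cert.pem

REM 2. Inspect the server certificate: issuer, validity period, Common Name
REM    and the extensions applied by the server_cert section.
openssl x509 -noout -text -in intermediate\certs\www.example.com.cert.pem

REM 3. The server key and certificate must belong together: the two MD5
REM    digests of the RSA modulus must be identical.
openssl x509 -noout -modulus -in intermediate\certs\www.example.com.cert.pem | openssl md5
openssl rsa -noout -modulus -passin pass:1234 -in intermediate\private\www.example.com.key.pem | openssl md5

REM 4. Loopback TLS handshake with OpenSSL's own test server and client.
REM    The server (second window) presents the server cert plus the chain;
REM    the client trusts only the root, as a real client does after section 4,
REM    and must report "Verify return code: 0 (ok)". Type Q to end the session.
start "tls-test-server" openssl s_server -accept 4433 -cert intermediate\certs\www.example.com.cert.pem -key intermediate\private\www.example.com.key.pem -pass pass:1234 -cert_chain intermediate\certs\ca-chain.cert.pem
openssl s_client -connect 127.0.0.1:4433 -CAfile certs\ca.cert.pem -verify_return_error
```

If the loopback test fails with a verification error while step 1 succeeds, the server is usually not sending the intermediate certificate; the -cert_chain option (or the chain file in your server application) is what supplies it.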

4-Configure SSL/TLS Client at Windows

 
In order to enable the client to connect to the Server, we need to register the Root certificate (created in step 3.4) on the Windows machine from which the Client will access the Server. Follow Steps 4.1 and 4.2 to complete the Root certificate registration on the Windows machine.
  1. Go to the Control Panel
    -> Credential Manager -> Add a Certificate based credential -> Open Certificate Manager

    [Screenshot: Credential Manager, not reproduced in this text]

  2. Right Click on the Certificate
    -> All Tasks -> Import -> Next -> Browse

    [Screenshot: Certificate Import Wizard, not reproduced in this text]

    Browse to the Root certificate that was generated in Step 3.4
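The same registration can be scripted with certutil.exe, which ships with Windows. This is an added example (not from the original article); it assumes the root certificate path from section 3.

```batch
@echo off
REM Added example: command-line equivalent of the Certificate Manager import
REM in section 4. Assumed path: the root certificate from step 3.4.
REM "Root" is the Trusted Root Certification Authorities store; "-user" puts
REM the certificate in the current user's store only. Dropping "-user" trusts
REM the CA for every account on the machine and needs an elevated prompt.
certutil -addstore -user Root C:\root\ca\certs\ca.cert.pem

REM List the store to confirm that the root certificate is now present.
certutil -store -user Root
```

To undo the registration later, certutil -delstore -user Root with the certificate's serial number or subject name removes it again.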
 
References