How to create a Windows localhost certificate based on a local CA?

In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.



First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html . Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/ . I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.



Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ . This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.



The specific commands used in an Admin Command Prompt (%windir%\system32\cmd.exe) for creating a local CA were:




  1. Choose a secret pass phrase and provide it whenever asked.

  2. Generate private key:
    openssl genrsa -des3 -out CA_NAME.key 2048

  3. Generate PEM certificate from the private key:
    openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem

  4. Create root CA certificate:
    openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt

  5. Install CA root certificate on local computer:
    Right-click CA_NAME.crt, choose Install Certificate
    Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities


Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.



Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.



I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).



Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.

migrated from security.stackexchange.com Oct 19 '17 at 18:11
This question came from our site for information security professionals.

  • see How to issue SSL certificate with SAN extension?. – Steffen Ullrich, Oct 13 '17 at 19:06

  • Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable. – David Spector, Oct 14 '17 at 22:50

  • "Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create). – Steffen Ullrich, Oct 15 '17 at 5:02
windows certificate-authority
asked Oct 13 '17 at 17:39
David Spector
1 Answer
OpenSSL doesn't require an admin terminal.




...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





  • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

  • Server certificates should never have an encrypted key, as it then requires manual intervention to start

  • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




This is accomplished through SAN profiles.




  • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar with one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



    • Line 164: SAN profiles begin


    • Line 260: V3 Profiles begin


    • Line 430: All required commands and information begin








...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





  1. Create required directories:

    mkdir ca\csr certs crl keys

  2. Create required files:

    echo 00 > crl\crlnumber && type NUL > index && type NUL > rand && echo 00 > serial

  3. Create CA:

    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca\ca.key.pem -out ca\ca.crt.pem -config .\openssl.cnf -extensions v3_ca

    • CA key passphrases: 20 character minimum, containing 2 each of: uppercase, lowercase, numbers, & symbols

  4. Generate server cert CSR:

    openssl req -out ca\csr\server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keys\server.key.pem -config .\openssl.cnf -extensions v3_sophos -nodes

  5. Create and sign cert with CA:

    openssl x509 -req -sha512 -days 3650 -in ca\csr\server.csr -CA ca\ca.crt.pem -CAkey ca\ca.key.pem -CAserial .\serial -out certs\server.crt.pem -extfile .\openssl.cnf -extensions v3_sophos

  6. Concatenate CA to cert:

    type ca\ca.crt.pem >> certs\server.crt.pem

  7. Export to PKCS12 (the key was written to keys\ in step 4):

    openssl pkcs12 -export -out certs\server.p12 -inkey keys\server.key.pem -in certs\server.crt.pem -certfile ca\ca.crt.pem










Additional Information




  • Index File

  • keyUsage & extendedKeyUsage



    • Definitions

    • KUs

    • EKUs



  • Key Exchange and EC Key Exchange


    • KEXs

    • EC-KEXs



  • Manuals
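The following is an added, end-to-end example of the procedure the question asks for; it is not part of the question or of the answer above and does not use the answer's custom openssl.cnf. It issues a certificate for localhost from the CA created in the question's steps (CA_NAME.key and CA_NAME.pem, assumed to be in the current directory), puts the subjectAltName in at signing time, verifies the result, and imports it into the Local Machine store. The file names localhost.cnf, localhost.key, localhost.csr, localhost.crt and localhost.pfx and the Invoke-OpenSsl helper are this example's own choices, and openssl.exe is assumed to be on PATH.

```powershell
# Added example, not from the question or the answer: issue a SAN certificate for localhost
# from the local CA created in the question (CA_NAME.key / CA_NAME.pem, assumed to be in the
# current directory) and install it in the Local Machine store. Assumes openssl.exe is on PATH;
# only the final Import-PfxCertificate step needs an elevated prompt.
$CaKey  = 'CA_NAME.key'   # passphrase-protected CA private key from the question
$CaCert = 'CA_NAME.pem'   # CA certificate in PEM form from the question
$Name   = 'localhost'     # base name for the generated files (assumed; any name works)

function Invoke-OpenSsl {
    # Native commands do not throw on failure in PowerShell; check the exit code explicitly.
    openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed with exit code $LASTEXITCODE" }
}

# 1. Minimal config. Browsers match the URL host against the subjectAltName list (Chrome and
#    Edge ignore the CN entirely), so only host names and IP addresses belong there. URL paths
#    such as localhost/MY_WEBSITE are never part of a certificate: one certificate for the host
#    covers every path served on it.
@"
[req]
distinguished_name = dn
prompt             = no

[dn]
CN = $Name

[server_ext]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost, IP:127.0.0.1, IP:::1
"@ | Set-Content -Path "$Name.cnf" -Encoding ascii

# 2. Unencrypted server key (-nodes): a web server cannot answer a passphrase prompt at start-up.
Invoke-OpenSsl req -new -newkey rsa:2048 -nodes -keyout "$Name.key" -out "$Name.csr" -config "$Name.cnf"

# 3. Sign with the CA. Extensions come from the signer's -extfile, not from the CSR, so this is
#    the step that actually puts the SAN into the certificate. Prompts for the CA passphrase.
#    -CAcreateserial writes CA_NAME.srl next to the CA files and reuses it for later signings.
#    825 days is the longest server-certificate lifetime Apple platforms still accept.
Invoke-OpenSsl x509 -req -in "$Name.csr" -CA $CaCert -CAkey $CaKey -CAcreateserial `
    -days 825 -sha256 -extfile "$Name.cnf" -extensions server_ext -out "$Name.crt"

# 4. Verify the chain and inspect the SAN before touching the Windows store.
Invoke-OpenSsl verify -CAfile $CaCert "$Name.crt"
openssl x509 -in "$Name.crt" -noout -text | Select-String -Pattern 'DNS:|IP Address:|Not After'

# 5. Bundle key + certificate + CA as PKCS#12, the format Windows imports. openssl prompts for
#    the export password, so it never appears on the command line or in the shell history.
Invoke-OpenSsl pkcs12 -export -inkey "$Name.key" -in "$Name.crt" -certfile $CaCert -out "$Name.pfx"

# 6. Import into Local Machine\Personal, where IIS and http.sys look for server certificates.
#    The issuing CA is already in Trusted Root Certification Authorities from the question's step 5.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 export password'
$cert = Import-PfxCertificate -FilePath "$Name.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
$cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint
```

Run it from an elevated PowerShell prompt in the directory holding the CA files. Once the certificate is in Local Machine\Personal, bind it to the site in IIS Manager (or whichever local server is listening on 443); https://localhost/MY_WEBSITE then validates because the host name is in the SAN and the issuing CA is trusted. The only secret that needs protecting long term is CA_NAME.key and its passphrase: anyone holding it can issue certificates for any name that every browser on this machine will trust, so keep it off shared drives and out of the web root.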
    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1260620%2fhow-to-create-a-windows-localhost-certificate-based-on-a-local-ca%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    OpenSSL doesn't require an admin terminal.




    ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





    • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

    • Server certificates should never have an encrypted key, as it then requires manual intervention to start

    • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






    ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




    This is accomplished through SAN profiles.




    • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



      • Line 164: SAN profiles begin


      • Line 260: V3 Profiles begin


      • Line 430: All required commands and information begin








    ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




    To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





    1. Create Required Directories:



      mkdir cacsr certs crl keys



    2. Create Required Files:



      echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



    3. Create CA



      openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




      • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





        1. Generate Server Cert CSR:



          openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



        2. Create and Sign cert with CA:



          openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



        3. Concatenate CA to Cert:



          type ca/ca.crt.pem >> certs/server.crt.pem



        4. Export to PKCS12:



          openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










    Additional Information




    • Index File

    • keyUsage & extendedKeyUsage



      • Definitions

      • KUs

      • EKUs



    • Key Exchange and EC Key Exchange


      • KEXs

      • EC-KEXs



    • Manuals






    share|improve this answer






























      0














      OpenSSL doesn't require an admin terminal.




      ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





      • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

      • Server certificates should never have an encrypted key, as it then requires manual intervention to start

      • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






      ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




      This is accomplished through SAN profiles.




      • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



        • Line 164: SAN profiles begin


        • Line 260: V3 Profiles begin


        • Line 430: All required commands and information begin








      ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




      To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





      1. Create Required Directories:



        mkdir cacsr certs crl keys



      2. Create Required Files:



        echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



      3. Create CA



        openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




        • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





          1. Generate Server Cert CSR:



            openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



          2. Create and Sign cert with CA:



            openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



          3. Concatenate CA to Cert:



            type ca/ca.crt.pem >> certs/server.crt.pem



          4. Export to PKCS12:



            openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










      Additional Information




      • Index File

      • keyUsage & extendedKeyUsage



        • Definitions

        • KUs

        • EKUs



      • Key Exchange and EC Key Exchange


        • KEXs

        • EC-KEXs



      • Manuals






      share|improve this answer




























        0












        0








        0







        OpenSSL doesn't require an admin terminal.




        ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





        • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

        • Server certificates should never have an encrypted key, as it then requires manual intervention to start

        • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






        ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




        This is accomplished through SAN profiles.




        • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



          • Line 164: SAN profiles begin


          • Line 260: V3 Profiles begin


          • Line 430: All required commands and information begin








        ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




        To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





        1. Create Required Directories:



          mkdir cacsr certs crl keys



        2. Create Required Files:



          echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



        3. Create CA



          openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




          • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





            1. Generate Server Cert CSR:



              openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



            2. Create and Sign cert with CA:



              openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



            3. Concatenate CA to Cert:



              type ca/ca.crt.pem >> certs/server.crt.pem



            4. Export to PKCS12:



              openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










        Additional Information




        • Index File

        • keyUsage & extendedKeyUsage



          • Definitions

          • KUs

          • EKUs



        • Key Exchange and EC Key Exchange


          • KEXs

          • EC-KEXs



        • Manuals


























        edited Oct 28 '18 at 10:44

























        answered Aug 30 '18 at 15:07









JW0914
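The answer's procedure as one runnable script (an added example, not the answer's or JW0914's code): it writes its own minimal openssl.cnf with a v3_ca profile and a v3_localhost SAN profile (constructed here, standing in for v3_ca and v3_sophos in the linked openssl.cnf), creates the CA, issues a localhost server certificate from it, checks the chain and the SAN, and exports the PKCS12 that the Windows certificate store imports. It assumes the openssl CLI is on PATH and a POSIX shell; the openssl commands are the same in an Admin Command Prompt with backslash paths.

```shell
#!/bin/sh
# Added example: the answer's procedure as one script with a constructed config.
# Assumes the openssl CLI is on PATH; the v3_ca and v3_localhost profiles below are
# this example's own, standing in for v3_ca / v3_sophos in the linked openssl.cnf.
set -e

make_localhost_cert() {
  dir="$1"
  mkdir -p "$dir/ca/csr" "$dir/certs" "$dir/keys"
  echo 00 > "$dir/serial"   # serial file, as in the answer's step 2
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Local Dev CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_localhost ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
authorityKeyIdentifier = keyid,issuer
EOF
  # CA (-nodes only keeps the example non-interactive; the answer keeps the CA key encrypted)
  openssl req -x509 -new -sha256 -days 3650 -newkey rsa:2048 -nodes \
    -keyout "$dir/ca/ca.key.pem" -out "$dir/ca/ca.crt.pem" \
    -config "$dir/openssl.cnf" -extensions v3_ca
  # Server CSR with an unencrypted key, so the web server can start unattended
  openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -config "$dir/openssl.cnf" -keyout "$dir/keys/server.key.pem" -out "$dir/ca/csr/server.csr"
  # Sign with the CA; the SAN comes from the CA-side profile, not from the CSR
  openssl x509 -req -sha256 -days 825 -in "$dir/ca/csr/server.csr" \
    -CA "$dir/ca/ca.crt.pem" -CAkey "$dir/ca/ca.key.pem" -CAserial "$dir/serial" \
    -out "$dir/certs/server.crt.pem" -extfile "$dir/openssl.cnf" -extensions v3_localhost
  # Check the chain and that the leaf really names localhost before trusting it anywhere
  openssl verify -CAfile "$dir/ca/ca.crt.pem" "$dir/certs/server.crt.pem" >/dev/null
  openssl x509 -in "$dir/certs/server.crt.pem" -noout -text | grep -q 'DNS:localhost'
  # PKCS12 bundle for the Windows certificate store (password is a constructed placeholder)
  openssl pkcs12 -export -passout pass:changeit -out "$dir/certs/server.p12" \
    -inkey "$dir/keys/server.key.pem" -in "$dir/certs/server.crt.pem" -certfile "$dir/ca/ca.crt.pem"
  # Chain file with leaf followed by CA, the answer's step 3
  cat "$dir/ca/ca.crt.pem" >> "$dir/certs/server.crt.pem"
}

if [ "$#" -gt 0 ]; then make_localhost_cert "$1"; fi
```

Run it as `sh script.sh ./pki` and import `pki/certs/server.p12` into the Local Machine store while `pki/ca/ca.crt.pem` goes into Trusted Root Certification Authorities, as in the question's step 5.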





























