How to create a Windows localhost certificate based on a local CA?












0















In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.



First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html . Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/ . I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.



Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ . This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.



The specific commands used in an Admin Command Prompt (%windir%system32cmd.exe) for creating a local CA were:




  1. Choose a secret pass phrase and provide it whenever asked.

  2. Generate private key:
    openssl genrsa -des3 -out CA_NAME.key 2048

  3. Generate PEM certificate from the private key:
    openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem

  4. Create root CA certificate:
    openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt

  5. Install CA root certificate on local computer:
    Right-click CA_NAME.crt, choose Install Certificate
    Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities


Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.



Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.



I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).



Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.










share|improve this question













migrated from security.stackexchange.com Oct 19 '17 at 18:11


This question came from our site for information security professionals.














  • 1





    see How to issue SSL certificate with SAN extension?.

    – Steffen Ullrich
    Oct 13 '17 at 19:06











  • Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

    – David Spector
    Oct 14 '17 at 22:50











  • "Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

    – Steffen Ullrich
    Oct 15 '17 at 5:02
















0















In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.



First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html . Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/ . I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.



Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ . This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.



The specific commands used in an Admin Command Prompt (%windir%system32cmd.exe) for creating a local CA were:




  1. Choose a secret pass phrase and provide it whenever asked.

  2. Generate private key:
    openssl genrsa -des3 -out CA_NAME.key 2048

  3. Generate PEM certificate from the private key:
    openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem

  4. Create root CA certificate:
    openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt

  5. Install CA root certificate on local computer:
    Right-click CA_NAME.crt, choose Install Certificate
    Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities


Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.



Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.



I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).



Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.










share|improve this question













migrated from security.stackexchange.com Oct 19 '17 at 18:11


This question came from our site for information security professionals.














  • 1





    see How to issue SSL certificate with SAN extension?.

    – Steffen Ullrich
    Oct 13 '17 at 19:06











  • Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

    – David Spector
    Oct 14 '17 at 22:50











  • "Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

    – Steffen Ullrich
    Oct 15 '17 at 5:02














0












0








0








In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.



First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html . Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/ . I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.



Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ . This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.



The specific commands used in an Admin Command Prompt (%windir%system32cmd.exe) for creating a local CA were:




  1. Choose a secret pass phrase and provide it whenever asked.

  2. Generate private key:
    openssl genrsa -des3 -out CA_NAME.key 2048

  3. Generate PEM certificate from the private key:
    openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem

  4. Create root CA certificate:
    openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt

  5. Install CA root certificate on local computer:
    Right-click CA_NAME.crt, choose Install Certificate
    Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities


Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.



Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.



I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).



Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.










share|improve this question














In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.



First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html . Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/ . I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.



Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ . This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.



The specific commands used in an Admin Command Prompt (%windir%system32cmd.exe) for creating a local CA were:




  1. Choose a secret pass phrase and provide it whenever asked.

  2. Generate private key:
    openssl genrsa -des3 -out CA_NAME.key 2048

  3. Generate PEM certificate from the private key:
    openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem

  4. Create root CA certificate:
    openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt

  5. Install CA root certificate on local computer:
    Right-click CA_NAME.crt, choose Install Certificate
    Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities


Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.



Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.



I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).



Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.







windows certificate-authority






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Oct 13 '17 at 17:39









David SpectorDavid Spector

1117




1117




migrated from security.stackexchange.com Oct 19 '17 at 18:11


This question came from our site for information security professionals.









migrated from security.stackexchange.com Oct 19 '17 at 18:11


This question came from our site for information security professionals.










  • 1





    see How to issue SSL certificate with SAN extension?.

    – Steffen Ullrich
    Oct 13 '17 at 19:06











  • Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

    – David Spector
    Oct 14 '17 at 22:50











  • "Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

    – Steffen Ullrich
    Oct 15 '17 at 5:02














  • 1





    see How to issue SSL certificate with SAN extension?.

    – Steffen Ullrich
    Oct 13 '17 at 19:06











  • Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

    – David Spector
    Oct 14 '17 at 22:50











  • "Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

    – Steffen Ullrich
    Oct 15 '17 at 5:02








1




1





see How to issue SSL certificate with SAN extension?.

– Steffen Ullrich
Oct 13 '17 at 19:06





see How to issue SSL certificate with SAN extension?.

– Steffen Ullrich
Oct 13 '17 at 19:06













Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

– David Spector
Oct 14 '17 at 22:50





Steffen, Thank you. Which of these three low-voted partial answers are you recommending? None seems correct or complete. I'm looking for an answer that works, that is tested, and contains as much detail as is contained in my question. None of this stuff seems reliable,

– David Spector
Oct 14 '17 at 22:50













"Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

– Steffen Ullrich
Oct 15 '17 at 5:02





"Which of these three low-voted partial answers are you recommending?" - I have no idea what you are talking about. The question I've linked to includes only a single answer which explains how to create a SAN certificate when you already have the CA certificate (which you already managed to create).

– Steffen Ullrich
Oct 15 '17 at 5:02










1 Answer
1






active

oldest

votes


















0














OpenSSL doesn't require an admin terminal.




...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





  • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

  • Server certificates should never have an encrypted key, as it then requires manual intervention to start

  • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




This is accomplished through SAN profiles.




  • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



    • Line 164: SAN profiles begin


    • Line 260: V3 Profiles begin


    • Line 430: All required commands and information begin








...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





  1. Create Required Directories:



    mkdir cacsr certs crl keys



  2. Create Required Files:



    echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



  3. Create CA



    openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




    • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





      1. Generate Server Cert CSR:



        openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



      2. Create and Sign cert with CA:



        openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



      3. Concatenate CA to Cert:



        type ca/ca.crt.pem >> certs/server.crt.pem



      4. Export to PKCS12:



        openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










Additional Information




  • Index File

  • keyUsage & extendedKeyUsage



    • Definitions

    • KUs

    • EKUs



  • Key Exchange and EC Key Exchange


    • KEXs

    • EC-KEXs



  • Manuals






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1260620%2fhow-to-create-a-windows-localhost-certificate-based-on-a-local-ca%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    OpenSSL doesn't require an admin terminal.




    ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





    • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

    • Server certificates should never have an encrypted key, as it then requires manual intervention to start

    • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






    ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




    This is accomplished through SAN profiles.




    • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



      • Line 164: SAN profiles begin


      • Line 260: V3 Profiles begin


      • Line 430: All required commands and information begin








    ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




    To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





    1. Create Required Directories:



      mkdir cacsr certs crl keys



    2. Create Required Files:



      echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



    3. Create CA



      openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




      • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





        1. Generate Server Cert CSR:



          openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



        2. Create and Sign cert with CA:



          openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



        3. Concatenate CA to Cert:



          type ca/ca.crt.pem >> certs/server.crt.pem



        4. Export to PKCS12:



          openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










    Additional Information




    • Index File

    • keyUsage & extendedKeyUsage



      • Definitions

      • KUs

      • EKUs



    • Key Exchange and EC Key Exchange


      • KEXs

      • EC-KEXs



    • Manuals






    share|improve this answer






























      0














      OpenSSL doesn't require an admin terminal.




      ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





      • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

      • Server certificates should never have an encrypted key, as it then requires manual intervention to start

      • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






      ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




      This is accomplished through SAN profiles.




      • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



        • Line 164: SAN profiles begin


        • Line 260: V3 Profiles begin


        • Line 430: All required commands and information begin








      ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




      To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





      1. Create Required Directories:



        mkdir cacsr certs crl keys



      2. Create Required Files:



        echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



      3. Create CA



        openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




        • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





          1. Generate Server Cert CSR:



            openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



          2. Create and Sign cert with CA:



            openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



          3. Concatenate CA to Cert:



            type ca/ca.crt.pem >> certs/server.crt.pem



          4. Export to PKCS12:



            openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










      Additional Information




      • Index File

      • keyUsage & extendedKeyUsage



        • Definitions

        • KUs

        • EKUs



      • Key Exchange and EC Key Exchange


        • KEXs

        • EC-KEXs



      • Manuals






      share|improve this answer




























        0












        0








        0







        OpenSSL doesn't require an admin terminal.




        ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





        • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

        • Server certificates should never have an encrypted key, as it then requires manual intervention to start

        • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






        ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




        This is accomplished through SAN profiles.




        • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



          • Line 164: SAN profiles begin


          • Line 260: V3 Profiles begin


          • Line 430: All required commands and information begin








        ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




        To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





        1. Create Required Directories:



          mkdir cacsr certs crl keys



        2. Create Required Files:



          echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



        3. Create CA



          openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




          • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





            1. Generate Server Cert CSR:



              openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



            2. Create and Sign cert with CA:



              openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



            3. Concatenate CA to Cert:



              type ca/ca.crt.pem >> certs/server.crt.pem



            4. Export to PKCS12:



              openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










        Additional Information




        • Index File

        • keyUsage & extendedKeyUsage



          • Definitions

          • KUs

          • EKUs



        • Key Exchange and EC Key Exchange


          • KEXs

          • EC-KEXs



        • Manuals






        share|improve this answer















        OpenSSL doesn't require an admin terminal.




        ...It is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes.





        • CA / ICA passphrase is utilized whenever signing new certs, as the CA / ICA should always have an encrypted key

        • Server certificates should never have an encrypted key, as it then requires manual intervention to start

        • Client certificates with an encrypted key would request the passphrase whenever the certificate is utilized.






        ...Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain




        This is accomplished through SAN profiles.




        • The default openssl.cnf from OpenSSL is quite difficult to parse for anyone not familiar one, so I created a custom, easy to understand openssl.cnf a few years ago on my GitHub



          • Line 164: SAN profiles begin


          • Line 260: V3 Profiles begin


          • Line 430: All required commands and information begin








        ...Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above?




        To keep things sane, I'll be using V3 profiles contained within my linked openssl.cnf above





        1. Create Required Directories:



          mkdir cacsr certs crl keys



        2. Create Required Files:



          echo 00 > crlcrlnumber && type NUL > index && type NUL > rand && echo 00 > serial



        3. Create CA



          openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout caca.key.pem -out caca.crt.pem -config .openssl.cnf -extensions v3_ca




          • CA Key Passphrases: 20 character minimum, containing 2: uppercase, lowercase, numbers, & symbols





            1. Generate Server Cert CSR:



              openssl req -out cacsrserver.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout keysserver.key.pem -config .openssl.cnf -extensions v3_sophos -nodes



            2. Create and Sign cert with CA:



              openssl x509 -req -sha512 -days 3650 -in cacsrserver.csr -CA caca.crt.pem -CAkey caca.key.pem -CAserial .serial -out certsserver.crt.pem -extfile .openssl.cnf -extensions v3_sophos



            3. Concatenate CA to Cert:



              type ca/ca.crt.pem >> certs/server.crt.pem



            4. Export to PKCS12:



              openssl pkcs12 -export -out certsserver.p12 -inkey certsserver.key.pem -in certsserver.crt.pem -certfile caca.crt.pem










        Additional Information




        • Index File

        • keyUsage & extendedKeyUsage



          • Definitions

          • KUs

          • EKUs



        • Key Exchange and EC Key Exchange


          • KEXs

          • EC-KEXs



        • Manuals







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Oct 28 '18 at 10:44

























        answered Aug 30 '18 at 15:07









        JW0914JW0914

        654510




        654510






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1260620%2fhow-to-create-a-windows-localhost-certificate-based-on-a-local-ca%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to make a Squid Proxy server?

            Is this a new Fibonacci Identity?

            19世紀