25 July 2013 16:21

We're going to see here how to create a self-signed SSL certificate, so that we can use it for various tasks (Remote Desktop Connection, web server, email server, etc.).

We will use OpenSSL for this task. I'll explain the software installation and the certificate creation using a Windows 7 x64 OS.

Although it is self-signed, it is cryptographically strong (AES256 / RSA4096), but it can be compromised by a high-grade attack (needing either physical access to the server or a man-in-the-middle attack).
So purchasing a certificate from a real authority may be a good professional choice, if such a level of attack is to be feared.


Installing OpenSSL

If you don't want to build OpenSSL yourself, there are some ready-made binaries.
I use this one:

http://www.slproweb.com/products/Win32OpenSSL.html

which is linked from the official www.openssl.org webpage.


For a little peace of mind, a VirusTotal scan is possible.

We only need the Light version, and it has an installer.
The latest version for x64 is Win64OpenSSL_Light-1_0_1e at the time of this writing.
We probably need the Windows 2008 redistributable, so we get it too; the link is on the same webpage (vcredist_x64 here).


If you get a warning when trying to install OpenSSL, first install the 2008 Redistributable.



Creating a certificate and private key with OpenSSL


We launch the command line with admin rights.

We navigate to the OpenSSL bin folder (likely C:\OpenSSL-Win64\bin\).



We generate the private key.

Type:
openssl genrsa -des3 -out certificate.key 4096


Take good note of your passphrase (let's call it [passphrase1]).




We create the Certificate Signing Request.

Type:

openssl req -new -key certificate.key -out certificate.csr
The first question is about [passphrase1].



We create the certificate.
Type:

openssl x509 -req -days 365 -in certificate.csr -signkey certificate.key -out certificate.crt
The first question is about [passphrase1].


If we want to remove the password from the private key, type:

openssl rsa -in certificate.key -out certificate.key

(The password asked for is [passphrase1].)



We can now go to the \OpenSSL-Win64\bin\ folder and get:

the certificate (certificate.crt)
the private key (certificate.key)




We're using self-signed certificates, so software and antivirus products will rightfully try to keep us from using them. We therefore have to use temporary or permanent exceptions to deal with this.
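
The script below is an added example, not part of the original post: a POSIX shell script (openssl must be on the PATH) that checks the files the procedure produces. It tells whether the key is still passphrase-protected, whether certificate.crt really carries the public key of certificate.key, whether issuer equals subject, and it prints the SHA-256 fingerprint that users can compare before accepting an exception. The function names, the 2048-bit demo key, the demo passphrase and the demo.invalid subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: sanity checks for certificate.crt / certificate.key.

# 0 if the key file is still passphrase-protected (PEM header says ENCRYPTED).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# 0 if the certificate carries the public key of this RSA private key.
# $3 (optional): passphrase source in openssl -passin syntax, e.g. pass:secret
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 2
    k=$(openssl rsa -in "$2" ${3:+-passin "$3"} -noout -modulus 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# 0 if issuer equals subject, as it does on a self-signed certificate.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${s#*=}" = "${i#*=}" ]
}

# SHA-256 fingerprint, to give to users out of band so the exception they
# accept is for this certificate and not for one presented by someone else.
fingerprint() {
    f=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    printf '%s\n' "${f#*=}"
}

# 0 if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo pair: the three commands above made non-interactive.
# Key size, passphrase and subject are throwaway values (assumptions).
make_demo_pair() {
    openssl genrsa -des3 -passout pass:demo-only -out "$1/certificate.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/certificate.key" -passin pass:demo-only \
        -subj "/CN=demo.invalid" -out "$1/certificate.csr" &&
    openssl x509 -req -days 365 -in "$1/certificate.csr" -passin pass:demo-only \
        -signkey "$1/certificate.key" -out "$1/certificate.crt" 2>/dev/null
}

d=$(mktemp -d) && make_demo_pair "$d" || exit 1
key_is_encrypted "$d/certificate.key" && echo "key: passphrase-protected"
pair_matches "$d/certificate.crt" "$d/certificate.key" pass:demo-only && echo "pair: match"
is_self_issued "$d/certificate.crt" && echo "issuer equals subject"
valid_for_days "$d/certificate.crt" 30 && echo "valid for at least 30 more days"
echo "SHA-256 fingerprint: $(fingerprint "$d/certificate.crt")"
rm -rf "$d"
```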

Published by computer outlines - in Windows Server 2008 R2