![]() Openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -subj “/C=BE/ST=/L=Brussels/O=Didier -config openssl.cnf This extra information can be passed via the command line too, with command option -subj: When we use command req like we did, we are prompted for extra information. Then we can issue commands without referencing the openssl.cnf explicitly: Set OPENSSL_CONF= c:\Demo\openssl-1.1.1i_2-win32-mingw\openssl.cnf If we do not use this command option on Windows, we get an error: Can't open C:/Windows/System32/OpenSSL/ssl/openssl.cnf for reading, No such file or directoryĢ2256:error:02001003:system library:fopen:No such process::0:fopen('C:/Windows/System32/OpenSSL/ssl/openssl.cnf','r')Ģ2256:error:2006D080:BIO routines:BIO_new_file:no such file::0:Įven if we run openssl.exe in the same folder as openssl.cnf.Īnother option is to set environment variable OPENSSL_CONF to point to the configuration file: ![]() That is why on Windows, we use command option: -config openssl.cnf Some OpenSSL commands (like the req command we used) require the openssl.cnf configuration file. Signtool sign /f ia.p12 /fd sha256 /td sha256 /tr Dialog42.exe Then it can be used to sign a Windows PE file: Openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt To use this subordinate CA key for Authenticode signatures with Microsoft’s signtool, you’ll have to package the keys and certs in a PKCS12 file: In a production environment, you want to protect your keys with passwords. And I did not use passwords to protect my keys. When you buy a code signing certificate, the CA company will limit its use to code signing. It can be used for anything, even making another subordinate CA. For example, I didn’t restrict my subordinate CA key usage to digital signatures. Consult the OpenSSL documentation for more info. That’s all there is to it! Of course, there are many options I didn’t use. ![]() ![]() You can also inspect this certificate (ia.crt) with Windows: For the root CA, I let OpenSSL generate a random serial number. The certificate (ia.crt) will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert (-set_serial 01). Openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt -extfile altname.cnf This subjectAltName is necessary, since Google Chrome version 58 and later no longer use the CN when there is no subjectAltName.Īfter creating this altname.cnf file, we can issue this command to create the subordinate CA signed by the root CA: SubjectAltName=DNS:I use the same value as I used for the Common Name (CN). We need a small text file (altname.cnf), with the following content: Here the command requires an extra option, that I did not use in previous how-tos. Next step: process the request for the subordinate CA certificate and get it signed by the root CA. If they are the same, you will get an error later on when creating the pkcs12 file. Make sure that the Common Name you enter here is different from the Common Name you entered previously for the root CA. Openssl req -new -key ia.key -out ia.csr -config openssl.cnf Then, request a certificate for this subordinate CA: Next step: create our subordinate CA that will be used for the actual signing. On Windows, you can double-click the root certificate we just created (ca.crt), and inspect it: 1826 days gives us a cert valid for 5 years. The -x509 command option is used for a self-signed certificate. Openssl req -new -x509 -days 1826 -key ca.key -out ca.crt -config openssl.cnf Next, we create our self-signed root CA certificate ca.crt you’ll need to provide an identity for your root CA: If you want to password-protect this private key, add command option -aes256 to encrypt the private key with AES using a key derived from a password you will be prompted for. It is stored inside file ca.key as printable text ( PEM format): This generates a private key that is not password protected. I issue the command “openssl version”, to check that I can run OpenSSL.Īnd just like in my previous how-to(s), I’m creating 2 certificates (not just one self-signed certificate): one root certificate and one subordinate certificate.įirst we generate a 4096-bit long RSA key for our root CA and store it in file ca.key: Then open a command-line (I’m using cmd.exe) and go to the unzipped folder: This OpenSSL version from the Curl developers is packaged inside a ZIP file: it requires no installation with administrative rights. I chose the 32-bit version, so that you can still follow along in case you have to do this on a 32-bit computer. This time, I’m using the OpenSSL Windows binaries provided by the Curl developers: As several things have changed since I published “ Howto: Make Your Own Cert With OpenSSL on Windows” 5 years ago, I’m publishing an updated how-to.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |