Create a self-signed SSL Certificate using OpenSSL in Windows

Preparation

Unfortunately, there is no official OpenSSL client for Windows. However, you could download it from WinOpenSSL.

Then you can use the OpenSSL utility to generate a Private Key, Certificate Signing Request (CSR) and Self-Signed Certificate.

Run the openssl.exe in Command Prompt or PowerShell, the executable will be located in folder C:\Program Files\OpenSSL-Win64\bin\ if you install the 64bit version.

First Step - Generate a Private Key

  1. Enter the following command to create your RSA Private Key:

    genrsa -des3 -out localhost.key 2048
  2. After pressing Enter, you will be asked to enter a pass phrase for the localhost.key. You must type pass phrase in 4 to 1023 characters.

    Generating RSA private key, 2048 bit long modulus (2 primes)
    ......................................................+++++
    ..+++++
    e is 65537 (0x010001)
    Enter pass phrase for localhost.key:
  3. The localhost.key will be generated in the current folder, this is required later in the procedure.

Second Step - Generate a CSR (Certificate Signing Request)

In order for the self-signed SSL cert to work, you need to provide the Subject Alternative Name to the CSR. The easiest way to provide the subjectAltName is to use a config template when generating the CSR.

Example Configuration File

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext

[ dn ]
C = SG
ST = Singapore
L = Seletar
O = Rolls-Royce
OU = APAC
emailAddress = [email protected]
CN = localhost

[ req_ext ]
subjectAltName = @alternate_names

[ x509_ext ]
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1

The command to generate the CSR is as follows:

req -new -key localhost.key -sha256 -out localhost.csr -config san.cnf

To view the output of the generated CSR enter the following command at the prompt:

OpenSSL> req -in localhost.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = [email protected], CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
                    4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
                    88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
                    55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
                    ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
                    e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
                    4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
                    a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
                    6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
                    ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
                    01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
                    5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
                    af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
                    1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
                    ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
                    f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
                    2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
                    0f:db
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         ad:85:70:51:27:73:c8:b0:8d:09:ae:69:3f:ee:fc:5a:3d:28:
         40:20:4e:56:23:03:9c:4c:7a:46:e8:d4:09:db:28:7c:f1:ac:
         10:66:60:9c:38:66:56:89:13:1a:59:b7:ab:59:e6:a7:38:83:
         9b:89:77:12:0c:39:ef:60:c9:c0:a6:a2:99:70:0b:52:9b:dc:
         c5:81:e2:45:48:32:86:1f:14:7e:92:c6:5b:c2:81:23:33:4d:
         23:59:02:66:a5:03:5a:ba:4f:13:ca:d8:de:26:68:ee:bf:db:
         6e:73:93:22:3d:a0:6e:c1:45:6a:9d:db:7d:14:ae:4c:2f:a2:
         fb:28:5d:3e:d1:54:92:f6:a0:fb:04:1c:87:24:0d:7f:47:36:
         7c:2d:26:3a:63:4f:40:03:0a:8e:0e:1e:f9:ea:27:d9:50:0a:
         6e:83:ab:df:b0:f6:db:e8:12:0d:19:43:eb:31:cd:d7:f6:5e:
         73:61:e9:65:2d:08:45:b8:50:0b:4e:54:a2:aa:d5:1d:24:00:
         12:a3:58:a5:d3:39:fa:24:f9:fb:91:4d:2c:23:e6:0b:77:b2:
         49:a2:77:d7:62:20:e6:fd:69:93:da:b2:8f:4d:7e:c3:fb:b1:
         f7:4d:5b:f9:aa:99:50:9a:d2:e5:a3:a4:cc:df:0f:77:e4:b0:
         98:7f:4e:37

Third Step - Generating a Self-Signed Certificate

Then you will use the OpenSSL tool to generate a temporary certificate, if you provide the SAN correctly, it will no longer generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a certificate which is good for 365 days, enter the following command:

x509 -req -days 365 -in localhost.csr -signkey localhost.key -sha256 -out localhost.crt -extfile san.cnf -extensions

To view the output of the generated SSL Certificate enter the following command at the prompt:

OpenSSL> x509 -in localhost.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:ad:82:a1:20:c3:17:a6:7d:b2:76:ed:90:ab:4d:52:2a:47:14:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = [email protected], CN = localhost
        Validity
            Not Before: Jun 13 02:58:15 2019 GMT
            Not After : Jun 12 02:58:15 2020 GMT
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = [email protected], CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:b0:96:8b:c5:ab:88:0e:5e:9b:d6:7f:e7:25:
                    4d:8d:56:4b:9b:79:47:81:ee:28:53:38:68:e8:04:
                    88:0b:d0:ee:a7:60:14:36:59:5b:93:e8:ae:73:4a:
                    55:7d:88:f5:db:54:cd:2b:40:a8:f3:00:bc:67:c8:
                    ba:fd:73:60:2a:24:b1:07:09:eb:3a:d5:c3:d5:92:
                    e9:e6:1d:97:02:1d:b4:2c:b7:8f:e8:df:e2:49:9a:
                    4c:49:78:6a:c3:1f:4a:55:23:05:06:46:39:0e:75:
                    a5:45:f4:7f:32:bb:42:26:3a:b2:1c:3a:fa:b5:ce:
                    6f:97:05:0e:18:af:d6:32:32:33:61:18:75:b1:05:
                    ed:18:cc:0b:a9:a9:a0:46:46:3e:f8:20:42:21:9b:
                    01:23:9d:69:63:d8:c4:8d:5e:9d:cf:30:1d:e4:51:
                    5e:c7:35:dc:a0:07:97:57:1a:84:16:8f:40:9d:0e:
                    af:77:03:ee:8a:ee:b9:b1:c8:64:56:94:96:f7:f2:
                    1a:9a:dd:04:b2:ef:7c:8b:08:28:b0:58:7d:21:84:
                    ae:71:4e:64:ef:aa:0d:97:4a:4e:6b:ab:cc:bb:18:
                    f9:cf:c9:8e:70:b9:27:c5:f2:b5:d8:7f:92:2d:55:
                    2c:37:3d:1c:18:1c:d5:33:9f:4c:bb:4b:3a:ca:30:
                    0f:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         a4:98:fe:3b:f3:2f:11:79:29:3a:60:25:ab:6f:e8:f2:c2:09:
         5f:6c:5f:46:08:f2:39:04:bf:e5:bc:36:68:59:cc:48:60:ac:
         69:a7:aa:ba:b3:0e:95:72:8c:84:53:aa:ae:b9:22:92:32:48:
         2b:e7:e6:c8:73:5a:1f:72:9c:1f:35:52:c7:43:47:98:50:49:
         2f:f9:ea:a9:94:fb:b9:1d:be:9a:45:90:17:a2:f2:d7:8d:b8:
         66:23:72:f1:4e:f7:c2:07:ea:f3:f2:13:ba:16:cb:12:99:96:
         0c:af:8a:f6:4f:cf:8f:b0:b7:44:34:09:7d:ba:59:ae:07:5d:
         80:99:c6:b4:8b:96:cb:db:f7:31:e4:f1:b5:17:2e:c8:45:3a:
         b9:00:03:0d:db:95:55:7e:bc:8e:a3:81:13:ad:3b:f0:6e:20:
         c8:06:f4:05:7a:31:4e:ef:0c:2e:14:67:a1:37:79:92:ca:e6:
         1f:cb:56:f9:21:3e:a5:14:cb:07:31:e0:dd:4c:a8:d2:f6:ab:
         67:f3:07:63:02:0a:0e:71:1d:41:f1:72:a4:11:57:22:08:a4:
         a9:14:40:2a:94:8d:fc:f9:0d:62:43:ff:21:92:18:eb:39:1b:
         5e:8f:0f:13:da:27:fd:cd:04:f6:8c:1d:b7:85:79:eb:1a:13:
         03:66:85:34

Final Step - Importing Certificate

Hold down the Windows Key and Press R on your keyboard. The run dialog box will open. Type in mmc then press ENTER.

The Certificate Manager will open then import the localhost.csr into Trust Root Certification Authorities.

From now, your browser will not make complain anymore. (You may need to import the cert in Chrome as well).

你可能感兴趣的:(ssl证书,openssl)