Introduction
This article describes how to use OpenSSL, free software, to create certificate signing requests (CSRs) for SSL certificates, submit them to certificate authorities (CAs), and then process the response into a certificate file that can be imported into the Windows certificate store.

Almost every website that describes how to generate SSL certificates on Windows assumes the use of IIS or Windows Certificate Services. IIS does have a nice GUI for generating CSRs and then processing the response from the CA into a certificate Windows can use, but it is not always installed (SSL is used for more than just serving web pages), and Windows Certificate Services might not be deployed, especially at smaller businesses. I needed to create a certificate, signed by GoDaddy, for use by SQL Server.
OpenSSL
OpenSSL is useful for many SSL-related things; in our case, we use it to:
- generate a CSR (to be sent to the CA) and a private key
- combine the response from the CA with the private key to create a certificate file Windows will import
I got most of my information from Useful OpenSSL Commands.
Install OpenSSL
I installed OpenSSL from SourceForge; I find that the first download labeled "setup" works well.
Generate a CSR
Here's an example command that works on 64-bit Windows (notice the (x86) in the config path):
>openssl req -new -newkey rsa:2048 -keyout hostkey.pem -nodes -out hostcsr.pem -config "c:\program files (x86)\gnuwin32\share\openssl.cnf"
The -nodes switch writes the private key to hostkey.pem without a passphrase, so protect that file with filesystem permissions and do not leave it in a shared location.
You'll note that the directions I linked to above do not specify the -config switch. It turns out that if you do not, OpenSSL will error out; this is because there is no default location for config files on Windows. Here is the error:
Unable to load config info from /usr/local/ssl/openssl.cnf
After you run the above, you'll be prompted to enter information for the CSR. If using SQL Server, you need to enter the fully qualified domain name (FQDN) of the server as the Common Name. When prompted for 'extra' attributes, do not specify a challenge password, or you will get something like the following error:
Error adding attribute
4516:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:./crypto/asn1/asn1_lib.c:381:
4516:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:./crypto/x509/x509_att.c:317:
problems making Certificate Request
If all went well, you will now have hostkey.pem and hostcsr.pem in the working directory. hostcsr.pem is what you send to the CA; often you'll just copy the contents into some text field in a web form. hostkey.pem contains your private key and should never be transmitted to a CA.
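The same CSR generation, scripted from PowerShell so that the subject is supplied on the command line and OpenSSL never shows the interactive prompts (including the 'extra' attributes prompt). This is an added example, not part of the original article; it assumes openssl.exe is on the PATH, the GnuWin32 config path from above, and placeholder values for the FQDN and the organization/location fields.

```powershell
# Added example, not from the original article. Assumes openssl.exe is on PATH and the
# GnuWin32 config path below; the FQDN and organization/location fields are placeholders.
$OpenSslCnf = 'C:\Program Files (x86)\GnuWin32\share\openssl.cnf'
$Fqdn       = 'some.example.com'      # the server's FQDN, used as the Common Name
$KeyFile    = 'hostkey.pem'
$CsrFile    = 'hostcsr.pem'

# -subj supplies the whole subject up front, so openssl asks no questions and the
# challenge-password prompt never appears. -nodes writes the private key unencrypted,
# so the file itself has to be protected.
& openssl req -new -newkey rsa:2048 -sha256 -nodes `
    -keyout $KeyFile -out $CsrFile `
    -subj "/C=US/ST=WA/L=Seattle/O=Example Corp/CN=$Fqdn" `
    -config $OpenSslCnf
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Restrict the unencrypted key file to Administrators and SYSTEM (drops inherited ACEs).
& icacls $KeyFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(R)' | Out-Null

# Show what the CA will actually see: the subject and the key size.
& openssl req -noout -text -in $CsrFile | Select-String 'Subject:', 'Public-Key'

# The CSR must carry the public half of the key just written; compare the two public keys.
$csrPub = (& openssl req -noout -pubkey -in $CsrFile) -join "`n"
$keyPub = (& openssl rsa  -pubout -in $KeyFile 2>$null) -join "`n"
if ($csrPub -ne $keyPub) { throw "CSR and private key do not match" }
"CSR $CsrFile is ready to paste into the CA's web form; keep $KeyFile private."
```

The public-key comparison is cheap insurance: if a second run of the command overwrote hostkey.pem after the CSR was submitted, the certificate the CA returns will not match the key on disk, and this check catches it before the CSR leaves the machine.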
Generate a PKCS#12 (.p12) certificate file
If all went well, you should have gotten a response from your CA with something like a .crt file. I put in the equivalent of some.example.com as the Common Name and got the file some.example.com.crt from GoDaddy. Drop that file in the same directory as hostkey.pem, which you created when generating the CSR. Windows cannot directly use these two files; instead, you need to combine them into a PKCS#12 file like so:
>openssl pkcs12 -export -in some.example.com.crt -inkey hostkey.pem -out some.example.com.p12
You will be prompted for an export password; it protects the private key inside the .p12 file, and Windows will ask for it again when you import the file.
Import the certificate into Windows
Now you're ready to import the certificate (some.example.com.p12). The following covers importing a certificate to be used by SQL Server; you might want to tweak where you import the certificate for other purposes.
- To open the Certificates snap-in, follow these steps:
  - To open the MMC console, click Start, and then click Run. In the Run dialog box type: mmc
  - On the Console menu, click Add/Remove Snap-in....
  - Click Add, and then click Certificates. Click Add again.
  - You are prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
  - Select Local computer, and then click Finish.
  - Click Close in the Add Standalone Snap-in dialog box.
  - Click OK in the Add/Remove Snap-in dialog box. Your installed certificates are located in the Certificates folder in the Personal container.
- Use the MMC snap-in to install the certificate on the server:
  - Click to select the Personal folder in the left-hand pane.
  - Right-click in the right-hand pane, point to All Tasks, and then click Import....
  - Follow the wizard.
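The packaging and import steps above, scripted in PowerShell with the checks a practitioner would want around them: that the CA's certificate really matches hostkey.pem, that any intermediate bundle the CA supplied goes into the .p12 so the chain is complete, and that the imported certificate has its private key and chains to a trusted root. This is an added example, not part of the original article. It assumes openssl.exe is on the PATH, the PKI module that provides Import-PfxCertificate (Windows 8 / Server 2012 and later), an elevated PowerShell prompt, and that the CA's intermediate bundle, if any, was saved as gd_bundle.crt (a placeholder name).

```powershell
# Added example, not from the original article. Assumes openssl.exe on PATH, the PKI
# module (Import-PfxCertificate), an elevated prompt, and the placeholder file names below.
$Fqdn      = 'some.example.com'
$CertFile  = "$Fqdn.crt"          # the CA's response
$KeyFile   = 'hostkey.pem'        # the private key generated with the CSR
$ChainFile = 'gd_bundle.crt'      # intermediate certificate(s), if the CA supplied them
$PfxFile   = "$Fqdn.p12"

# 1. The CA must have signed the key we generated; compare public keys before packaging.
$certPub = (& openssl x509 -noout -pubkey -in $CertFile) -join "`n"
$keyPub  = (& openssl rsa  -pubout -in $KeyFile 2>$null) -join "`n"
if ($certPub -ne $keyPub) { throw "$CertFile was not issued for the key in $KeyFile" }

# 2. Build the PKCS#12 file. -certfile adds the intermediates so Windows can build the
#    chain. The export password protects the private key inside the .p12 and is needed
#    again at import; it is handed to openssl through an environment variable rather than
#    on the command line so it does not appear in the process list.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 export password'
$env:PFX_PW  = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
$chainArgs   = if (Test-Path $ChainFile) { @('-certfile', $ChainFile) } else { @() }
& openssl pkcs12 -export -in $CertFile -inkey $KeyFile @chainArgs `
    -name $Fqdn -out $PfxFile -passout env:PFX_PW
Remove-Item Env:\PFX_PW
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

# 3. Import into Local Computer > Personal (Cert:\LocalMachine\My), the same store the
#    MMC wizard above targets, keeping the private key with the certificate.
$cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 4. Confirm the result: subject, expiry, and that the private key came along.
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
if (-not $cert.HasPrivateKey) { throw "import succeeded but no private key is attached" }

# 5. Verify the full chain is trusted on this machine; a missing intermediate shows up here.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

If you are running OpenSSL 3.x and an older Windows release rejects the .p12 with a "password is incorrect" message, add the -legacy switch to the openssl pkcs12 command: OpenSSL 3 defaults to AES and PBKDF2 for the container, which those Windows versions cannot decode.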
If you are setting up SQL Server encryption, all the above should fit nicely into this article.