HowTo (Creating SSL Certificates using OpenSSL)

angelaprice7172 · 2010-05-25T22:35:38.000Z

I am looking for help to do this task and was advised I should create a How To even though I do not have the full answer. My original question can be found here, if you need to know why I am trying to do this.

http://community.spiceworks.com/topic/99752?page=1#entry-411458

Here are my instructions for creating SSL Certificates using OpenSSL, it falls over at creating the master certificate. I think it has to do with the install directory.

Recommendations or better instructions for creating my own ssl certs for spiceworks and client machines would be appreciated.

----- Install OpenSSL -----

Logon as Administrator and install openssl-0.9.8h-1-setup.exe (follow default prompts)
Check Installation Directory for Openssl.exe is C:\Program Files\GnuWin32\bin
Add C:\Program Files\GnuWin32\bin to System Variable System Path “PATH” (to ensure that the openssl command will run from any command prompt directory)

----- Prepare System for Use -----

Logon as user and open command prompt
Change directory to C:\netadmin and create directory SSL (this is our working directory)
md ssl
Change directory to C:\netadmin\ssl and create the following directories:
md keys

md requests

md certs

Create the following text files by entering the following (where next line indicates carriage return and ^Z indicates Ctrl-Z)

copy con database.txt
^Z

copy con serial.txt
01
^Z

----- Create Certificate Authority (CA) -----

Create a 1024-bit private key

openssl genrsa -des3 -out keys/ca.key 1024

Enter PEM pass pharase (choose a memorable pass phrase to use for this key)
Verifying password - Enter PEM pass phrase (type your pass phrase again for verification)

----- Create Master Certificate -----

Next we create a master certificate based upon this key, to use when signing other certificates

openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

Enter PEM pass phrase (type your pass phrase here)
Enter Country Name:
Enter State or Province Name:
Enter Locality Name:
Enter Organisation Name:
Enter Organisational Unit Name:
Enter Common Name (eg your website domain name):
Enter Email Address:

----- Export CA Certificate in PKCS12 Format -----

Convert the pem file to a der file for use by client machines

openssl x509 -in ca.pem -outform DER -out ca.der

josephdyer8037 · 2010-06-02T20:08:09.000Z

I don’t know if this will help you, but this is how I created and installed a cert from Starfield (godaddy). I imagine it will work for any other CA.

Download and install openssl 0.9.8h. Just need it for the openssl.cnf file.
Open a command prompt and browse to the ssl folder in the Spiceworks application folder (ie "cd C:\Program Files\Spiceworks\httpd\ssl"
Type the following two commands substituting server.company.com for the fully qualified domain name for the Spiceworks application. Include the two periods “…”, unless you have different relative paths to the openssl.exe installed with SW. Remember the passphrase you type in!

…\bin\openssl genrsa -des3 -out priv-server.company.com.pem 2048

…\bin\openssl req -config “C:\Program Files (x86)\GnuWin32\src\openssl\0.9.8h\openssl-0.9.8h\apps\openssl.cnf” -new -key priv-server.company.com.pem -out server.company.com.csr
Upload the csr file to Starfield

When the new cert is returned from Starfield, both the new cert and the bundle extract them to the ssl directory

If you made a passphrase for the private key, these two steps will remove it:

rename the priv-server.company.com.pem to old-priv-server.company.com.pem

…\bin\openssl rsa -in old-priv-server.company.com.pem -out priv-server.company.com.pem
These two steps convert the crt format to pem for the starfield cert:

…\bin\openssl x509 -in server.company.com.crt -out server.company.com.der -outform DER

…\bin\openssl x509 -in server.company.com.der -inform DER -out server.company.com.pem -outform PEM
These two steps convert the starfield bundle crt format to pem:

…\bin\openssl x509 -in sf_bundle.crt -out sf_bundle.der -outform DER

…\bin\openssl x509 -in sf_bundle.der -inform DER -out sf_bundle.pem -outform PEM

In httpd\conf\httpd.conf change/add the following lines (should copy the original file first):

 SSLCertificateFile "ssl/server.company.com.pem"
 SSLCertificateKeyFile "ssl/server.company.com.pem"
 SSLCertificateChainFile "ssl/sf_bundle.pem"

Restart Spiceworks

milanchaudhari · 2010-08-09T16:07:21.000Z

Good info…
I was searching for this only.

mioszsuchy3633 · 2010-12-31T03:11:25.000Z

Or you can use this little JAVA app - http://portecle.sourceforge.net/

kaismets9585 · 2011-03-30T05:28:15.000Z

i’ve done this on school it was slightly different but almost the same good how to

craigshuey · 2012-01-16T12:05:33.000Z

I could not get this to work. The installation, including sources, did not have an OPENSSL.CNF file. There was a strange file called OPENSSL with no extension that Windows Server thought was a speed dial applet. I even tried renaming this to OPENSSL.CNF with no success. This is the fourth community article on this and none of them are complete or seem to work. It would be NICE if Spiceworks technical support actually reviewed these or gave us instructions that WORKED on Windows Servers.

rs51901 · 2012-04-02T10:20:31.000Z

@Craig9848:

Follow these steps to help you get past the openssl.cnf error:

irwinj.blogspot.com

Unable to load config info from /usr/local/ssl/openssl.cnf

Attempting to generate a Certificate Signing Request (CSR) using Apache and OpenSSL on Windows Server 2003 I received the following error me...

fraserpeakman7238 · 2012-07-31T09:06:42.000Z

Thank you Joseph6282 your instructions worked like a charm.

stuart8776 · 2012-08-24T13:28:46.000Z

Thanks for this info; have been needing to research it.

salmankv6843 · 2014-04-10T09:55:19.000Z

So now I can go with free ssl (openssl), I cam make replay after testing it, Thanks for the info.