Hello Everyone,

just wanted to contribute a short HOWTO as I have been spending the
last few days reading google groups, the openssl HOWTOs and didn't
really find a good one that teaches you how to get it done... any
comments appreciated!

anyway, great work OpenSSL team!

How to use OpenSSL to act as a CA to sign an IIS certificate request for SSL use

1. Create a certificate request via the Internet Services Manager under
'Directory Security->Secure Communication->Server Certificate'. This
is found under the property tab for the webserver you want to secure.
Follow the wizard to create a certificate request and fill up all
required details. At the end of the wizard, it will generate a
certreq.txt file. Move this to your favorite linux box (e.g Debian) or
run openssl under cygwin.

2. We now have to generate a private key using OpenSSL

openssl genrsa -des3 -out cakey.pem 2048

The process will prompt you to supply a PEM pass phrase to help secure the key.

3. Now we have to create a CA certificate for our bogus CA

openssl req -new -x509 -key cakey.pem -out cacert.pem -days 1825

4. Create the following directories in your home directory


Also create in demoCA a empty text file called 'index.txt' and a text
file called 'serial' with the numbers '01'

5. Move your private key cakey.pem to the demoCA/private directory
and cacert.pem to demoCA/

6. Sign our previously created IIS certificate request

openssl ca -in certreq.txt -out iis.cer

7. Open iis.cer in your favorite text editor (eg vi) and remove all the text
before the line '-- Begin Certificate --'. IIS is not able to handle
the text above that line and may get confused!

8. Move iis.cer back to your Windows machine and complete the
certificate request in IIS by importing the iis.cer file.

All done!

Best regards,
 Derek Chew En-Hock                   mailto:[EMAIL PROTECTED]

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to