On 6/8/2012 10:43 AM, Patrik Ahlin wrote:
> I am new to using OpenSSL. I have been using IIS for way too long and I want to start to sign
> SSL Certificates using SHA2/2048 bit. So I successfully generated a CSR using this method and
> was able to get it signed by DigiCert. I received a signed CER file back and now I am trying
> to get the keypair signed so I can install into IIS7.
>
> I am running Windows 7 Pro -- 32bit 2GB Ram
>
> Here is what I have.
>
> 1. I am using this website as a reference point.
>    a. http://www.trycatchfinally.net/2011/05/generate-an-x509-certificate-with-an-sha256-signature-hash/
> 2. Create the CSR Batch File.
>    a. openssl req -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr
> 3. Combine Private Key with the Public Key
>    a. openssl pkcs12 -export -in mydomain.cer -inkey mydomain.key -out mydomain.p12
>    b. It starts the process and requests the Export Passwords. When I have entered these
>       two I receive the following message.
>    c. "unable to write 'random state'"
>    d. What I get back is a file that has a bunch of garbage and is not usable by IIS7. Help?
>
> *Patrik Ahlin | Rush Order, Inc., 6600 Silacci Way, Gilroy, CA 95020 | t (408) 848-3525 | f (408) 848-5784*
"Unable to write random state" is a normal warning on Windows platforms, because it tries to write to HKLM; you can use an elevated prompt to get rid of it or ignore it, since the random state continually changes anyway.

You would normally import the p12/pfx file into the system certificate store first (using MMC), which will ask you for the password, and then use IIS Manager to select a system certificate pair to use for SSL. The process is the same no matter how you create the certs. You can also individually import the key and the signed cert, if you wish. If you rename it to .pfx, maybe it'll work easier; that's the standard Windows file extension for PKCS#12.

Note: a p12 file should look like garbage in a text viewer; they're never base64 encoded.

Joshua Bowman
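As an added example (not from either message in the thread), the CSR-to-PKCS#12 steps above carried through in a POSIX shell, with a self-signed certificate standing in for the DigiCert-issued .cer, followed by the checks that tell a valid bundle from a corrupt one without relying on how it looks in a text viewer. Assumptions: `openssl` is on PATH; the `WORK` directory, the subject name and the export password are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the CSR -> PKCS#12 flow and verify the result.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:ExportPassw0rd"   # constructed export password for this example

# Step 2 of the original post: SHA-256 CSR with an unencrypted 2048-bit RSA key.
make_csr() {
    openssl req -nodes -sha256 -newkey rsa:2048 \
        -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.csr" \
        -subj "/CN=mydomain.example" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
# In the real flow the .cer returned by the CA is used here instead.
sign_csr() {
    openssl x509 -req -sha256 -days 30 -in "$WORK/mydomain.csr" \
        -signkey "$WORK/mydomain.key" -out "$WORK/mydomain.cer" 2>/dev/null
}

# Step 3: bundle key + cert into PKCS#12, named .pfx as Windows expects.
# (OpenSSL 3 defaults to AES/PBKDF2; older Windows importers may need -legacy.)
make_pfx() {
    openssl pkcs12 -export -in "$WORK/mydomain.cer" -inkey "$WORK/mydomain.key" \
        -out "$WORK/mydomain.pfx" -passout "$PASS" 2>/dev/null
}

# Check 1: PKCS#12 is DER, so byte 0 must be 0x30 (ASN.1 SEQUENCE tag).
# This is exactly why the file looks like "garbage" in a text editor.
pfx_is_der() {
    [ "$(od -An -tx1 -N1 "$WORK/mydomain.pfx" | tr -d ' \n')" = "30" ]
}

# Check 2: OpenSSL can parse the bundle with the export password.
pfx_parses() {
    openssl pkcs12 -in "$WORK/mydomain.pfx" -info -noout -passin "$PASS" 2>/dev/null
}

# Check 3: the certificate inside the bundle is the one that went in.
pfx_cert_matches() {
    inner=$(openssl pkcs12 -in "$WORK/mydomain.pfx" -nokeys -clcerts -passin "$PASS" 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256)
    outer=$(openssl x509 -in "$WORK/mydomain.cer" -noout -fingerprint -sha256)
    [ -n "$inner" ] && [ "$inner" = "$outer" ]
}

run_all() {
    make_csr && sign_csr && make_pfx && pfx_is_der && pfx_parses && pfx_cert_matches
}
```

The same three checks apply to a bundle built on Windows after the "unable to write 'random state'" warning: if they pass, the warning did not damage the output.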
