>From: [email protected] On Behalf Of Patrik Ahlin
>Sent: Friday, 08 June, 2012 13:44

>I am new to using OpenSSL.  I have been using IIS for way too long 
>and I want to start to sign SSL Certificates using SHA2/2048 bit.  
>So I successfully generated a CSR using this method and was able to 
>get it signed by DigiCert.  I received a signed CER file back and 
>now I am trying to get the keypair signed so I can install into IIS7.

Minor corrections: you aren't signing any certificate(s); the cert is 
(issued and) signed by digicert. The cert isn't merely a signed CSR; 
it shares some fields but also has important differences.

>1. I am using this website as a reference point.
>a. http://www.trycatchfinally.net/2011/05/generate-an-x509-certificate-with-an-sha256-signature-hash/

That page is 404 when I try it.

>2. Create the CSR Batch File.
>a. openssl req -nodes -sha256 -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr

Nit: -sha256 on your request (CSR) shouldn't matter. What matters 
is selecting the option "Use SHA-2" on the digicert order page.
(OTOH the keysize you generate does matter.)

>3. Combine Private Key with the Public Key
>a. openssl pkcs12 -export -in mydomain.cer -inkey mydomain.key -out mydomain.p12
>b. It starts the process and requests the Export Passwords.  

IHYM it requested two entries of the one export password.

>When I have entered these two I receive the following message.
>c. "unable to write 'random state'"

That does no harm; it just means that your default RANDFILE 
isn't writable. An unmodified Windows build of openssl 
by default uses the root of your C: drive, which is normally 
restricted under newer versions of Windows. (In the dim past, 
C:\ was one of very few locations software could rely on.) 
Did it first say 'Loading 'screen' into random state'? If so, 
openssl used various Windows status as an entropy source even 
without the random-data file, which is usually good enough, 
especially for this short-term local encryption and even 
more especially when you left your private-key file clear.

>d. What I get back is a file that has a bunch of garbage 
>and is not useable by IIS7.  Help?

You got a PKCS#12 file, which is (mostly) encrypted binary 
data and will (should) look like gibberish to a human.

I'm not familiar with IIS (7 or otherwise), but my understanding 
was it uses the Windows cert(&key)store, which is maintained by 
the InternetOptions control-panel and/or an MMC Certificate snapin 
depending on the version and perhaps licensing of your Windows, 
and those (both) can import PKCS#12.

Where/how are you trying to use the PKCS#12, and what error(s) 
exactly do you get? That should at least hint at the problem.
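The CSR, issued-certificate and PKCS#12 steps from the exchange above, run end to end with the checks a practitioner would add before handing the bundle to IIS. This is an added example, not code from the original thread or from DigiCert/OpenSSL. Assumptions: `openssl` is on PATH; because no CA is reachable offline, a self-signed certificate made from the CSR stands in for the mydomain.cer DigiCert would return; the CN and export password are placeholders.

```shell
#!/bin/sh
# Added example: key + CSR -> (CA-issued) cert -> PKCS#12, non-interactively,
# with a key/cert match check and a parse-back of the resulting .p12.
# Assumptions: openssl on PATH; a self-signed cert stands in for the CA's.
set -u

# Point RANDFILE at a writable path so "unable to write 'random state'" cannot
# occur (an unmodified Windows build defaults to the root of C:, which is not
# writable on newer Windows).
setup_workdir() {
  workdir=$(mktemp -d)
  RANDFILE="$workdir/.rnd"; export RANDFILE
  echo "$workdir"
}

# Step 2 of the post: private key and CSR. The -sha256 here only affects the
# CSR's own self-signature; the CA chooses the hash on the issued certificate.
make_csr() {
  dir=$1; cn=$2
  openssl req -nodes -sha256 -newkey rsa:2048 -subj "/CN=$cn" \
    -keyout "$dir/mydomain.key" -out "$dir/mydomain.csr" 2>/dev/null
}

# Stand-in for the CA (assumption: in the real flow mydomain.cer comes back
# from DigiCert). Self-sign the CSR with its own key so the flow runs offline.
fake_ca_issue() {
  dir=$1
  openssl x509 -req -days 1 -sha256 -in "$dir/mydomain.csr" \
    -signkey "$dir/mydomain.key" -out "$dir/mydomain.cer" 2>/dev/null
}

# Check before packaging: the cert must carry the public key that belongs to
# the private key, otherwise the .p12 imports but the HTTPS binding fails.
# Comparing the RSA moduli is the classic way to verify this.
key_matches_cert() {
  dir=$1
  k=$(openssl rsa -noout -modulus -in "$dir/mydomain.key")
  c=$(openssl x509 -noout -modulus -in "$dir/mydomain.cer")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 3 of the post: bundle key and cert into a PKCS#12. The export password
# is passed on the command line instead of being typed twice at the prompt;
# -name sets the friendly name the Windows certificate store displays.
make_p12() {
  dir=$1; pass=$2
  openssl pkcs12 -export -in "$dir/mydomain.cer" -inkey "$dir/mydomain.key" \
    -name mydomain -passout "pass:$pass" -out "$dir/mydomain.p12"
}

# The .p12 is encrypted DER, so it looks like "garbage" in an editor. Prove it
# is intact by parsing it back and printing the subject of the contained cert.
p12_subject() {
  dir=$1; pass=$2
  openssl pkcs12 -in "$dir/mydomain.p12" -nokeys -clcerts \
    -passin "pass:$pass" 2>/dev/null | openssl x509 -noout -subject
}

# Whole flow in a scratch directory; returns 0 only if every step and check
# passed. The key is written unencrypted (-nodes) only inside the scratch dir.
run_flow() {
  cn=$1; pass=$2
  dir=$(setup_workdir)
  make_csr "$dir" "$cn" && fake_ca_issue "$dir" && key_matches_cert "$dir" \
    && make_p12 "$dir" "$pass" && p12_subject "$dir" "$pass" | grep -q "$cn"
  rc=$?
  rm -rf "$dir"
  return $rc
}

run_flow www.example.com 'export-pass' && echo "PKCS#12 built and verified"
```

On the Windows side the bundle is imported into the machine store (for example with `certutil -p <export-password> -importPFX mydomain.p12` in an elevated prompt, or the Certificates MMC snap-in) and then selected as the binding in IIS; the friendly name set with `-name` is what the IIS dialog lists. One caveat for anyone repeating this today: OpenSSL 3 encrypts the PKCS#12 with AES-256-CBC and PBKDF2 by default, which older Windows importers reject; `openssl pkcs12 -export -legacy` (with the legacy provider available) produces the older RC2/3DES format those accept.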


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]