How To Create A Self Signed Ssl Certificate Windows 7

Updated date Jul 02, 2020

39.8k
3

This article describes a step-by-step procedure from scratch on how to generate a server-side X509 certificate on Windows 7 for SSL/TLS TCP communication using OpenSSL.

Introduction

For an SSL/TLS socket connection from a client application to a server application, we need a server-side certificate. Client and server applications can communicate with each other via socket programming. In order to make sure the communication is secure/encrypted, we need to define a server certificate at the time of creating a server-side socket. This article describes a step by step procedure from scratch on how to generate a server-side X509 certificate on Windows 7 for SSL/TLS TCP communication using OpenSSL.

Note

This tutorial does not require any kind of Linux simulation or virtualization of Linux distribution on Windows. Instead, it describes how to generate the certificate solely on Windows. The procedure is tested on Windows 7 and it is assumed that the procedure will also work seamlessly for Windows 10 as well.

Overall, we first create a self-signed "Root key/certificate" pair. Then using this root key/Certificate, we create an intermediate Key/Certificate. Finally, we create a server certificate using the intermediate certificate. While creating a server certificate or server certificate signing request, we may consider using the "IP address" of the computer on which the server is running, as the "Common Name" field. Common Name is the mandatory parameter when running a certificate creation command of Openssl. This is due to the fact that some SSL programming libraries require that. I used the password "1234" whenever a password is required while creating a certificate or certificate signing request. As a result of each of the following steps of creating Key/Certificate/Certificate Signing Request, the corresponding Key/Certificate/Certificate Signing Request will be generated in its corresponding folder as per the directory structure given ahead.

1-Install/Setup OpenSSL

Download "Win32 OpenSSL v1.1.0f Light" from [3] and install it as mentioned at [2]. After installing Openssl, the path openssl.exe file should be added in the system path. That "oenssl.exe" can be run from our desired folder from the command prompt.

2-Setup Directory

We will create a "\root" folder at C:\ and the following folder structure in the "\root" folder.

Start Command Prompt
Start the command prompt; create a root folder and the following directory structure:

Do the following to get index, serial and crlnumber files in the appropriate folders
Get Configuration files

Extract the root configuration file [4] from the attachment (configurationFiles.zip) and save it as "openssl.cfg" at C:\root\ca
For instance "C:\root\ca\openssl.cfg"

Extract the intermediate configuration file [5] from the attachment (configurationFiles.zip) and save it as "openssl.cfg" at C:\root\ca\intermediate

For instance "C:\root\ca\intermediate\openssl.cfg"

3-Certificate Creation Steps

Set path at the command prompt

C:\root\ca> set RANDFILE=C:\root\ca\private\.rnd
C:\root\ca> set OPENSSL_CONF=C:\root\ca\openssl.cfg
Start OpenSSL

C:\root\ca>openssl
openssl>
Create a Root Key

openssl> genrsa -aes256 -out private/ca.key.pem 4096
Create a Root Certificate (this is self-signed certificate)

openssl> req -config openssl.cnf \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem
Create an Intermediate Key openssl> genrsa -aes256 \ -out intermediate/private/intermediate.key.pem 4096
Create an Intermediate certificate signing request openssl> req -config intermediate/openssl.cfg -new -sha256 \ -key intermediate/private/intermediate.key.pem \ -out intermediate/csr/intermediate.csr.pem
Create intermediate certificate (using Root Key/Certificate) openssl> req -config openssl.cfg \ -key private/ca.key.pem \ -new -x509 -days 7300 -sha256 -extensions v3_ca \ -out certs/ca.cert.pem
Quit OpenSSL openssl> quit
C:\root\ca>
Get CA-Chain Cert C:\root\ca> type intermediate\certs\intermediate.cert.pem certs\ca.cert.pem > intermediate\certs\ca-chain.cert.pem
Start OpenSSL

C:\root\ca>openssl
openssl>
Create a Server Key openssl>genrsa -aes256 \ -out intermediate/private/www.example.com.key.pem 2048
Create a Server Signing Request openssl>req -config intermediate/openssl.cnf \ -key intermediate/private/www.example.com.key.pem \ -new -sha256 -out intermediate/csr/www.example.com.csr.pem
Create a Server Certificate (Using Server signing Request and Intermediate Certificate/Key) openssl> ca -config intermediate/openssl.cnf \ -extensions server_cert -days 375 -notext -md sha256 \ -in intermediate/csr/www.example.com.csr.pem \ -out intermediate/certs/www.example.com.cert.pem
Using Certificate Now the SSL/TLS server can be configured with server key and server certificate while using CA-Chain-Cert as a trust certificate for the server. The Root certificate has to be configured at the Windows to enable the client to connect to the server.

4-Configure SSL/TLS Client at Windows

In order to enable the client to connect with the Server, we need to register the Root certificate (created in step 3.4) at the Windows machine from where the Client will access the Server. Do Step 4.1 and 4.2 to complete the Root certificate registration on the Windows machine.

Go to the Control Panel
-> Credential Manager -> Add a Certificate based credential -> Open Certificate Manager
Right Click on the Certificate
-> All Tasks -> Import -> Next -> Browse

Browse the Root certificate that was generated in Step 3.4

References

Creating SSL/TLS Certificates
Installing OpenSSL
Download OpenSSL for Windows