Difference between revisions of "Working with SSL Certificates"

[unchecked revision][unchecked revision]
Line 73: Line 73:
 
The ''makecert.exe'' is included in the SPE's installation directory. It can be used to create self-signed certificats.
 
The ''makecert.exe'' is included in the SPE's installation directory. It can be used to create self-signed certificats.
  
  makecert.exe -r -pe -n "CN=mail" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha1 -len 2048
+
  makecert.exe -r -pe -n "CN=hostname" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha1 -len 2048
 +
 
 +
Replace ''hostname'' with your hostname.
  
 
External Links:
 
External Links:

Revision as of 11:41, 25 March 2015

Generating a CSR and importing the certificate with certreq

  • Log on on the host which runs the Client Access Server.
  • Prepare a text file request.inf with the following content
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace Subject attributes in the line below with real values
Subject = "CN=hostname, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = hostname
MachineKeySet = TRUE
SMIME = Falsedg
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; this is for Server Authentication
OID=1.3.6.1.5.5.7.3.1

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=hostname.local&"
_continue_ = "dns=mailstore&"
_continue_ = "ipaddress=172.20.13.16&"
;-----------------------------------------------
  • Adjust the Subject, FriendlyName and Extensions fields according to you infrastructure. Remove the entire [Extensions] section, if you do not need SANs. Save the file.

Hint: An IP address as SAN will not be accepted by official CAs. When there are any SANs defined, the CN in the Subject field will be ignored by clients, therefore you have to add all possible hostnames to the SAN extensions.

  • Open an elevated command prompt and navigate into the directory where the request.inf is stored.

Creating the CSR

certreq -new request.inf request.csr

Validating the CSR

certutil -dump request.csr
  • Submit the CSR to your CA. You will get a signed certificate in return.

Importing the certificate

certreq -accept certificate.cer
  • Verify with certlm.msc or mmc that the certificate is imported properly in the hosts Personal store and that a matching private key can be found.
  • Replace the self-signed certificates in the Client Access Server.

External Links:

Microsoft Technet: How to Request a Certificate With a Custom Subject Alternative Name

Microsoft Technet: Certreq

Microsoft Technet: Certutil

Creating a self signed certificate

The makecert.exe is included in the SPE's installation directory. It can be used to create self-signed certificats.

makecert.exe -r -pe -n "CN=hostname" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -a sha1 -len 2048

Replace hostname with your hostname.

External Links:

Microsoft MSDN: makecert

Converting a PEM/CRT into a PFX container with OpenSSL

When the CSR was created with OpenSSL, the private key is not stored in the hosts private key archive automatically. You have to merge private key, certificate and the certificate chain into one PFX container, and import this container into the host's personal certificate store.

Merging the files

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Importing the certificate

certutil -importpfx certificate.pfx

Private key of certificate is missing

Sometimes the matching private key cannot be found, then it is necessary to run the following command

certutil -repairstore my SerialNumber

where SerialNumber is the serial number (not fingerprint) of the certificate to be repairred.