Difference between revisions of "Working with SSL Certificates"

Revision as of 15:04, 20 April 2015

Although various methods exist to create and import SSL certificates, this task can be laborious on Windows servers where no certificate policy exists (i.e. standalone servers). This article describes how to manually create and verify a certificate signing request (CSR) and import the certificate after the CSR has been signed by a certificate authority, using Microsoft's Certreq tool.

It is assumed that all steps are carried out on the machine where the certificate is actually going to be used by a MailStore SPE.

Generating a Certificate Signing Request (CSR)

  • Prepare a text file request.inf with the following content:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace Subject attributes in the line below with real values
Subject = "CN=mailarchive.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = mailarchive.example.com
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
 
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
  • Adjust the Subject and FriendlyName fields according to your needs.
  • Save the file.
  • Open an elevated command prompt and navigate to the directory where the request.inf is stored.
  • Create the CSR by executing the following command:
certreq -new request.inf request.csr

Optional: Subject Alternative Names (SAN)

If the certificate should be valid for multiple host names, so-called Subject Alternative Names (SAN) must be included in the CSR. Add the Extensions section as shown below to the end of the request.inf file and adjust the host names to your needs, or add further ones by appending additional _continue_ lines. Then save the file and create the request as explained previously.

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=mailarchive.example.com&"
_continue_ = "DNS=archive.example.com&"

Important notice: When SANs are defined, the CN in the Subject field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.

Validating the Certificate Signing Request

To verify that the CSR is correct, execute the following command to display it in a human-readable format:

certutil -dump request.csr
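The CSR generation, SAN handling and validation steps above can be scripted in one pass. The following PowerShell script is an added example and not part of the MailStore article: it writes request.inf from a host-name list, forces the CN into the SAN list (so the "Important notice" above cannot be violated), runs certreq -new and checks the certutil dump for every expected name. $PrimaryName, $SanNames and the matched certutil output strings are assumptions.

```powershell
# Added example (not from the MailStore article): build request.inf from a host
# name plus SAN list, create the CSR with certreq and check the decoded request.
# $PrimaryName and $SanNames are assumed sample values; adjust them to your hosts.
$PrimaryName = 'mailarchive.example.com'
$SanNames    = @('mailarchive.example.com', 'archive.example.com')

# Clients ignore the CN once a SAN extension exists, so the CN must be in the SAN list.
if ($SanNames -notcontains $PrimaryName) { $SanNames += $PrimaryName }
$continue = ($SanNames | ForEach-Object { "_continue_ = `"DNS=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$PrimaryName, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = $PrimaryName
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$continue
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

& certreq.exe -new .\request.inf .\request.csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Decode the CSR (the article's validation step) and confirm every expected DNS name
# and the 2048-bit key appear; the matched strings follow certutil's usual dump format.
$dump = & certutil.exe -dump .\request.csr | Out-String
foreach ($name in $SanNames) {
    if ($dump -notmatch [regex]::Escape("DNS Name=$name")) { Write-Warning "SAN '$name' missing from request.csr" }
}
if ($dump -notmatch 'Public Key Length: 2048 bits') { Write-Warning 'request.csr does not carry a 2048-bit key' }
```

Run it from an elevated PowerShell prompt in the directory where request.csr should be created; a warning means the request should be regenerated before it is sent to the CA.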

Submitting the Certificate Signing Request

Submit the CSR to your preferred CA. You will get the signed certificate in return. During the submission process the CA might ask for the server platform. Selecting IIS 7 or None of the listed should be sufficient.

Please note: Nowadays most CAs require the installation of intermediate CA certificates. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.

Importing and Verifying the Certificate

  • Open an elevated command prompt and navigate to the directory where the certificate file is stored.
  • Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer
  • Use MMC's certificate snap-in or certlm.msc (Windows Server 2012 or newer only) to verify that the certificate has been imported properly in the computer's Personal certificate store and that a matching private key can be found.
  • Replace the self-signed certificates in the Client Access Server.
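The import and verification steps above can also be checked from the command line instead of by hand in certlm.msc. The following PowerShell script is an added example, not part of the MailStore article: it runs certreq -accept, looks the certificate up in the computer's Personal store (Cert:\LocalMachine\My) and verifies that a private key is attached, that the SAN extension covers every expected host name and that the Server Authentication EKU is present. The file name and $ExpectedNames are assumed sample values.

```powershell
# Added example (not from the MailStore article): import the signed certificate with
# certreq -accept and verify the result in the computer's Personal store.
# certificate.cer and $ExpectedNames are assumed sample values; adjust them.
$CertFile      = '.\certificate.cer'
$ExpectedNames = @('mailarchive.example.com', 'archive.example.com')

& certreq.exe -accept $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

# Read the thumbprint from the file, then find the same certificate in the store
# that certlm.msc shows as "Personal" (Cert:\LocalMachine\My).
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertFile).Path
$tp       = $imported.Thumbprint
$stored   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
if (-not $stored) { throw "Certificate $tp was not found in Cert:\LocalMachine\My" }

# certreq -accept pairs the certificate with the key created by certreq -new on this
# machine; HasPrivateKey is the programmatic form of the "matching private key" check.
if (-not $stored.HasPrivateKey) { throw 'Certificate was imported without a matching private key' }

# Clients ignore the CN when a SAN extension (OID 2.5.29.17) exists, so every host
# name that will be used to reach the server must be listed there.
$san     = $stored.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
foreach ($name in $ExpectedNames) {
    if ($sanText -notmatch [regex]::Escape("DNS Name=$name")) { Write-Warning "Host name '$name' is not covered by the SAN extension" }
}

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) and key size, as requested in request.inf.
$eku = $stored.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains '1.3.6.1.5.5.7.3.1') {
    Write-Warning 'Certificate lacks the Server Authentication EKU'
}
if ($stored.PublicKey.Key.KeySize -lt 2048) { Write-Warning 'Key is shorter than 2048 bits' }
"Imported $($stored.Subject) ($tp), valid until $($stored.NotAfter)"
```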

Appendix: Creating a PFX Container with OpenSSL

When the CSR was created with OpenSSL, the private key is never stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, the certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into the Windows certificate store.

  • Create the PFX container by executing the following command:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  • Open an elevated command prompt and navigate to the directory where the PFX file is stored.
  • Import the content of the PFX container into the computer's personal certificate store by executing the following command:
certutil -importpfx certificate.pfx

Weblinks