Difference between revisions of "Working with SSL Certificates"
[unchecked revision] | [unchecked revision] |
m |
|||
Line 1: | Line 1: | ||
− | + | Although various methods exist to create and import SSL certificates, this task can be laborious on Windows servers where no certificate policy exists (i.e. standalone servers). This article describes how to manually create and verify a certificate signing requests (CSR) and import the certificated after the CSR has been signed by a certificate authority, using Microsoft's ''Certreq'' tool. | |
− | |||
− | |||
− | |||
− | + | It is assumed that all steps are carried out on the machine, where the certificate is actually going to be used by a MailStore SPE. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | * | + | == Generating a Certificate Signing Request (CSR) == |
+ | * Prepare a text file ''request.inf'' with the following content: | ||
− | < | + | <pre> |
+ | ;----------------- request.inf ----------------- | ||
+ | [Version] | ||
+ | Signature="$Windows NT$" | ||
− | * Open an elevated command prompt and navigate | + | [NewRequest] |
− | + | ; replace Subject attributes in the line below with real values | |
− | + | Subject = "CN=mailarchive.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country" | |
+ | KeySpec = 1 | ||
+ | KeyLength = 2048 | ||
+ | Exportable = TRUE | ||
+ | FriendlyName = mailarchive.example.com | ||
+ | MachineKeySet = TRUE | ||
+ | SMIME = False | ||
+ | PrivateKeyArchive = FALSE | ||
+ | UserProtected = FALSE | ||
+ | UseExistingKeySet = FALSE | ||
+ | ProviderName = "Microsoft RSA SChannel Cryptographic Provider" | ||
+ | ProviderType = 12 | ||
+ | RequestType = PKCS10 | ||
+ | KeyUsage = 0xa0 | ||
+ | |||
+ | [EnhancedKeyUsageExtension] | ||
+ | OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication | ||
+ | </pre> | ||
+ | * Adjust the ''Subject'', ''FriendlyName'' fields according to your needs. | ||
+ | * Save the file. | ||
+ | * Open an elevated command prompt and navigate to the directory where the ''request.inf'' is stored. | ||
+ | * Creating the CSR by executing the following command: | ||
certreq -new request.inf request.csr | certreq -new request.inf request.csr | ||
− | + | === Optional: Subject Alternative Names (SAN) === | |
− | + | If the certificate should be valid for multiple host names, so called Subject Alternative Named (SAN) must be included in the CSR. Add the ''Extensions'' section as shown below to the the end of the <tt>request.inf</tt> file and adjust the host names to your needs or add additional ones by appending additional ''_continue_'' lines. Then save the file and create the request as explained previously. | |
− | or | ||
− | |||
− | + | <pre> | |
+ | [Extensions] | ||
+ | 2.5.29.17 = "{text}" | ||
+ | _continue_ = "DNS=mailarchive.example.com&" | ||
+ | _continue_ = "DNS=archive.example.com&" | ||
+ | </pre> | ||
− | ''' | + | <p class="msnote">'''Important notice:''' When SANs are defined, the CN in the ''Subject'' field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.</p> |
− | |||
− | + | == Validating the Certificate Signing Request == | |
+ | To verify that the CSR is correct, execute the following command to display the it in a human readable format: | ||
− | + | certutil -dump request.csr | |
− | == | + | == Submitting the Certificate Signing Request == |
+ | Submit the CSR to your preferred CA. You will get the signed certificate in return. During the submission process the CA might ask for the server platform. Selecting ''IIS 7'' or ''None of the listed'' should be sufficient. | ||
− | + | <p class="msnote">'''Please note:'' Nowadays most CAs require the installation of intermediate CA certificates. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate. | |
− | + | == Importing and Verifying the Certificate == | |
+ | * Open an elevated command prompt and navigate to the directory where the certificate file is stored. | ||
+ | * Execute the following command to import the certificate into the computer's personal certificate store: | ||
− | + | certreq -accept certificate.cer | |
− | + | * Use MMC's certificate snap-in or ''certlm.msc'' (Windows Server 2012 or newer only) to verify that the certificate has been imported properly in the computer's ''Personal'' certificate store and that a matching private key can be found. | |
+ | * [[Replace_Self-signed_SSL_Certificates|Replace]] the self-signed certificates in the ''Client Access Server''. | ||
− | When the CSR was created with OpenSSL, the private key is | + | == Appendix: Creating a PFX Container with OpenSSL == |
+ | When the CSR was created with OpenSSL, the private key is never stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into Window's certificate store. | ||
− | + | * Create the PFX container by executing the following command: | |
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt | ||
− | + | * Open an elevated command prompt and navigate to the directory where the PFX file is stored. | |
− | ' | + | * Import the content of the PFX container into the computer's personal certificate store by executing the following command: |
certutil -importpfx certificate.pfx | certutil -importpfx certificate.pfx | ||
== Weblinks == | == Weblinks == | ||
− | + | * [https://technet.microsoft.com/en-us/library/dn296456.aspx Microsoft Technet: Certreq] | |
− | + | * [https://technet.microsoft.com/en-us/library/cc732443.aspx Microsoft Technet: Certutil] | |
− | + | * [https://technet.microsoft.com/de-de/library/ff625722.aspx Microsoft Technet: How to Request a Certificate With a Custom Subject Alternative Name] | |
− | [https://technet.microsoft.com/en-us/library/dn296456.aspx Microsoft Technet: Certreq] | + | * [https://www.openssl.org/docs/apps/openssl.html OpenSSL documentation] |
− | |||
− | [https://technet.microsoft.com/en-us/library/cc732443.aspx Microsoft Technet: Certutil] | ||
− | |||
− | [https:// | ||
− | |||
− | [https://www. | ||
− | |||
− | |||
− | |||
− |
Revision as of 15:04, 20 April 2015
Although various methods exist to create and import SSL certificates, this task can be laborious on Windows servers where no certificate policy exists (i.e. standalone servers). This article describes how to manually create and verify a certificate signing requests (CSR) and import the certificated after the CSR has been signed by a certificate authority, using Microsoft's Certreq tool.
It is assumed that all steps are carried out on the machine, where the certificate is actually going to be used by a MailStore SPE.
Generating a Certificate Signing Request (CSR)
- Prepare a text file request.inf with the following content:
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] ; replace Subject attributes in the line below with real values Subject = "CN=mailarchive.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country" KeySpec = 1 KeyLength = 2048 Exportable = TRUE FriendlyName = mailarchive.example.com MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
- Adjust the Subject, FriendlyName fields according to your needs.
- Save the file.
- Open an elevated command prompt and navigate to the directory where the request.inf is stored.
- Creating the CSR by executing the following command:
certreq -new request.inf request.csr
Optional: Subject Alternative Names (SAN)
If the certificate should be valid for multiple host names, so called Subject Alternative Named (SAN) must be included in the CSR. Add the Extensions section as shown below to the the end of the request.inf file and adjust the host names to your needs or add additional ones by appending additional _continue_ lines. Then save the file and create the request as explained previously.
[Extensions] 2.5.29.17 = "{text}" _continue_ = "DNS=mailarchive.example.com&" _continue_ = "DNS=archive.example.com&"
Important notice: When SANs are defined, the CN in the Subject field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.
Validating the Certificate Signing Request
To verify that the CSR is correct, execute the following command to display the it in a human readable format:
certutil -dump request.csr
Submitting the Certificate Signing Request
Submit the CSR to your preferred CA. You will get the signed certificate in return. During the submission process the CA might ask for the server platform. Selecting IIS 7 or None of the listed should be sufficient.
'Please note: Nowadays most CAs require the installation of intermediate CA certificates. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.
Importing and Verifying the Certificate
- Open an elevated command prompt and navigate to the directory where the certificate file is stored.
- Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer
- Use MMC's certificate snap-in or certlm.msc (Windows Server 2012 or newer only) to verify that the certificate has been imported properly in the computer's Personal certificate store and that a matching private key can be found.
- Replace the self-signed certificates in the Client Access Server.
Appendix: Creating a PFX Container with OpenSSL
When the CSR was created with OpenSSL, the private key is never stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into Window's certificate store.
- Create the PFX container by executing the following command:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- Open an elevated command prompt and navigate to the directory where the PFX file is stored.
- Import the content of the PFX container into the computer's personal certificate store by executing the following command:
certutil -importpfx certificate.pfx