Difference between revisions of "Working with SSL Certificates"

[unchecked revision][unchecked revision]
Line 36: Line 36:
 
* Save the file.
 
* Save the file.
 
* Open an elevated command prompt and navigate to the directory where the ''request.inf'' is stored.  
 
* Open an elevated command prompt and navigate to the directory where the ''request.inf'' is stored.  
* Creating the CSR by executing the following command:
+
* Create the CSR by executing the following command:
 
  certreq -new request.inf request.csr
 
  certreq -new request.inf request.csr
  

Revision as of 09:26, 22 April 2015

Although various methods exist to create and import SSL certificates, this task can be laborious on Windows servers where no certificate policy exists (i.e. standalone servers). This article describes how to manually create and verify a certificate signing requests (CSR) and import the certificate after the CSR has been signed by a certificate authority, using Microsoft's Certreq tool.

Customers who manage their certificates with OpenSSL, find useful information at the end of this article.

Generating a Certificate Signing Request (CSR)

It is assumed that the following steps are carried out on the machine, where the certificate is actually going to be used by MailStore SPE.

  • Prepare a text file request.inf with the following content:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace Subject attributes in the line below with real values
Subject = "CN=mailarchive.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = mailarchive.example.com
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
 
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
  • Adjust the Subject and FriendlyName values according to your needs.
  • Save the file.
  • Open an elevated command prompt and navigate to the directory where the request.inf is stored.
  • Create the CSR by executing the following command:
certreq -new request.inf request.csr

Optional: Subject Alternative Names (SAN)

If the certificate should be valid for multiple host names, so called Subject Alternative Named (SAN) must be included in the CSR. Add the Extensions section as shown below to the the end of the request.inf file and adjust the host names to your needs or add additional ones by appending additional _continue_ lines. Then save the file and create the request as explained previously.

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=mailarchive.example.com&"
_continue_ = "DNS=archive.example.com&"

Important notice: When SANs are defined, the CN in the Subject field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.

Validating the Certificate Signing Request

To verify that the CSR is correct, execute the following command to display it in a human readable format:

certutil -dump request.csr

Submitting the Certificate Signing Request

Submit the CSR to your preferred CA. The CA might ask for the server platform during the submission process. Selecting IIS 7 or None of the listed should be sufficient. After successful approval of the CSR, you will get the signed certificate in return.

Please note: Nowadays most CAs require the installation of intermediate CA certificates. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.

Importing and Verifying the Certificate

  • Open an elevated command prompt and navigate to the directory where the certificate file is stored.
  • Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer
  • Use MMC's certificate snap-in or certlm.msc (Windows Server 2012 or newer only) to verify that the certificate has been imported properly in the computer's Personal certificate store and that a matching private key can be found.
  • Replace the self-signed certificates in the Client Access Server.

Appendix: Creating a PFX Container with OpenSSL

When the CSR was created with OpenSSL, the private key is never stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into Window's certificate store.

  • Create the PFX container by executing the following command:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  • Open an elevated command prompt and navigate to the directory where the PFX file is stored.
  • Import the content of the PFX container into the computer's personal certificate store by executing the following command:
certutil -importpfx certificate.pfx

Weblinks