Working with SSL Certificates

Revision as of 15:04, 20 April 2015 by Dweuthen (talk | contribs)

Although various methods exist to create and import SSL certificates, this task can be laborious on Windows servers where no certificate policy exists (i.e. standalone servers). This article describes how to manually create and verify a certificate signing requests (CSR) and import the certificated after the CSR has been signed by a certificate authority, using Microsoft's Certreq tool.

It is assumed that all steps are carried out on the machine, where the certificate is actually going to be used by a MailStore SPE.

Generating a Certificate Signing Request (CSR)

  • Prepare a text file request.inf with the following content:
;----------------- request.inf -----------------
Signature="$Windows NT$"

; replace Subject attributes in the line below with real values
Subject = ", OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName =
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID = ; this is for Server Authentication
  • Adjust the Subject, FriendlyName fields according to your needs.
  • Save the file.
  • Open an elevated command prompt and navigate to the directory where the request.inf is stored.
  • Creating the CSR by executing the following command:
certreq -new request.inf request.csr

Optional: Subject Alternative Names (SAN)

If the certificate should be valid for multiple host names, so called Subject Alternative Named (SAN) must be included in the CSR. Add the Extensions section as shown below to the the end of the request.inf file and adjust the host names to your needs or add additional ones by appending additional _continue_ lines. Then save the file and create the request as explained previously.

[Extensions] = "{text}"
_continue_ = ""
_continue_ = ""

Important notice: When SANs are defined, the CN in the Subject field will be ignored by clients. Therefore all valid host names have to be added to the SAN extension.

Validating the Certificate Signing Request

To verify that the CSR is correct, execute the following command to display the it in a human readable format:

certutil -dump request.csr

Submitting the Certificate Signing Request

Submit the CSR to your preferred CA. You will get the signed certificate in return. During the submission process the CA might ask for the server platform. Selecting IIS 7 or None of the listed should be sufficient.

'Please note: Nowadays most CAs require the installation of intermediate CA certificates. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.

Importing and Verifying the Certificate

  • Open an elevated command prompt and navigate to the directory where the certificate file is stored.
  • Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer
  • Use MMC's certificate snap-in or certlm.msc (Windows Server 2012 or newer only) to verify that the certificate has been imported properly in the computer's Personal certificate store and that a matching private key can be found.
  • Replace the self-signed certificates in the Client Access Server.

Appendix: Creating a PFX Container with OpenSSL

When the CSR was created with OpenSSL, the private key is never stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into Window's certificate store.

  • Create the PFX container by executing the following command:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
  • Open an elevated command prompt and navigate to the directory where the PFX file is stored.
  • Import the content of the PFX container into the computer's personal certificate store by executing the following command:
certutil -importpfx certificate.pfx