Many services published to the Internet are secured with SSL certificates. We often use SSL certificates to secure communications when implementing ISA reverse proxy servers, Citrix Secure Gateway servers and/or Cisco WebVPN portals.
When you want to secure a connection with an SSL certificate, you have to create a Certificate Signing Request (CSR) and get the CSR signed by a Certificate Authority (CA). This can be done by a "real" (public) CA, like GeoTrust or Verisign, or you can configure your own CA and sign the CSR yourself.
There are many ways to generate a CSR. At first I always used whatever the customer could offer me: a Cisco ASA firewall, a Windows server with IIS or a Juniper SA appliance. Sometimes it took a couple of hours before I could finally generate a CSR. While generating a CSR, a private key is also generated, and when the CSR is generated on customer equipment it can happen that the customer deletes the private key, which makes the CSR (and any certificate issued for it) useless.
A colleague of mine often had the same problems and started using Cygwin with OpenSSL under Windows. I have to say: GREAT. I started using it myself. A great advantage is that I can use my own laptop and do not depend on the customer's equipment. Furthermore, and maybe most important, I know what I am doing during the generation and signing of certificates, so I will never delete the wrong files.
Normally I generate a new private key per certificate. I use the following commands to generate the private key, the CSR and the actual certificate bundle.
1. Generate a private key
openssl.exe genrsa -out private-www-booches-nl.key 2048
2. Generate the CSR and fill in the required information. The common name is the most important field: it must be the exact hostname the server is reached under (modern CAs and browsers also expect that name in a Subject Alternative Name, which the interactive prompts do not ask for).
openssl.exe req -sha256 -new -key private-www-booches-nl.key -out csr-www-booches-nl.csr
3. The CSR is uploaded to the CA (only the CSR, never the private key). The CA sends you the SSL certificate, which I save as www-booches-nl.crt
4. Create the actual SSL certificate bundle: a PFX (PKCS#12) file containing the certificate and its private key. If the CA also supplied intermediate certificates, include them with -certfile so the server presents the full chain.
openssl.exe pkcs12 -export -out www-booches-nl.pfx -inkey private-www-booches-nl.key -in www-booches-nl.crt
Some servers and appliances want the certificate in DER (binary) format rather than PEM (base64 text). The common open-source web servers, Apache and nginx, actually take PEM files, so check the product documentation before converting. The first 3 steps shown above stay the same; the following steps create a DER file.
4. Only if the server wants key and certificate in one PEM file: append the key to the crt file. Do this in a copy that stays on the server with restricted permissions, not in the crt file you also hand to others, because the file now contains the private key.
cat private-www-booches-nl.key >> www-booches-nl.crt
5. Create the DER file. This command reads only the (first) certificate from the PEM input, so an appended key never ends up in the DER output; the DER file holds the certificate alone.
openssl.exe x509 -in www-booches-nl.crt -inform PEM -out www-booches-nl.der -outform DER
It is also possible that you need a PEM certificate (certificate chain and key as base64 text) instead of a PFX certificate. Below you see the command to create a PEM file from a PFX file. The -nodes option writes the private key unencrypted, so protect the resulting file like the key itself.
6. Create the PEM file
openssl.exe pkcs12 -in www-booches-nl.pfx -out www-booches-nl.pem -nodes
7. Check the CSR content before uploading it, so you see exactly which subject the CA will certify
openssl.exe req -text -noout -in csr-www-booches-nl.csr
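The whole procedure above, as an added example that is not code from the original post: it runs steps 1 to 7 end to end in a POSIX shell (plain `openssl` instead of `openssl.exe`; the same commands work under Cygwin) and stands up a throwaway local CA in place of GeoTrust/Verisign so that it works offline. It also adds the checks the step list does not show: that the CSR carries a Subject Alternative Name, that the certificate the CA returned really belongs to the private key, that it chains to the CA, and that the DER file is the same certificate as the PEM one. The hostname www.example.test, the file names, the 30-day validity and the PFX password are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's key -> CSR ->
# certificate -> PFX/PEM/DER workflow, run end to end against a throwaway
# local CA so it works offline. Hostname, file names and password are assumptions.
set -eu
HOST="${HOST:-www.example.test}"   # assumed hostname (the CN and SAN)
WORK="${WORK:-$(mktemp -d)}"       # scratch directory for all artifacts
PASS="${PASS:-changeit}"           # PFX password; placeholder, pick a real one

write_configs() {
  # Extensions for the CSR and the issued certificate. Browsers require a SAN;
  # the CN alone is no longer enough. The same section is reused when signing.
  cat >"$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = NL
O = Example
CN = $HOST
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
  # Throwaway CA standing in for a public CA or the customer's own CA.
  cat >"$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
make_key_and_csr() {                 # steps 1 and 2 of the post
  openssl genrsa -out "$WORK/private-$HOST.key" 2048 2>/dev/null
  chmod 600 "$WORK/private-$HOST.key"  # the key is the secret; the CSR is not
  openssl req -new -sha256 -key "$WORK/private-$HOST.key" \
    -config "$WORK/req.cnf" -out "$WORK/csr-$HOST.csr"
}
sign_csr() {                         # step 3, here done by the local CA
  openssl x509 -req -sha256 -days 30 -in "$WORK/csr-$HOST.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/$HOST.crt" 2>/dev/null
}
export_pfx() {                       # step 4: key + certificate + chain in one PFX
  openssl pkcs12 -export -passout "pass:$PASS" -inkey "$WORK/private-$HOST.key" \
    -in "$WORK/$HOST.crt" -certfile "$WORK/ca.crt" -out "$WORK/$HOST.pfx"
}
pfx_to_pem() {                       # step 6: -nodes writes the key unencrypted
  openssl pkcs12 -in "$WORK/$HOST.pfx" -passin "pass:$PASS" -nodes -out "$WORK/$HOST.pem"
  chmod 600 "$WORK/$HOST.pem"
}
cert_to_der() {                      # DER carries the certificate only, never the key
  openssl x509 -in "$WORK/$HOST.crt" -inform PEM -outform DER -out "$WORK/$HOST.der"
}
# Checks worth running before anything is handed over or installed.
csr_san() {                          # step 7: what the CSR actually asks for
  openssl req -in "$WORK/csr-$HOST.csr" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}
key_matches_cert() {                 # the public key in the certificate is ours
  [ "$(openssl rsa -in "$WORK/private-$HOST.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$HOST.crt" -noout -pubkey)" ]
}
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$HOST.crt" >/dev/null; }
pem_has_key_and_cert() {
  grep -q 'BEGIN CERTIFICATE' "$WORK/$HOST.pem" && grep -q 'PRIVATE KEY' "$WORK/$HOST.pem"
}
der_matches_pem() {                  # same certificate, only the encoding differs
  [ "$(openssl x509 -in "$WORK/$HOST.der" -inform DER -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$WORK/$HOST.crt" -noout -fingerprint -sha256)" ]
}
main() {
  write_configs; make_ca; make_key_and_csr; sign_csr; export_pfx; pfx_to_pem; cert_to_der
  key_matches_cert || { echo "certificate does not match the private key" >&2; return 1; }
  cert_chains_to_ca || { echo "certificate does not chain to the CA" >&2; return 1; }
  echo "CSR asks for SAN $(csr_san); artifacts are in $WORK"
}
main
```

Two things differ from the step list on purpose. The private key is never appended to the .crt file; the PFX and the PEM produced from it are the only files that contain it, and both get restrictive permissions. And the key/certificate match is checked explicitly, which is the cheapest way to catch the "customer regenerated the key" problem described at the start before a certificate is installed. One caveat for real use: OpenSSL 3 writes PKCS#12 files with AES-256 and PBKDF2 by default, which older Windows versions refuse to import; add -legacy to the pkcs12 -export command in that case.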
Using Cygwin with OpenSSL really makes it easier to work with CSRs and certificates. A very useful website with "The Most Common OpenSSL Commands" can be found here (in Dutch).