Home
As part of the security guidelines, it is mandatory to use HTTPS certificates for every server and web application, even if they are not exposed to the internet. Buying certificates from an external CA is expensive. In this article, we'll talk about the SSL certificate request, how to use it, and other ways to make a self-signed certificate.
Possible Options
To request an SSL certificate from a CA like DigiCert or IdenTrust, you send them a Certificate Signing Request (CSR), and they give you an SSL certificate that they have signed using their root certificate and private key. Browsers keep a copy of the root certificates from the various CAs, so the browser can verify that your certificate was signed by a trusted CA. When we generate a self-signed certificate, the browser doesn't trust it, because it hasn't been signed by a CA. One alternative is to copy the self-signed certificate into "Trusted Root Certification Authorities" in the local certificate store. This works if you are testing only one system. If there are multiple systems and multiple certificates, every certificate has to be installed on every device. Consider the following self-signed certificate scenario: assume there are hundreds of systems named A, B, C, and so on.
Cert Chains:
A signed A
B signed B
C signed C
Cert Deployment
Server A gets A, B, C , .....
Server B gets A, B, C , .....
Server C gets A, B, C , .....
The way around this is to generate our own root certificate and private key. Then we add that root certificate to every device we own once, and all the certificates we issue with it are trusted by default. So in the above example, we create a new root certificate called X (the company name).
Cert Chains:
X signed A
X signed B
X signed C
Cert Deployment
Server A gets X, A
Server B gets X, B
Server C gets X, C
In this case, only the root CA certificate and the device-specific certificate have to be installed on each server.
How to Set Up Your Own Certificate Authority
There are different tools and SDKs that can be used to generate certificates. For this example, we are using OpenSSL. Download the sample scripts and edit CreateCACertificate.bat to provide the CA name and other domain-specific details. Open a command prompt and run this batch file as an administrator. This will generate the CA certificate as well as its private key. Alternatively, run the following commands directly.
```shell
# CANAME: provide the correct name. This creates the private key that will be used for the CA certificate.
openssl genrsa -out CANAME.key 2048
# The following command creates a CA certificate using the key generated above.
openssl req -x509 -new -nodes -key CANAME.key -sha256 -days 3650 -out CANAME.crt
```
This command prompts for the domain-specific details (country, organization, common name, and so on), which become part of the certificate properties. The resulting CA certificate can now be installed on all the client devices; see How-to-Install-CA-Certificate-in-Client-PC.
Creating a CA Signed Certificate
Once the CA certificate is created, the next step is to create a certificate for the server or website. For this, run GenIISCert.bat as an administrator and provide the system name or FQDN (fully qualified domain name) and the PFX file password. This creates a .crt file and a .pfx file. The .crt file can be used by any server application that needs a certificate, and the .pfx file (which bundles the certificate with its private key) is what IIS and other web servers import.
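The whole chain described on this page (CA key and certificate, a server CSR signed by the CA, a PFX for IIS, and a verification step) as one unattended OpenSSL script. This is an added example, not the project's CreateCACertificate.bat or GenIISCert.bat; the CA name X, the host name server-a.example.internal and the PFX password are constructed placeholders, and the subjectAltName extension is added here because current browsers match the host name against the SAN, not the CN.

```shell
#!/bin/sh
# Added example (not the project's scripts): builds "X signed A" with OpenSSL only.
# CA name, host name and PFX password below are constructed placeholders.
set -eu

# make_chain <workdir> <ca_name> <fqdn> <pfx_password>
# Creates a private CA, a server key and CSR, signs the CSR with the CA, exports a
# password-protected PFX for IIS, and verifies the server cert against the CA.
make_chain() {
    dir="$1"; ca="$2"; fqdn="$3"; pfxpass="$4"
    mkdir -p "$dir"
    # 1. CA private key and self-signed CA certificate (the two commands above;
    #    -subj replaces the interactive prompts so the script runs unattended)
    openssl genrsa -out "$dir/$ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/$ca.key" -sha256 -days 3650 \
        -subj "/CN=$ca/O=$ca" -out "$dir/$ca.crt"
    # 2. Server private key and certificate signing request for the host
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
    # 3. Leaf extensions: SAN is what browsers check the host name against,
    #    serverAuth restricts the key to TLS servers, CA:FALSE stops it issuing.
    printf '%s\n' "subjectAltName=DNS:$fqdn" "extendedKeyUsage=serverAuth" \
        "basicConstraints=CA:FALSE" > "$dir/$fqdn.ext"
    # 4. Sign the CSR with the CA key and certificate: X signed A
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$fqdn.ext" \
        -out "$dir/$fqdn.crt" 2>/dev/null
    # 5. Bundle key, certificate and CA certificate into a PFX for IIS
    openssl pkcs12 -export -inkey "$dir/$fqdn.key" -in "$dir/$fqdn.crt" \
        -certfile "$dir/$ca.crt" -passout "pass:$pfxpass" -out "$dir/$fqdn.pfx"
    # 6. Verify exactly as a client that trusts only the CA certificate would
    openssl verify -CAfile "$dir/$ca.crt" "$dir/$fqdn.crt" >/dev/null
}

# chain_ok <workdir> <ca_name> <fqdn>: exit 0 if the server cert validates against the CA
chain_ok() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# san_of <cert_file>: prints the DNS names listed in the subjectAltName extension
san_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

# Stand-alone run with the placeholder names (remove these two lines to use as a library)
WORK="${TMPDIR:-/tmp}/pki-demo.$$"
make_chain "$WORK" X server-a.example.internal ChangeMe123
```

The `.crt` files produced here correspond to the A, B, C certificates in the tables above, and `X.crt` is the one certificate that has to be installed on every client.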