Table of Contents / Create the Intermediate CA / Create a localhost Server Certificate
1. cd into the intermediate directory:

   cd C:/Certificates/DoD/CA/Intermediate

2. Generate the private key:

   openssl genrsa -out private/localhost.key 2048

   Note: omit the `-aes256` option so the server key is created without a password. If you create a server key with a password, you will have to enter that password every time the server restarts.

3. Create a certificate signing request:

   openssl req -config intermediateca.cnf -key private/localhost.key -new -sha256 -out csr/localhost.csr.pem

4. Use the intermediate CA to sign the server certificate request:

   openssl ca -config intermediateca.cnf -extensions server_cert -days 375 -notext -md sha256 -in csr/localhost.csr.pem -out public/localhost.cer

   Note: in `intermediateca.cnf`, the `server_cert` extension section defines the X509v3 Subject Alternative Name as `DNS:localhost, IP:127.0.0.1`. If you want additional or different DNS/IP combinations, modify this file before running the `openssl ca` command for the server certificate. This section is required for a browser to trust the server certificate properly.

   Select `y` to sign the certificate.
   Select `y` to commit the certificate.

5. Verify the cert:

   openssl x509 -noout -text -in public/localhost.cer

   The X509v3 Extended Key Usage should say `TLS Web Server Authentication`.
   The X509v3 Subject Alternative Name should say `DNS:localhost, IP Address:127.0.0.1` (or whatever DNS/IP you chose in step 4).
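The steps above as a checkable shell script. This is an added example, not code from the original page: it runs the same flow (passwordless key, CSR, signing with a `server_cert` extension section, then verifying EKU and SAN) but turns the step-5 eyeball checks into exit codes, so a broken cert fails loudly instead of being discovered later in the browser. Assumptions: since the page's intermediate CA and `intermediateca.cnf` are not available to a stand-alone script, a throwaway self-signed CA created in a temp directory stands in for the intermediate CA, and the `server_cert` section written by `write_server_ext` is a hypothetical reconstruction of what the page says that section defines (SAN plus server EKU); the `basicConstraints` and `keyUsage` lines in it are typical additions, not taken from the page. In the real flow you would keep the page's `openssl ca -extensions server_cert` command and only borrow the check functions.

```shell
#!/bin/sh
# Added example (not from the original page): localhost server cert flow with checks.
# The stub CA and the server_cert section below are hypothetical stand-ins for the
# page's intermediate CA and intermediateca.cnf.
set -eu

# Step 2: key without a passphrase (no -aes256), so the server can restart unattended.
make_server_key() {                          # $1 = output key path
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1
}

# Exit 0 if the key loads with an empty passphrase, i.e. it is not encrypted.
key_is_unencrypted() {                       # $1 = key path
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# Hypothetical server_cert section mirroring what the page says the config defines:
# server EKU plus the SAN list. Change the SAN list before signing for other hosts.
write_server_ext() {                         # $1 = output ext file, $2 = SAN list
    cat > "$1" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $2
EOF
}

# Throwaway signing CA (stand-in for the page's intermediate CA).
make_stub_ca() {                             # $1 = CA key path, $2 = CA cert path
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=Stub Intermediate CA (example)" -days 30 >/dev/null 2>&1
}

# Steps 3 and 4: CSR, then a cert signed with the server_cert extensions applied
# (same effect as the page's "openssl ca -extensions server_cert").
issue_server_cert() {   # $1 key, $2 csr out, $3 CA key, $4 CA cert, $5 ext file, $6 cert out
    openssl req -new -key "$1" -subj "/CN=localhost" -sha256 -out "$2" >/dev/null 2>&1
    openssl x509 -req -in "$2" -CA "$4" -CAkey "$3" -CAcreateserial \
        -extfile "$5" -extensions server_cert -days 375 -sha256 -out "$6" >/dev/null 2>&1
}

# Step 5 checks. san_of prints the SAN line exactly as "openssl x509 -text" shows it.
san_of() {                                   # $1 = cert path
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}
cert_has_server_eku() {                      # $1 = cert path
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}
cert_has_san_entry() {                       # $1 = cert path, $2 = e.g. "DNS:localhost"
    san_of "$1" | grep -qF "$2"
}

# End-to-end run in a temp dir. Prints the SAN; returns non-zero if any check fails.
demo_localhost_cert() {                      # $1 = SAN list (default = the page's)
    san="${1:-DNS:localhost, IP:127.0.0.1}"
    d=$(mktemp -d)
    make_stub_ca "$d/ca.key" "$d/ca.cer"
    make_server_key "$d/localhost.key"
    key_is_unencrypted "$d/localhost.key" || { echo "key is encrypted" >&2; return 1; }
    write_server_ext "$d/server_ext.cnf" "$san"
    issue_server_cert "$d/localhost.key" "$d/localhost.csr.pem" "$d/ca.key" "$d/ca.cer" \
        "$d/server_ext.cnf" "$d/localhost.cer"
    cert_has_server_eku "$d/localhost.cer" || { echo "missing serverAuth EKU" >&2; return 1; }
    cert_has_san_entry "$d/localhost.cer" "DNS:localhost" || { echo "missing SAN" >&2; return 1; }
    san_of "$d/localhost.cer"
    rm -rf "$d"
}

# Usage: sh localhost_cert_demo.sh run ["DNS:myhost, IP:10.0.0.5"]
case "${1:-}" in run) demo_localhost_cert "${2:-}" ;; esac
```

The check functions are the reusable part: point `cert_has_server_eku` and `cert_has_san_entry` at `public/localhost.cer` after your own step 4 and they fail with a non-zero exit if the `server_cert` section was not applied or the SAN does not contain the host you expect, which is the usual reason a browser rejects a locally issued certificate.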
Next: Import Into IIS