Signing SSL Certificate Requests

A while back I wrote a post on how to create a Certificate Authority on Linux, import the CA certificate into Active Directory and use it as an internal CA for your organization. Then I went silent for a while on the subject. Here is the follow-up on how to sign SSL certificates with that CA.

We are going to be generating the certificate for an IIS web server. Open IIS Manager and drill down to your website. Open the properties of the website that needs the certificate, then go to the Directory Security tab. You should see some options about SSL certificates towards the bottom of the window. Click the Server Certificate button. The default option is to create a new certificate request. Click Next and follow the prompts.

This part is very important. You will need to provide the domain name of your website as the common name. If you put anything other than your domain name into the common name field, your users will receive a warning that there is a problem with the SSL certificate.

Once that is done, the wizard should prompt you for a text file to save the request as. By default this is c:\certreq.txt; change it to something that indicates which domain name the request is for.

Next, copy the contents of this text file to your Linux or BSD box. The default SSL location on Ubuntu Linux is /etc/ssl. Save the contents of your certificate request to a file named something like “www.mydomain.com.csr”.

With the CSR on the certificate authority server, you’re ready to go. Check where your CA certificate and key are. In this example, the CA certificate is /etc/ssl/cacert.pem and the CA private key is /etc/ssl/private/cakey.pem.

root@hostname:/etc/ssl# openssl x509 -req -days 365 -in www.mydomain.com.csr -CA /etc/ssl/cacert.pem -CAkey /etc/ssl/private/cakey.pem -CAcreateserial -out /etc/ssl/www.mydomain.com.cer
Signature ok
subject=/C=US/ST=Utah/L=Layton/O=JW Network Consulting/OU=Technology/CN=www.mydomain.com
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/cakey.pem:
root@hostname:/etc/ssl#

You now have your signed SSL certificate, /etc/ssl/www.mydomain.com.cer. Copy the contents of the file to a text file on your IIS server and give it a .cer extension so IIS knows what to do with it. Open the properties of your website and go to the Directory Security tab. Click the Server Certificate button again and choose to process the pending certificate request. Point it to your signed SSL certificate, C:\www.mydomain.com.cer, and finish the wizard.
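The whole flow above, from CSR to signed certificate, can be rehearsed end to end on the CA box before touching a production CA. The script below is an added example, not code from the original post: it builds a throwaway CA in a temporary directory, creates a key and CSR that stand in for what the IIS wizard produces, signs the CSR with the same openssl x509 -req command the post uses, and then runs the two checks worth doing before the certificate is handed to IIS: that the certificate verifies against the CA, and that the hostname actually appears in the certificate. It also shows the one caveat the post predates: current browsers ignore the common name and require a subjectAltName, so a certificate signed with CN only still produces the warning described above. The CA name, the CN www.example.com, the file names and the unencrypted CA key are all constructed for the demo; the post's passphrase-protected CA key is the better choice for a real CA.

```shell
#!/bin/sh
# Added example (not the post's own code): sign a CSR with an internal CA the
# way the post does, then check the result before installing it in IIS.
# Everything here (CA name, CN, paths) is constructed for the demo.

# Create a throwaway CA in $1. Unencrypted key for the demo only; the post's
# CA key is passphrase-protected, which is what you want for a real CA.
make_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# Stand-in for the IIS wizard: a server key and a CSR whose common name ($2)
# is the site's DNS name, which is the point the post stresses.
make_csr() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=Utah/L=Layton/O=Example/OU=Technology/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
}

# The post's signing command, unchanged apart from paths: CN only, no SAN.
sign_csr() {
    dir="$1"; cn="$2"
    openssl x509 -req -days 365 -in "$dir/$cn.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/$cn.cer" 2>/dev/null
}

# Same signing command with a subjectAltName added from a small extension
# file, which is what current browsers require in place of the CN.
sign_csr_san() {
    dir="$1"; cn="$2"
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/$cn.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$cn.san.cer" 2>/dev/null
}

# Pre-install checks on certificate $2 for hostname $3: it must chain to the
# CA in $1/cacert.pem and it must carry DNS:$3 in its subjectAltName.
# Returns 0 only if both hold.
check_cert() {
    dir="$1"; cert="$2"; cn="$3"
    openssl verify -CAfile "$dir/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$cert" 2>/dev/null | grep -q "DNS:$cn"
}

# End-to-end run in a temporary directory; prints which of the two
# certificates passes the checks and cleans up afterwards.
demo() {
    cn="www.example.com"
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && make_csr "$dir" "$cn" \
        && sign_csr "$dir" "$cn" && sign_csr_san "$dir" "$cn" || return 1
    if check_cert "$dir" "$dir/$cn.cer" "$cn"; then
        echo "CN-only certificate: passes"
    else
        echo "CN-only certificate: verifies against the CA but has no SAN, browsers will warn"
    fi
    check_cert "$dir" "$dir/$cn.san.cer" "$cn"; rc=$?
    [ "$rc" -eq 0 ] && echo "SAN certificate: verifies and names $cn"
    rm -rf "$dir"
    return "$rc"
}

demo
```

Run it with sh on a box that has openssl installed; the only output is the verdict for each certificate. The CN-only certificate is exactly what the post's command produces, and openssl verify is happy with it; the missing SAN is what a browser would complain about, so the grep in check_cert is the check that catches it.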

That’s it.

Jason Wood