self-signing a CSR for IIS and Apache Best answer on the web

Author: jack  //  Category: xn--g7qx97f.com
  • I'd like to get a detailed explanation (step by step instructions including how and where to get/find the signing program and command-line options) of how I would sign my own Certificate Signing Request generated for IIS. I'd imagine the same or similar procedure would be available for Linux and BSD based systems running Apache. Could I then send the same CSR to Thawte or VeriSign and get a 'real' one that could be installed later?


  • (1) Is there a way to give makecert a certificate request file?
    (2) What exactly is in the body of the certificate request file?
    The options for makecert need more explanation than that provided in "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp" I need to get to the bottom of this.


  • Hi Spot,

    Sorry, it's going to take a bit of time to go thru this. I can't get certificate server to work. I can't locate my MSDN disks to reload it. I downloaded makecert.exe but I'm still confused about all the options and how to feed it my csr.txt file on the certificate signing machine for the website hosting machine. It seems the private key would be generated/issued after the signing and that 'test certificate' would include it, so I'm a little confused about what you said. Also, for the test certificate, don't most browsers put up a warning and permit you to use the untrusted key so why couldn't you use it for the public? And if I use makecert, what exported file would I distribute to others in my 'intranet' group? Ideally, I'd like to be a 'certificate authority' for all the webservices in our intranet. I'd like to distribute 1 private certificate and have all our ssl'd websites not come up with that warning. Is there a way I can accomplish that with just makecert? With all these diversions/interruptions, I'll probably need another week (at least) to figure all this out - to see if I can get the signing and installations to work. Thank you very much for the references and instructions already provided.


  • Oh... one more thing you might find useful!

    Since you mentioned you lost some of your MSDN disks, as long as you have your registration/proof of purchase Microsoft will replace them... often fairly inexpensively. The phone number at Microsoft for ordering replacement media is (800) 759-5474. They are open standard business hours, pacific time.
    -Spot


  • I understand your frustration. I know this is complicated and there are a lot of configuration-dependent options involved. However, just to reassure you, I went through the process myself this afternoon to make sure it really does work as advertised... and it does. I ended up using the second command line I listed previously to do the job, with some minor modifications so that I could create the certificate used to sign other certificates that you wanted. I did this on a clean install of Win2K with IIS 5.0, with a copy of makecert downloaded from Microsoft so that everything I did should be 100% replicable. The details are documented below.
    Before you begin, I highly recommend that you read ALL the documentation. I know there is a lot of it and some of it is very technical, but it is very worthwhile reading. Every system configuration is different, and only you will be able to determine the choices that are best for your enterprise.
    As before, I'm going to break down your clarification and answer each separate question one at a time.

    ********************************************************************** Q: "Is there a way to give makecert a certificate request file?"

    A: As noted in my previous clarification, it does not appear to be possible to feed makecert a certificate request file. You need to pass the parameters that would normally go into a certificate request file on the command line.

    ********************************************************************** Q: "What exactly is in the body of the certificate request file?"

    A: A certificate request file contains information about your business or organization as well as your web server's public key. The file is used by the certificate authority to fill in the information they need to sign and generate the certificate.
    Certificate Signing Request (CSR) FAQ
    http://www.entrust.net/customer_support/csr_faq.htm


    ********************************************************************** Q: "when I tried that makecert I got an 'Invalid input parameter' for option -b. I got the same message for option -e."
    A: According to the documentation, -b "Specifies the start of the validity period. Defaults to the certificate's creation date." and -e "Specifies the end of the validity period. Defaults to 12/31/2039 11:59:59 GMT." In layman's terms:
    -b = Begin date
    -e = End date

    In short, after the -b or -e, you need to type a date so the computer knows how long the certificate is good for. I believe the reason you had trouble with the -b option is that the date wasn't formatted as the program was expecting (hence the "invalid input"). I think I mentioned previously, but the command line I listed was recommended by an overseas programmer; obviously the individual was using a date format specific to his regional settings. If you are in the US (or using the US version of the software) you will want to change the date to look the way dates are traditionally written in the US (i.e. 01/01/2000 instead of 01.01.2000). If you are elsewhere in the world, you will need to format the date in whatever way it is configured in your system control panel.

    ********************************************************************** Q: "I have no idea what the -eku option is (I mean what are the OIDs and why are they even needed?)."
    A: The documentation states that -eku "Inserts a list of comma-separated, enhanced key usage object identifiers (OIDs) into the certificate."
    Enhanced key usage object identifiers tell the computer what the certificate is good for, such as protecting a web site, encrypting e-mails or signing software. OIDs prevent users from misusing a certificate for any purpose other than what it was originally intended for.

    **********************************************************************
    These are the steps I used to create the certificates--one to act as a CA and sign other certificates, and a second signed by the first and used to secure the web site--using makecert only. I did not install or use Certificate Server whatsoever.
    "Slate" is the name of the server I used to test this. You will need to substitute your own server name wherever the word "slate" appears.

    On the SERVER:

    I downloaded makecert from Microsoft at:

    http://download.microsoft.com/download/platformsdk/Update/5.131.3617.0/NT45XP/EN-US/makecert.exe
    From a command prompt, I ran makecert and made a self-signed "CA" certificate:
    makecert -r -pe -n "CN=slate-ca" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.1 -ss slate-ca.isb -sr localMachine -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sk "slate-ca.isb" slate-ca.crt
    This command line is identical to the second command line I provided you previously with two exceptions: the date is in US format as I live in the US, and the key location has been moved from the "Personal" certificates store to its own store so it doesn't get mixed up.
    I then double-clicked the file that was output (slate-ca.crt) and installed the certificate.
    Next I went to the Certificates snap-in of the MMC, and exported two copies of the certificate: one with the private key for backup purposes (slate-ca-backup.pfx), and a second without the private key for distribution purposes (slate-ca-disto.cer). While I was there, I went ahead and imported the distribution copy (slate-ca-disto.cer) into the Trusted Roots store on the server so that the server would recognize itself. As noted previously, it's very important to keep a backup copy of the certificate with the private key because if you lose the private key (hard drive failure or whatnot), you won't be able to use the certificate later even if you reinstall it.
    Now that I had my "ca" certificate, I used it to sign a second certificate:
    makecert -pe -n "CN=slate" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -ic slate-ca.crt -is slate-ca.isb slate.crt
    I double-clicked the file (slate.crt) to install the second certificate.
    Then I went to Directory Security tab of the web site properties in Internet Services Manager and opened the Certificate wizard by clicking the Server Certificate button (see my original answer above if you need a refresher on how to do this). I chose Assign an Existing Certificate and picked the certificate I just made from the list. I clicked OK, made sure SSL was set to the correct port and restarted IIS.

    ON MY DESKTOP:

    I opened my browser (Internet Explorer 5.0) and pointed it at the server. (https://slate/ ...don't forget the "s" in https) The page loaded correctly and I got the "do you want to trust this certificate" prompt as expected. I then closed my browser.
    I copied the certificate intended for distribution (slate-ca-disto.cer) onto my desktop computer. I double-clicked the certificate in Windows Explorer and chose Install.
    I then restarted my browser and pointed it at the server again. This time, the page came up with no prompt and the lock lit, precisely as expected.

    **********************************************************************
    I believe this answers your question, as well as your additional questions regarding special configurations such as building your own certificate chain. At this point, I feel that we are starting to drift outside the scope of the original question, so if you have additional questions you should post them separately.
    I strongly recommend you read all of the documentation I've provided, as I'm sure it will help you greatly. If you continue to find makecert too difficult, you should strongly reconsider the Certificate Server method as it is significantly easier.
    Again, good luck with your endeavor!

    Best wishes,

    -Spot


  • BTW when I tried that "makecert -r -pe -n "CN=www.yourserver.com" -b 01.01.2000 -e 01.01.2099 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 ", I got an "Invalid input parameter for option -b."
    Then when I removed the "-b" option, I got the same message for option -e. I have no idea what the -eku option is (I mean what are the OIDs and why are they even needed?). Then when I removed the -e option, makecert gave me the error message: "Error: Can't create the key of the subject ('') Failed" This looks like another wild goose chase Microsoft intended for those foolish enough to be interested. I don't see anything straightforward about this except the theory.


  • Hi,

    I apologize for taking so long in getting back with you. I was away from home this weekend and did not get back to my computer until now.

    I'm going to try to break down your clarification request into sections so that it's a little more manageable, and so that I can explain things in an order that should hopefully be easier to follow.

    ********************************************************************** Q: "Also, for the test certificate, don't most browsers put up a warning and permit you to use the untrusted key so why couldn't you use it for the public?"
    A: Yes, most current browsers do. I believe some of the information I originally supplied you was somewhat out of date, and I apologize if I've caused any unnecessary confusion. I've double checked my facts with my brother, who writes SSL applications for a living, and this is how it works:
    - If your browser supports SSL 2.0 or greater, then you are correct: you will get a warning and you can elect to accept the untrusted key if you so choose. I believe (but I'm not sure) that the minimum browser that will allow you to do this is IE 4.0. I do not know what the corresponding version number is for Netscape/Mozilla or other browsers.
    - If your browser does NOT support SSL 2.0--or the user has a current browser, but has disabled the newer SSL--then the site will be completely inaccessible unless you distribute and install the key directly into the browser.
    - If you want to be accepted as a trusted root certificate authority (and avoid the warning message), then again you must download and install the certificate directly into the browser. (In IE, Internet options -> Certificates -> Import)
    So, in theory, yes... if your visitors don't mind the warning, and you know that only people with newer browsers will be visiting your site, then you could do that. However, there are still some risks involved in doing that, which I'll explain.
    When I said "public" site, I was making the following key assumption:

    - Public sites primarily want SSL in order to engage in e-commerce.

    A self-signed certificate is unacceptable to many people for e-commerce and similar applications, and here's why:
    SSL does three very important things:

    1) Encrypts your data
    2) Proves you are who you say you are
    3) (optional) Can be used to restrict access to your site

    Both self-signed (test) certificates and certificates signed by a proper certificate authority (such as VeriSign) encrypt the data. For some applications, encryption alone provides enough protection. For example, in the case of the corporate intranet, your only concern may be protecting the data that is served by the corporate server and shielding it from prying eyes outside the company. If you had a public site with a similar need (where only the data on the server is important, and the data submitted by the client is unimportant) then a self-signed certificate is sufficient.
    However, if you self-sign your certificate, you automatically lose benefit #2. Self-signed certificates are in effect unauthenticated... they do not prove that you are who you say you are. This has several implications. Most importantly, the client who is sending the data cannot be sure who they are sending the data to. Obviously, for applications like e-commerce, this is unacceptable to most people. The user could be sending his or her credit card number to practically anybody, with little or no way to verify that the recipient is even a real business. On the other side of the coin, you may also be putting yourself at greater risk of "website spoofing" or so-called "man in the middle attacks". In this kind of attack, a third party redirects traffic from your site by dns poisoning, hyperlink spoofing, typosquatting or other similar means to their own fraudulent site... that happens to look just like your legitimate site, thereby encouraging users to enter sensitive information that they would normally only provide to you. (Some such hacks in fact proxy the real site through a middle man that collects the data as it passes by.) While there are some browser exploits that allow even sites with certificates signed by a certificate authority to be spoofed, by signing your own certificates you make it even easier for a hacker to execute this kind of fraud because they no longer need to fake a certificate that appears as if it came from a trusted source... your site is already established as "untrusted".
    Beyond the technical considerations, there are business and legal considerations to think about if you want to use a self-signed certificate for a public site. First and foremost, most users are timid about entering their credit card number online to begin with, and an additional scary-looking dialog will scare a lot of them off. Furthermore, if your site is hacked or impersonated and sensitive data is exposed, you may be liable. I'm not saying that a self-signed certificate will necessarily open you up to a lawsuit... but it certainly could make things worse, as anything that furthers the perception that your data handling practices are not up to snuff tends to increase your potential liability when something goes wrong.
    With all that in mind, I have a hard time recommending self-signed certificates to people who want to use them for public sites except for limited applications. Of course, you know your intended use best and in the end the decision is entirely up to you.

    Risks of Unauthenticated SSL Certificates
    http://www.verisign.com/resources/gd/authentication/risks.html

    How Secure Sockets Layer Works
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q245152

    SSL Vulnerabilities
    http://www.dsd.gov.au/talks/Auscert2002.pdf

    Microsoft IE SSL Spoofing Vulnerability
    http://www.safermag.com/html/safer37/alerts/55.html


    **********************************************************************
    Q: "Ideally, I'd like to be a 'certificate authority' for all the webservices in our intranet. I'd like to distribute 1 private certificate and have all our ssl'd websites not come up with that warning. Is there a way I can accomplish that with just makecert?"
    A: Yes, I believe you can. You should be able to create your self-signed certificate and then use that certificate as a trusted root to sign other certificates. Other certificates you create are then chained to that first certificate. As long as that first certificate has been installed as a trusted root in the browser, then none of the certificates should cause a warning.
    Incidentally, one of the Microsoft articles I referenced earlier had a fantastic suggestion for distributing the trusted root certificate. They suggested using the IEAK to build your own IE distribution with the certificate already installed. I know a lot of companies like to distribute customized versions of IE already, so if this is something you are already doing or considering doing, you might want to look into that as a convenience to your users.

    ********************************************************************** Q: "I downloaded makecert.exe but I'm still confused about all the options and how to feed it my csr.txt file on the certificate signing machine for the website hosting machine."
    A: Unfortunately, I have not used makecert myself, but from my reading it appears that the options that would normally appear in your certificate request are passed on the command line instead.
    I found several posts where people have successfully used makecert to make self-signed certificates, both for securing transactions and for signing software.
    This post describes closely what you seem to be after, although it is targeted at using certificates to sign software instead of for transmitting data. However, he uses the technique of creating a self-signed trusted root certificate which he uses for signing all of his other certificates:
    "Re: Programmatically Set IE5 Security Options", microsoft.public.scripting.vbscript http://groups.google.com/groups?q=+makecert+self-signed+%22trusted+root%22+(ie+OR+%22internet+explorer%22)&hl=en&lr=&ie=UTF-8&selm=O4ArA%24V4%24GA.254%40cppssbbsa04&rnum=1

    This is the command line that the author used to make the trusted root certificate:
    makecert -r -sk "MYCOMPANY.ISB" -ss MYCOMPANY.ISB -sr Localmachine -$ commercial -n "CN=MYCOMPANY.ISB.SM" -m 12 MYCOMPANYISB.crt

    A programmer overseas, which I believe I referenced before, suggests using the following alternate command line (filling in your own machine name, of course):
    makecert -r -pe -n "CN=www.yourserver.com" -b 01.01.2000 -e 01.01.2099 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -a sha1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

    How to use makecert to create a self-signed test certificate that can be used with IIS for SSL http://www.inventec.ch/chdh/notes/14.htm

    A different post suggested the following very similar syntax would also work:
    makecert -pe -n CN=mymachine -ss MY -sr localMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "TestCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mymachine.cer

    RE: How to get certificate made with makecert to work with IIS
    http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2002-07/2078.html
    It seems that there are two critical flags that you will need to use to get your certificate generated properly:
    -r which indicates that the certificate is self-signed.
    -pe which indicates that the certificate is exportable.

    The best thing I can recommend is to read the documentation for makecert. You can find the complete list of command-line options for makecert in the MSDN at:
    Certificate Creation Tool (Makecert.exe)
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfcertificatecreationtoolmakecertexe.asp
    **********************************************************************
    Q: "And if I use makecert, what exported file would I distribute to others in my 'intranet' group?"
    A: I believe what you need to do is install the certificate you created with makecert to the trusted root certificates store on your local machine. Once it is installed, export it without the private key. The exported file *without* the private key is what you want to distribute. The important part is that you distribute only your public key and not your private key.

    **********************************************************************
    I hope this tells you what you need to know. SSL is a large and technical topic. If you're interested in learning more, you may want to consider getting some books from your local library. O'Reilly publishes some very good books on SSL, as well as some excellent books on server administration. If you're having difficulty with Certificate Server, you might also try contacting Microsoft technical support to get it working again. Certificate Server appears to be a significantly easier route than makecert.
    If you're still considering getting a certificate signed by a trusted authority down the road, you might also want to consider using a test certificate generated by one of the certificate authorities in the meantime... it would certainly be a lot less work than signing it yourself. Many will provide limited-use or time-limited trial certificates free of charge.
    Sincerely,

    -Spot


  • Thank you for your answers and patience. Call me lame, but I'm still not able to walk thru a self-signing using the certificate request with makecert (but of course, I can't find/setup certificate server right). I'm having way better luck with openssl. I don't have to guess as much as to what would make things work and what is meant and what is intended.


  • It's fairly straightforward, although tedious, to generate a self-signed certificate using IIS although I'm not sure why you'd want to... especially if you are planning on replacing it with a "real" certificate later. Private certificates are useful for certain applications, like protecting a corporate intranet, but they have a number of limitations that prevent them from being used for the other kinds of things that most people want to use SSL for. In particular, you'll need to give everyone who you want to connect to your site a copy of the certificate whether by e-mail or otherwise, which they will then need to install into their browser before they can visit your site. Obviously that is not practical if you intend your site to be for public consumption. Even for testing purposes, it is much easier just to purchase a certificate if you know that this is the route you will eventually go. However, if you feel you have a use, and you'd like to try it, I'm happy to give you a guide on what you need to do to sign your own certificate.
    First things first, you'll need to generate a Certificate Signing Request. You can find the tool for generating a CSR for IIS under the Internet Services Manager, which you will find in the Administrative Tools folder on your start bar.
    - From Internet Services Manager, select Default Website or the web site you want to generate the certificate for, right click it and select Properties.
    - From the Properties dialog, select the Directory Security tab.

    - Click the button that says Server Certificate. A wizard will appear. Choose Create New Certificate and click Next.
    - On the next screen, choose Prepare the Request Now and then click Next.
    - Follow the prompts on the next several pages to fill in your name, domain name and other required information.
    - After you fill in the required information, you will be prompted for a file name to save the CSR to. Enter a file name and then complete the wizard.
    After you have generated the CSR, be sure to make a backup of the private key. If you use this CSR to purchase a certificate, but you lose the private key, you won't be able to use the certificate you purchased so make sure you keep a copy somewhere safe.
    To self-sign a certificate, you will either need makecert.exe, found on the Platform SDK, or you will need to use Microsoft Certificate Server. Microsoft recommends Certificate Server as the preferred method. Assuming you already have Certificate Server installed, you will need to complete the following steps:
    - Open Internet Explorer and browse to http://servername/CertSrv, and select Request a Certificate.
    - Select Advanced Request and click Next.

    - Choose Submit a Certificate Request Using a base64 encoded PKCS #10 file then click Next.
    - Paste the entire contents of the CSR file--including the BEGIN and END lines--into the Base64 Encoded Certificate Request box and click Submit.
    - Close your browser.

    - On the Certificate Server computer, open the Certification Authority MMC.
    - Expand the tree underneath the server name, and choose Pending Requests. Right-click your certificate, click All Tasks, and then click Issue.
    - Open your browser and browse to the certificate server again. Choose Check on a Pending Certificate and click Next.
    - Select your request, then click Next.

    - Select DER encoded, then click the Download CA certificate link. Save the certificate file to disk on your IIS server.
    Once you've generated the test certificate, you'll need to install it into your server in order to use it.
    - Open Internet Information Services MMC, and again, right click on the web site you wish to add the certificate to and click Properties.
    - Select the Directory Security tab, then click Server Certificate. This will open the wizard.
    - Select Process the Pending Request and click Next.

    - Enter the path and file name of the private certificate that you created. Click Next until you finish the wizard.
    - Click the Web Site tab, and make sure that the SSL Port text box is set to 443 (or whatever alternate port you want SSL to run on) and click OK.
    That should get IIS up and running. After you've created your private certificate, you will need to import it into Internet Explorer in order to connect to your site using SSL:
    - From the Tools menu, choose Internet Options

    - Select the Content tab, then click the Certificate button.

    From there, you will need to import the certificate. You may need to import the certificate as a Trusted Root Certification Authority in order for it to work properly.
    As you guessed, a similar process is followed for systems running Apache, with some variations depending on whether you're running OpenSSL or mod_ssl components. Under OpenSSL, certificates can be signed using the ca command. The complete process is rather lengthy, but if you are interested, you can read more about one approach here:
    Introducing SSL and Certificates using SSLeay
    http://www.pseudonym.org/ssl/wwwj-index.html

    I'm not 100% sure, but I do not believe that you can use the same CSR to generate a private certificate and purchase a certificate. I believe that you need to generate a new CSR. When you decide to purchase a certificate, you should ask the service from whom you purchase the certificate what you should do. They will be able to advise you on the correct approach.
    I hope this answers your question. If you need any further clarification, do not hesitate to ask.
    Good luck with your project,

    -Spot



    Generating a Certificate Signing Request (CSR) using IIS 5.x
    http://certs.centurywebdesign.co.uk/support/csr_generation/iis5.html

    Generating a Key Pair and CSR for Microsoft IIS 5.0
    http://www.ssl.com/support/iis50.jsp

    HOWTO: Set Up SSL Using IIS 5.0 and Certificate Server 2.0
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;299525

    HOW TO: Configure SSL in a Windows 2000 IIS 5.0 Test Environment by Using Certificate Server 2.0 http://support.microsoft.com/default.aspx?scid=kb;EN-US;290625#4

    Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and Digital Certificates http://msdn.microsoft.com/msdnmag/issues/01/04/SSL/default.aspx

    How to use makecert.exe to create a self-signed test certificate
    http://www.inventec.ch/chdh/notes/14.htm

    Introducing SSL and Certificates using SSLeay
    http://www.pseudonym.org/ssl/wwwj-index.html


    Search Strategy:
    certificate signing request iis
    ://www.google.com/search?q=certificate+signing+request+iis&hl=en&lr=&ie=ISO-8859-1
    "private certificate" iis
    ://www.google.com/search?q=%22private+certificate%22+iis&hl=en&lr=&ie=UTF-8&start=10&sa=N