Saturday, 26 March 2016

Using OpenSSL to generate personal certificates on Mac OS X and Windows

Following on from a previous post: -


and, from my ongoing voyage of discovery this weekend: -

Mac

Generate Private Key

openssl genrsa -out ~/macintosh.uk.ibm.com.key 2048

Create Certificate Signing Request

openssl req -new -sha256 -key ~/macintosh.uk.ibm.com.key -out ~/macintosh.uk.ibm.com.csr


Generate Personal Certificate using Certificate Signing Request ( on Windows Server 2008 R2 )

certreq.exe -submit -attrib "CertificateTemplate:User" macintosh.uk.ibm.com.csr macintosh.uk.ibm.com.cer

Combine Private Key, Personal Certificate and Certificate Signing Request into PKCS12 Export File ( .pfx )

openssl pkcs12 -export -out macintosh.uk.ibm.com.pfx -inkey macintosh.uk.ibm.com.key -in macintosh.uk.ibm.com.cer -certfile macintosh.uk.ibm.com.csr 

The .pfx file can then be imported into a browser such as Firefox, which expects an import to (a) include the private key, (b) include the personal certificate and (c) have a password set on the import file.

Windows

Set Up Path to OpenSSL Configuration

set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

Generate Private Key

c:\OpenSSL-Win32\bin\openssl.exe genrsa -out c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.key 2048

Create Certificate Signing Request

c:\OpenSSL-Win32\bin\openssl.exe req -new -sha256 -key c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.key -out c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.csr

Generate Personal Certificate using Certificate Signing Request ( on Windows Server 2008 R2 )

certreq.exe -submit -attrib "CertificateTemplate:User" c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.csr c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.cer

Combine Private Key, Personal Certificate and Certificate Signing Request into PKCS12 Export File ( .pfx )

c:\OpenSSL-Win32\bin\openssl.exe pkcs12 -export -out c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.pfx -inkey c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.key -in c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.cer -certfile c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.csr 

Note: this fails with "unable to load certificates". It appears that, with Windows, one does NOT need to provide the CSR, merely the private key and personal certificate:

c:\OpenSSL-Win32\bin\openssl.exe pkcs12 -export -out c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.pfx -in c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.cer -inkey c:\Users\Administrator\Desktop\w2k8.uk.ibm.com.key
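The check below is an added example, not part of the original post: it confirms that key, CSR and issued certificate share one public key, shows that a CSR does not parse as a certificate (`-certfile` is for additional certificates), and builds the .pfx from key and certificate only. It assumes OpenSSL 1.0.0 or later; the file names, subject and password are constructed, the function names are hypothetical, and a self-signed certificate stands in for the one returned by certreq.exe.

```shell
#!/bin/sh
# Added example. File names, subject and password are constructed placeholders.

# Print the public key held in a private key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|cer, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        cer) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeed only when key, CSR and issued certificate carry the same public key.
same_keypair() {  # $1 = key, $2 = csr, $3 = cer
    k=$(pubkey_of key "$1") && [ -n "$k" ] || return 1
    [ "$k" = "$(pubkey_of csr "$2")" ] && [ "$k" = "$(pubkey_of cer "$3")" ]
}

# True if the file parses as an X.509 certificate (a CSR does not).
is_certificate() { openssl x509 -in "$1" -noout 2>/dev/null; }

# Bundle key + certificate only; the password comes from $PFX_PASS, not argv.
build_pfx() {  # $1 = key, $2 = cer, $3 = out.pfx
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# SHA-256 fingerprint of the certificate stored inside a .pfx.
pfx_cert_fp() {  # $1 = .pfx
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Constructed sample run; a self-signed certificate stands in for certreq.exe.
d=$(mktemp -d) && export PFX_PASS='constructed-sample-password'
openssl genrsa -out "$d/demo.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$d/demo.key" -subj "/CN=demo.example" -out "$d/demo.csr"
openssl x509 -req -sha256 -days 1 -in "$d/demo.csr" -signkey "$d/demo.key" -out "$d/demo.cer" 2>/dev/null
same_keypair "$d/demo.key" "$d/demo.csr" "$d/demo.cer" && echo "key, CSR and certificate match"
is_certificate "$d/demo.csr" || echo "CSR is not a certificate: keep it out of -certfile"
build_pfx "$d/demo.key" "$d/demo.cer" "$d/demo.pfx" && pfx_cert_fp "$d/demo.pfx"
```

The fingerprint printed at the end should equal `openssl x509 -in demo.cer -noout -fingerprint -sha256`, which confirms the .pfx holds the issued certificate.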

For the record, on the Mac, I have this version of OpenSSL: -

openssl version

OpenSSL 0.9.8zh 14 Jan 2016

c:\OpenSSL-Win32\bin\openssl.exe version

OpenSSL 1.0.2g  1 Mar 2016
