Friday, January 4, 2013

Creating Windows 2008 Self-Signed Certificates

Creating a Self-Signed Certificate on Windows Server 2008/2008 R2 without IIS

Warning: Enterprise Root CA services need to be designed and implemented properly rather than simply installed on a whim to generate a certificate!

Problem

It's not possible to generate a self-signed certificate on Windows Server 2008/2008 R2 without having to install IIS.


Option #1

Back in Windows 2003 with IIS 6 there was a tool called SelfSSL to generate and assign self-signed certificates. SelfSSL is bundled with Microsoft's IIS 6.0 Resource Kit Tools.
SelfSSL is technically not compatible with IIS 7.0; however, we found out that we can still use it to generate a self-signed certificate on newer servers!
Download and install SelfSSL only; no additional tools are needed from the kit.

Launch SelfSSL by going to Start > Programs > IIS Resources > SelfSSL > SelfSSL
(Note: You must run SelfSSL elevated as an Administrator.)
selfssl.exe /N:CN=fqdn.domain.server /K:2048 /V:365
The above command generates a new certificate with a key length of 2048 bits and a validity period of 1 year (365 days).

When prompted to overwrite the settings for site 1, answer yes.
* An error opening the metabase will appear, but it can be ignored because IIS is not installed on the server.
You will now find the certificate in the local computer certificate store, ready for use.

Option #2

Use OpenSSL to generate a certificate for SSL connections.

Preparation:
1. Download the OpenSSL installer from the following link: http://slproweb.com/download
If you have problems running OpenSSL, you may also need to download and install the Visual C++ 2008 installer.

2. Open the command prompt (Run As Administrator) and change to the bin folder of the installation path. In this instance the default is "C:\OpenSSL-Win32\bin".

Procedure:
1. Generate the private key: openssl genrsa -out priv.key 2048
Note: You might get a warning message: "can't open config file: /usr/local/openssl.cnf". In this case you need to set the path to the .cfg file supplied with the installation: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg. If you get no messages, the command succeeded.
2. Enter the following command: openssl req -new -key priv.key -out server.crt -x509 -days 365. This generates a self-signed certificate in X.509 format (carrying the public key) from the private key generated above, with an expiration date 365 days from now.
You will be asked to enter the following information:
  1. Country Name (2 letter code) [AU]:
  2. State or Province Name (full name) [Some-State]:
  3. Locality Name (eg, city) []:
  4. Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  5. Organizational Unit Name (eg, section) []:
  6. Common Name (e.g. server FQDN or YOUR name) []:xyz.MyCloudNas.com
  7. Email Address []:
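The same two OpenSSL steps, as an added example that is not part of the original post: a POSIX shell script that runs them non-interactively (the subject fields the prompts ask for are supplied from a small config file, and a subjectAltName is added because current browsers ignore the CN and require a SAN), then checks that the key and certificate match, that the certificate is self-signed, and that it has not expired. It assumes a POSIX shell and an openssl binary on PATH (the commands are the same ones the post types into the Windows prompt, only the paths differ); the host name xyz.MyCloudNas.com is the placeholder from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: POSIX sh, openssl on PATH.
# Generates a 2048-bit RSA key and a 365-day self-signed X.509 certificate,
# then verifies the result.

# Generate key + certificate into directory $1 for host name $2.
# Mirrors "openssl genrsa" and "openssl req -new -x509" from the post, but takes
# the subject from a config file instead of answering the prompts, and adds a
# subjectAltName plus server-only key usage extensions.
make_selfsigned() {
    outdir="$1"
    host="$2"
    mkdir -p "$outdir" || return 1
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = AU
ST = Some-State
O = Internet Widgits Pty Ltd
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Step 1 of the post: 2048-bit RSA private key.
    openssl genrsa -out "$outdir/priv.key" 2048 2>/dev/null || return 1
    # Step 2 of the post: self-signed certificate, 365 days, X.509 format.
    openssl req -new -key "$outdir/priv.key" -out "$outdir/server.crt" \
        -x509 -days 365 -config "$outdir/req.cnf" 2>/dev/null || return 1
    # The private key is the secret: only its owner should be able to read it.
    chmod 600 "$outdir/priv.key"
}

# Check that the certificate and key belong together (same RSA modulus), that
# the certificate is self-signed (issuer == subject) and has not expired, then
# print the fields an operator usually wants to see. Returns non-zero on failure.
check_selfsigned() {
    outdir="$1"
    keymod=$(openssl rsa -noout -modulus -in "$outdir/priv.key" 2>/dev/null) || return 1
    certmod=$(openssl x509 -noout -modulus -in "$outdir/server.crt") || return 1
    [ "$keymod" = "$certmod" ] || return 1
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -noout -in "$outdir/server.crt" -checkend 0 >/dev/null || return 1
    issuer=$(openssl x509 -noout -issuer -in "$outdir/server.crt")
    subject=$(openssl x509 -noout -subject -in "$outdir/server.crt")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    openssl x509 -noout -subject -dates -in "$outdir/server.crt"
    openssl x509 -noout -text -in "$outdir/server.crt" | grep -A1 'Subject Alternative Name'
}
```

Run it as `make_selfsigned ./out xyz.MyCloudNas.com` followed by `check_selfsigned ./out`. The modulus comparison is the quick way to catch the common mistake of pairing a certificate with the wrong key file; the issuer/subject comparison is what "self-signed" means in practice, and is also why clients will warn until the certificate is explicitly trusted.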
