Generating an SSL certificate on Windows without IIS

From: http://luke.breuer.com/time/item/Generating_an_SSL_certificate_on_Windows_without_IIS/634.aspx



Luke Breuer
2009-09-30 22:26 UTC

Introduction
This article describes how to use OpenSSL, free software, to create certificate signing requests (CSRs) for SSL certificates, submit them to certificate authorities (CAs), and then process the response into a certificate file that can be imported into the Windows certificate store.

Almost every website that describes how to generate SSL certificates on Windows assumes the use of IIS, or Windows' Certificate Services. IIS does have a nice GUI for generating CSRs and then processing the response from the CA into a certificate Windows can use, but it is not always installed (SSL is used for more than just serving web pages). Windows' Certificate Services might not be used, especially for smaller businesses. I needed to create a certificate, signed by GoDaddy, for use by SQL Server. 
OpenSSL
OpenSSL is useful for many SSL-related things; in our case, we use it to:
  1. generate a CSR (to be sent to the CA) and a private key
  2. combine the response from the CA with the private key to create a certificate file Windows will import

I got most of my information from Useful OpenSSL Commands.
Install OpenSSL
I installed OpenSSL from SourceForge; I find that the first download labeled "setup" works well. 
Generate a CSR
Here's an example command that works on 64-bit Windows (notice the (x86)). 
>openssl req -new -newkey rsa:2048 -keyout hostkey.pem -nodes -out hostcsr.pem -config "c:\program files (x86)\gnuwin32\share\openssl.cnf" 

You'll note that the directions I linked to above do not specify the -config switch. It turns out that if you do not, OpenSSL will error out; this is because there is no default location for config files on Windows. Here is the error: 
Unable to load config info from /usr/local/ssl/openssl.cnf

After you run the above, you'll be prompted to enter information for the CSR. If using SQL Server, you need to enter the fully qualified domain name (FQDN) of the server as the Common Name. When prompted for 'extra' attributes, do not specify a challenge password, or you will get something like the following error:
Error adding attribute 
4516:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:./crypto/asn1/asn1_lib.c:381: 
4516:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:./crypto/x509/x509_att.c:317: 
problems making Certificate Request

If all went well, you will now have hostkey.pem and hostcsr.pem in the working directory. hostcsr.pem is what you send to the CA; often you'll just copy the contents into some text field in a web form. hostkey.pem contains your private key and should never be transmitted to a CA. 
Generate a PK12 (PKCS #12) certificate
If all went well, you should have gotten a response from your CA with something like a .crt file. I put in the equivalent of some.example.com as the Common Name and got the file some.example.com.crt from GoDaddy. Drop that file in the same directory as hostkey.pem, which you created when generating the CSR. Windows cannot directly use these two files; instead, you need to convert them into a PK12 file like so:
>openssl pkcs12 -export -in some.example.com.crt -inkey hostkey.pem -out some.example.com.p12 
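The CSR and PK12 steps above, scripted end to end as an added example (not code from the original post): it writes its own minimal openssl.cnf so the "Unable to load config info" error cannot occur, turns prompting off so no challenge password attribute is added, stands in a throwaway local CA for GoDaddy so it runs offline, and checks that the returned certificate actually belongs to hostkey.pem before exporting the .p12. It assumes a POSIX shell with openssl on PATH (on Windows, for example Git Bash); the openssl arguments are the same ones typed at the Windows prompt.

```shell
#!/bin/sh
# Added example: non-interactive CSR -> CA -> .p12 flow with a constructed test CA.
set -eu

FQDN="some.example.com"        # Common Name must be the server's FQDN
WORK="${WORK:-$(mktemp -d)}"   # working directory for all files
CNF="$WORK/openssl.cnf"        # explicit config: Windows has no default path

# Minimal config so `openssl req` never looks for /usr/local/ssl/openssl.cnf.
write_config() {
  printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n[ req_dn ]\nCN = %s\n' \
    "$FQDN" > "$CNF"
}

# Step 1: private key + CSR. -nodes leaves the key unencrypted (as in the post);
# prompt = no means no questions, hence no challenge password attribute.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -keyout "$WORK/hostkey.pem" -out "$WORK/hostcsr.pem" 2>/dev/null
  openssl req -in "$WORK/hostcsr.pem" -noout -verify >/dev/null 2>&1
}

# Stand-in for the CA (constructed for this example; a real CA does this step):
# a throwaway self-signed root signs the CSR and returns $FQDN.crt.
fake_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CNF" -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/hostcsr.pem" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$FQDN.crt" 2>/dev/null
}

# Step 2: refuse to bundle a certificate whose public key is not hostkey.pem's,
# then export the PKCS #12 file that the Windows certificate store imports.
make_p12() {
  k=$(openssl pkey -in "$WORK/hostkey.pem" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORK/$FQDN.crt" -pubkey -noout \
      | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ] || { echo "certificate does not match hostkey.pem" >&2; return 1; }
  openssl pkcs12 -export -in "$WORK/$FQDN.crt" -inkey "$WORK/hostkey.pem" \
    -out "$WORK/$FQDN.p12" -passout pass:changeit
}

# Runs the whole flow and prints the subject read back from the .p12 as a check.
run_all() {
  write_config && make_csr && fake_ca_sign && make_p12
  openssl pkcs12 -in "$WORK/$FQDN.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
```

The export password (changeit) is a placeholder; the same password is what the Windows import wizard asks for.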
Import the certificate into Windows
Now you're ready to import the certificate (some.example.com.p12). The following covers importing a certificate to be used by SQL Server; you might want to tweak where you import the certificate for other purposes.
  1. To open the Certificates snap-in, follow these steps:
    1. To open the MMC console, click Start, and then click Run. In the Run dialog box type: 
      mmc
    2. On the Console menu, click Add/Remove Snap-in....
    3. Click Add, and then click Certificates. Click Add again.
    4. You are prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
    5. Select Local computer, and then click Finish.
    6. Click Close in the Add Standalone Snap-in dialog box.
    7. Click OK in the Add/Remove Snap-in dialog box. Your installed certificates are located in the Certificates folder in the Personal container.
  2. Use the MMC snap-in to install the certificate on the server:
    1. Click to select the Personal folder in the left-hand pane.
    2. Right-click in the right-hand pane, point to All Tasks, and then click Import....
    3. Follow the wizard.

If you are setting up SQL Server encryption, all the above should fit nicely into this article.
