Monday, February 29, 2016

windows server 2008 - SSL certificate generated with openssl doesn't have certification root

I'm trying to set up a script to generate SSL certificates for use with IIS. I'm trying to get certificates signed by a self-signed CA cert to work. I'm 99% there but something is still wrong.
This is for use with MS Exchange SSL certs. I want to have long-life self-signed certificates and to have a root cert which I can install on devices like smartphones, which will allow me to trust other certs I have signed with it, like SSL certs.



This is what I'm doing:




/// create a private root cert
openssl genrsa -des3 -out work\Private-CA.key 2048

openssl req -new -x509 -days 3650 -key work\Private-CA.key -out work\Public-CA.CRT

/// Create an SSL cert request
openssl genrsa -des3 -out work\Certificate-Request.key 2048

openssl req -new -key work\Certificate-Request.key -out work\SigningRequest.csr

/// Sign the request with the root cert
openssl x509 -req -days 3650 -extensions v3_req -in work\SigningRequest.csr -CA work\Public-CA.CRT -CAkey work\Private-CA.key -CAcreateserial -out work\SSL-Cert-signed-by-Public-CA.CRT


The first 4 commands seem to be fine. The final command is generating a certificate which has the attributes I want.



I import the Public-CA.CRT into the machine store as a trusted root certificate. I then use Exchange's Import-ExchangeCertificate cmdlet to try and import SSL-Cert-signed-by-Public-CA.CRT. This fails with a message saying that the certificate is not trusted.

It would appear it is not being signed. If I import the SSL cert into the machine personal store, it also indicates that it doesn't have a certification root.




Can anyone with a better knowledge of this see what I'm missing?



As an aside: Is there any way, from the command line, of asking openssl if Certificate X has been signed by Certificate Y?
This should work but doesn't:



openssl verify  -cafile Public-CA.CRT SSL-Cert-signed-by-Public-CA.CRT
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server

nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper


adding -purpose doesn't make matters any better.
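The following script is an added example, not part of the original post and not an answer from the Server Fault thread. It reproduces the post's pipeline (private CA, CSR, CA-signed server certificate) in a form that can be run unattended and then checked from the command line. Two details differ from the commands in the post and are assumptions about what a practitioner would want: both certificates get an explicit, distinct `-subj` (the post's `req` commands take interactive defaults for the CA and for the request, so the two subjects can end up identical), and the extensions are supplied through `-extfile`, because `openssl x509 -req -extensions v3_req` without `-extfile` adds no extensions at all. The closing check answers the aside: `openssl verify -CAfile <CA> <cert>` (note the capital CA; the usage text in the post shows the option is spelled `-CAfile`) reports whether the certificate chains to that CA. All file names, subjects and the `mail.example.test` host name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a private root CA, sign a
# server certificate with it, and confirm the chain with "openssl verify".
# Assumes "openssl" is on PATH. Keys are written unencrypted (no -des3) so the
# script runs without passphrase prompts; the DNs below are constructed.
set -eu

build_and_verify() {
    work="$1"
    mkdir -p "$work"

    # --- 1. Private root CA ------------------------------------------------
    # basicConstraints CA:TRUE and keyCertSign are what mark this certificate
    # as something that may sign other certificates.
    openssl genrsa -out "$work/Private-CA.key" 2048 >/dev/null 2>&1
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$work/ca.ext"
    openssl req -new -key "$work/Private-CA.key" \
        -subj "/O=Example Org/CN=Example Private Root CA" \
        -out "$work/Public-CA.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$work/Public-CA.csr" \
        -signkey "$work/Private-CA.key" -extfile "$work/ca.ext" \
        -out "$work/Public-CA.CRT" >/dev/null 2>&1

    # --- 2. Server key and signing request ---------------------------------
    # The subject is deliberately different from the CA's subject.
    openssl genrsa -out "$work/Certificate-Request.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$work/Certificate-Request.key" \
        -subj "/O=Example Org/CN=mail.example.test" \
        -out "$work/SigningRequest.csr" >/dev/null 2>&1

    # --- 3. Sign the request with the root CA ------------------------------
    # End-entity extensions: not a CA, TLS server usage, SAN for the host name,
    # and an authorityKeyIdentifier pointing back at the CA.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:mail.example.test' \
        'authorityKeyIdentifier=keyid,issuer' > "$work/server.ext"
    openssl x509 -req -days 3650 -in "$work/SigningRequest.csr" \
        -CA "$work/Public-CA.CRT" -CAkey "$work/Private-CA.key" -CAcreateserial \
        -extfile "$work/server.ext" \
        -out "$work/SSL-Cert-signed-by-Public-CA.CRT" >/dev/null 2>&1

    # --- 4. Was this certificate signed by that CA? -----------------------
    # "openssl verify" builds the chain from the leaf to the given CA file and
    # exits non-zero if the signature or the chain does not check out.
    if openssl verify -CAfile "$work/Public-CA.CRT" \
        "$work/SSL-Cert-signed-by-Public-CA.CRT" >/dev/null 2>&1; then
        echo ok
    else
        echo "chain check failed" >&2
        return 1
    fi
}

# Stand-alone usage: build everything under ./work and print "ok" on success.
if [ "${1:-}" = "--run" ]; then
    build_and_verify "${2:-./work}"
fi
```

Once the chain verifies with OpenSSL, the same two files can be imported on the Windows side: Public-CA.CRT into the machine's Trusted Root Certification Authorities store and SSL-Cert-signed-by-Public-CA.CRT (with its key) into the Personal store. If OpenSSL reports the chain as OK but Windows still shows no certification path, the remaining suspects are the store the CA landed in and the subject names, both of which `openssl x509 -noout -subject -issuer -in <cert>` lets you inspect directly.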
