I'm trying to set up a script to generate SSL certificates for use with IIS. I'm trying to get certificates signed by a self-signed CA cert to work. I'm 99% there but something is still wrong.
This is for use with MSExchange SSL certs. I want to have long life self signed certificates and to have a root cert which I can install on devices like smartphones which will allow me to trust other certs I have signed with it, like SSL certs.
This is what I'm doing:
/// create a private root cert
openssl genrsa -des3 -out work\Private-CA.key 2048
openssl req -new -x509 -days 3650 ^
    -key work\Private-CA.key ^
    -out work\Public-CA.CRT
/// Create an SSL cert request
openssl genrsa -des3 -out work\Certificate-Request.key 2048
openssl req -new ^
    -key work\Certificate-Request.key ^
    -out work\SigningRequest.csr
/// Sign the request with the root cert
openssl x509 -req -days 3650 -extensions v3_req ^
    -in work\SigningRequest.csr ^
    -CA work\Public-CA.CRT ^
    -CAkey work\Private-CA.key ^
    -CAcreateserial ^
    -out work\SSL-Cert-signed-by-Public-CA.CRT
The first 4 commands seem to be fine. The final command is generating a certificate which has the attributes I want.
I import the Public-CA.CRT into the machine store as a trusted root certificate. I then use Exchange's Import-ExchangeCertificate cmdlet to try and import SSL-Cert-signed-by-Public-CA.CRT. This fails with a message saying that the certificate is not trusted.
It would appear it is not being signed. If I import the SSL cert into the machine personal store, it also indicates that it doesn't have a certification route.
Can anyone with a better knowledge of this see what I'm missing?
As an aside: Is there any way, from the command line, of asking openssl if Certificate X has been signed by Certificate Y?
This should work but doesn't:
openssl verify -cafile Public-CA.CRT SSL-Cert-signed-by-Public-CA.CRT
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
Adding -purpose doesn't make matters any better.
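As an added example (not code from the original post), here is a POSIX shell version of the same procedure that also answers the aside: signed_by checks whether certificate X validates against a trust store containing only certificate Y. It assumes openssl is on the PATH; the hostname mail.example.test, the server.ext file and the function names are constructed for this example. Two details differ from the commands above: the verify option is -CAfile with a capital CA (as the usage text shows), and the signing step passes its extensions via -extfile, since openssl x509 -req only reads extensions from the file given there.

```shell
#!/bin/sh
# Added example: build a private root CA, sign a server certificate from a CSR,
# and verify the chain. Assumes openssl is installed; names are constructed.
set -eu

WORK=${WORK:-./work}

make_chain() {
  mkdir -p "$WORK"
  # 1. Root CA key + self-signed CA certificate (10 years). -nodes leaves the key
  #    unencrypted so the script runs unattended; use -des3 as in the post if you
  #    want a passphrase on the CA key.
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$WORK/Private-CA.key" -out "$WORK/Public-CA.CRT" \
    -subj "/CN=Example Private Root CA"
  # 2. Server key + certificate signing request.
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$WORK/Certificate-Request.key" -out "$WORK/SigningRequest.csr" \
    -subj "/CN=mail.example.test"
  # 3. Extensions for the server cert. x509 -req adds extensions only from the
  #    file named by -extfile; "-extensions v3_req" alone adds nothing.
  cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
  openssl x509 -req -days 3650 -in "$WORK/SigningRequest.csr" \
    -CA "$WORK/Public-CA.CRT" -CAkey "$WORK/Private-CA.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/SSL-Cert-signed-by-Public-CA.CRT"
}

# "Was certificate X signed by certificate Y?": verify X using Y as the only
# trust anchor. The option is -CAfile (capital CA); -cafile is not recognised
# and prints the usage text. Returns 0 when the chain validates, non-zero otherwise.
signed_by() { # $1 = certificate to check, $2 = issuing CA certificate
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run make_chain once, then `signed_by work/SSL-Cert-signed-by-Public-CA.CRT work/Public-CA.CRT` is the command-line check the aside asks for.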