Skip to content

Files

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Latest commit

MaiklTMaiklT
Update index.md
Aug 30, 2024
b09b35f · Aug 30, 2024

History

History
284 lines (162 loc) · 9.45 KB

index.md

File metadata and controls

284 lines (162 loc) · 9.45 KB
uid locale title dnnversion
set-up-iis-https
en
Enable and Set Up IIS
09.02.00

Create a Trusted Certificate for Internal Webservers

Important notice: these instructions are meant for a local development machine or an intranet site, not for a public website.

Prerequisites

Enable and Set Up IIS

Download OpenSSL. You need the "full" version (not the "light" one).

Download the full version

Steps

  1. Install OpenSSL.

    Copy the OpenSSL DLLs to The OpenSSL binaries (/bin) directory during installation.

    Install OpenSSL

  2. Create some directories.

    • RootPath\Certificates
      • RootPath\Certificates\RootCA
      • RootPath\Certificates\SiteName
        • RootPath\Certificates\SiteName\.rnd
        • RootPath\Certificates\SiteName\newcerts

    RootPath is somewhere on your hard disk, e.g. C: or D:\Workspace

    SiteName is the directory for the site you want to create the certificate for, e.g. dnndev.me

  3. Create two files in the SiteName:

    • index.txt and
    • serial (without extension)

    Edit the file serial with any text editor, enter "1000" (without the hyphens), save and close the file.

    Edit serial file

  4. Create a batch file in the RootPath\Certificates directory and name it envvars.bat:

    SET SITE2SIGN=%1
SET ROOTCA=.\RootCA
SET ROOTCA_COMPANY_NAME=*CompanyName*-RootCA
SET FQDN=%1

SET RANDFILE=.\%SITE2SIGN%\.rnd
SET OPENSSL_CONF=.\%SITE2SIGN%.cnf
SET OpenSSL_HOME=C:\Program Files\OpenSSL-WIN64

    (Change *CompanyName* to your company name)

  5. Create another batch file in the RootPath\Certificates directory and name it RootCA.bat:

    if [%1]==[] GOTO CERT_ONLY

REM Create the private key for the Root CA
openssl req -newkey rsa:2048 -sha256 -keyout %ROOTCA%\%ROOTCA_COMPANY_NAME%.key

:CERT_ONLY
REM Create the certificate for the Root CA
openssl req -new -x509 -days 3650 -key %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -out %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt

  6. Create another batch file in the RootPath\Certificates directory and name it ClientCert.bat:

    REM Create a key for the client
openssl req -newkey rsa:2048 -sha256 -keyout .\%SITE2SIGN%\%FQDN%.key

REM Create the certificate signing request
openssl req -new -key .\%SITE2SIGN%\%FQDN%.key -out .\%SITE2SIGN%\%FQDN%.csr

REM Sign the certificate for the client
openssl ca -days 365 -in .\%SITE2SIGN%\%FQDN%.csr -out .\%SITE2SIGN%\%FQDN%.crt -keyfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.key -cert %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -policy policy_anything

REM Export to Public-Key Cryptography Standards (PKCS)
openssl pkcs12 -export -in .\%SITE2SIGN%\%FQDN%.crt -inkey .\%SITE2SIGN%\%FQDN%.key -certfile %ROOTCA%\%ROOTCA_COMPANY_NAME%.crt -out .\%SITE2SIGN%\%FQDN%.p12

  7. Configure OpenSSL

    Copy the file C:\Program Files\Common Files\SSL\openssl.cnf to the RootPath\Certificates directory. Rename the file to SiteDirectory.cnf.

    Open the copied file with a text editor and make the following changes:

    1. Search for [ CA_Default ]. Change the line

      dir = ./demoCA

      to

      dir = ./*SiteName*

      (Change *SiteName* to the SiteName above)

    2. Uncomment (remove the "#") the line (a few lines below):

      copy_extensions = copy

    3. Search for [ req ]. Enter a new line between the lines starting with distinguished_name and attributes:

      emailAddress = *EmailAddress*

      (Change *EmailAddress* to your email address)

    4. Uncomment the line (a few lines below) - leave the inline comment (second hashtag):

      req_extensions = v3_req # The extensions to add to a certificate request

    5. Search for [ req_distinguished_name ]. Change the default country name ("AU") with your country (2 letter ISO code, eg. AT, NL, FR, DE...), eg.

      countryName_default = AT

    6. Change the line

      stateOrProvinceName_default = Some-State

      to your state, e.g.

      stateOrProvinceName_default = Tyrol

    7. Add a line after the line

      localityName = Locality Name (eg, city)

      with a localityName_default setting with the value of the name of your city, eg.

      localityName_default = Innsbruck

    8. Change the line

      0.organizationName_default = Internet Widgits Pty Ltd

      to

      0.organizationName_default = *CompanyName*

      (Change *CompanyName* to your company name)

    9. (optional) Uncomment the line

      organizationalUnitName_default =

      and add a unit name, eg.

      organizationalUnitName_default = IT Department

    10. Add a line after the line

      commonName = Common Name (e.g. server FQDN or YOUR name)

      with a commonName_default setting with the FQDN of your intranet webserver, eg.

      commonName_default = *SiteName*

      (Change *SiteName* to the SiteName above)

    11. Add a line after the line

      emailAddress = Email Address

      with an emailAddress_default setting with your email address, eg.

      emailAddress_default = *EmailAddress*

      (Change *EmailAddress* to your email address)

    12. Search for [ v3_req ]. Add two lines after the line

      keyUsage = nonRepudiation, digitalSignature, keyEncipherment

      with extendedKeyUsage and subjectAltName settings:

      extendedKeyUsage = serverAuth
subjectAltName = DNS:SiteDirectory.your.domain

    13. Search for [ v3_ca ]. Uncomment the two lines

      subjectAltName=email:copy
issuerAltName=issuer:copy

    14. Search for [ tsa_config1 ]. Change the line

      dir = ./demoCA

      to

      dir = ./*SiteName*

      (Change *SiteName* to the SiteName above)

    Save the file and close the editor.

  8. Create Root Certificate

    Open the Win64 OpenSSL Command Prompt and execute

    cd *RootPath*\Certificates
envvar.bat *SiteDirectory*
RootCA.bat new

    (Change *RootPath* and *SiteDirectory* to the appropriate values)

    You will find three files:

    • RootPath\Certificates\RootCA\CompanyName-RootCA.key
    • RootPath\Certificates\RootCA\CompanyName-RootCA.crt

    Copy the .key file to a really really safe place! This certifice is yalid for 10 years, but when you renew it you need the private key file, so don´t loose it!

    To renew the certificate in 10 years, you have to make sure that the .key file is in the RootCA directory, then execute

    RootCA.bat

  9. Create the Client Certificate

    Execute

    ClientCert.bat

    In your ClientCert directory you will find a file called index.txt.attr. Open it with any text editor and change the line

    unique_subject = yes

    to

    unique_subject = no

    Change index.txt.attr

    This allows you to re-generate the client certificate in case anything went wrong.

  10. Webserver

    1. If you have not done all of the above on your webserver, copy two files anywhere to it:

      • RootPath\Certificates\RootCA\CompanyName-RootCA.key
      • RootPath\Certificates\SiteName\SiteName.p12

    2. Start MMC, go to File :: Add/Remove Snap-in..., add Certificate, and select Local computer.

    3. Right click Trusted Root Certification Authorities and go to All tasks :: Import..., select the .crt file and place it in Trusted Root Certification Authorities.

      Import RootCA

    4. Right click Web Hosting and go to All tasks :: Import.... When browsing, select Personal Information Exchange (*.pfx, *.p12) as the file type and select the .p12 file. Select Web Hosting as the certificate store.

      Import Client Certificate

    5. Open IIS Management Console and add a binding to your website:

      Bind certificate to website

  11. Distibute Certificate

    Import the Root CA Certificate to all clients who will browse to the site as described above. In a Domain this can be done using group policies, see Distribute Certificates to Client Computers by Using Group Policy for details.