How to create Your Own Cert With OpenSSL on Windows

Howto: Make Your Own Cert With OpenSSL on Windows

Courtesy — Mr. Didier Stevens https://blog.didierstevens.com/

For your info: The author of this document Mr.Stevens have a video showing this howto.
First of all, on Windows you will need to install OpenSLL from binaries. I got these binaries.
I installed the latest version (v1.0.2a) and choose the 32-bit version (Win32). I choose the 32-bit version because this will work for every Windows machine: the 32-bit version works on 32-bit and 64-bit machines.
If you start the installation and get the following message:
20150322-214636
then you need to cancel the installation and install the Visual C++ 2008 Redistributables first. You can find download links on the same page. If you install Win32 OpenSSL (32-bit), install Visual C++ 2008 Redistributables, and if you install Win64 OpenSSL (64-bit), install Visual C++ 2008 Redistributables (x64).
The installation of the Redistributables is easy:
20150322-214721
20150322-214824
After this, you can restart the OpenSSL installation:
20150322-214846
20150322-214856
20150322-214906
20150322-214915
20150322-214936
20150322-214947
20150322-215041
20150322-215052
I will create the certificates in folder c:\demo. So go ahead and create this folder on your machine.
Then start a command-line prompt (cmd.exe), and go to the demo folder (type: cd \demo).
Before you start OpenSSL, you need to set 2 environment variables:
set RANDFILE=c:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
20150329-131855
Now you can start OpenSSL, type: c:\OpenSSL-Win32\bin\openssl.exe:
20150329-132229
And from here on, the commands are the same as for my “Howto: Make Your Own Cert With OpenSSL”.
First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
genrsa -out ca.key 4096
20150329-133539
If you want to password-protect this key, add option -des3.
Next, we create our self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:
req -new -x509 -days 1826 -key ca.key -out ca.crt
20150329-134436
The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.
Next step: create our subordinate CA that will be used for the actual signing. First, generate the key:
genrsa -out ia.key 4096
20150329-134753
Then, request a certificate for this subordinate CA:
req -new -key ia.key -out ia.csr
20150329-135132
Make sure that the Common Name you enter here is different from the Common Name you entered previously for the root CA. If they are the same, you will get an error later on when creating the pkcs12 file.
Next step: process the request for the subordinate CA certificate and get it signed by the root CA.
x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
20150329-135708
The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert (-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.
That’s all there is to it! Of course, there are many options I didn’t use. Consult the OpenSSL documentation for more info. For example, I didn’t restrict my subordinate CA key usage to digital signatures. It can be used for anything, even making another subordinate CA. When you buy a code signing certificate, the CA company will limit its use to code signing. And I did not use passwords to protect my keys. In a production environment, you want to protect your keys with passwords.
To use this subordinate CA key for Authenticode signatures with Microsoft’s signtool, you’ll have to package the keys and certs in a PKCS12 file:
pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
20150329-135931
If you did not provide a different Common Name for the root CA and the intermediate CA, then you’ll get this error:
Error self signed certificate getting chain.
error in pkcs12
To sign executables in Windows with the signtool: install file ia.p12 in your certificate store (e.g. double click it), and then use signtool /wizard to sign your PE file.
The certificates (.crt files) you created here can also be double-clicked in Windows to view/install them:
20150329-141511

Comments

Post a Comment

Popular posts from this blog

CDbConnection failed to open the DB connection mysql 8

Image
While accessing web configured with mysql 8 and php and you see the following error: CDbConnection failed to open the DB connection: SQLSTATE[HY000] [2054] The server requested authentication method unknown to the client OR  PHP Fatal error:  Uncaught PDOException: PDO::__construct(): The server requested authentication method unknown to the client [caching_sha2_password]  It maybe due to  PHP devs might have not implemented the MySQL's 8.0 connection protocol ( auth with caching_sha2_password ) within the newer PHP versions. If you want to use mysql >= 8 and you dont care about caching_sha2_password,  If you are running a fresh install of mysql 8, just select the second option as shown in the image. Otherwise, you need to  configure MySQL 8.0 to run in mysql_native_password mode. As it can't configured in my.cnf, change the user profile as:- ALTER USER 'mysqlUsername'@'localhost' IDENTIFIED WITH mysql_native_password BY 'mysqlUs...
Read more

/bin/sh^M: bad interpreter: No such file or directory Linux

While running a script in Linux, if you encounter an error such as : /bin/sh^M: bad interpreter: No such file or directory The error is due to incorrect format of the script. Most probably when the script is created in Windows and transferred to Linux. The script might have a dos line ending file. The clue is the ^M Inorder to resolve this error: Open the script in Linux using vim editor,  enter in vi command mode (key ESC), then type this: : set fileformat = unix   Finally save it :x! or :wq! Thats it! Try running the script again and the error would have disappeared.  
Read more

Send mail from Oracle Solaris OS with attached files

To send mail from Solaris, use this syntax echo "some text to send" | mailx -s "subject of email" recipient's@address Or, if you have body of email in some file: mailx -s "subject of email" recipient's@address < some_file.txt If you want to send mails with zip files of image files use the following formats: uuencode reports.tar.gz reports.tar.gz | mailx -s "My Report" you@domain.com     uuencode office.jpeg office.jpeg | mail -s "Subject" you@domain.com   If you need to send multiple attachments in single mail:   $ uuencode r1.tar.gz r1.tar.gz > /tmp/out.mail $ uuencode r2.tar.gz r3.tar.gz >> /tmp/out.mail $ uuencode r3.tar.gz r3.tar.gz >> /tmp/out.mail $ cat email-body.txt >> /tmp/out.mail $ mail -s "Reports" you@domain.com < /tmp/out.mail            
Read more