Requesting SSL and Generation of PFX file in OpenSSL Simple Steps

Requesting SSL License and Generation of PFX file in OpenSSL in a few Simple Steps

I had some real issues when doing this the first time, mainly where I kept importing the crt file I received and it would disappear from IIS 7!

We will try and cover as many bases as possible...

Create a Certificate Request

Some providers can generate this for you, but you can also to this yourself.

I have done this with 123-Reg, but not any other providers yet. Other providers screen shots would be welcome!

In the example below, I have created a wildcard SSL for Claytabase. If you are not creating a wildcard then replace the * with www (or similar) and also used the folder My Documents.

IISExchange Server123-Reg

IIS

Exchange Server

I'm in the process of creating screen shots for this!

You will need to send this off to any of the SSL providers. Your hosting company should have an account and be able to do this for you as well.

123-Reg

I haven't taken screen shots yet, but during the set-up you will then get a download file, unpack to a suitable location, contents should include;

*.{domainname}.{domain}_csr.pem

private-key.key

private-key.password

README

Getting a Certificate

You will at some point receive an Email from the vendor, this is where it may get a bit confusing.

I only have an account with 123-reg, if you could send some details of what is provided by other companies please do!

123 - Reg

-----BEGIN CERTIFICATE-----

Vendor certificate text...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Your certificate text...

-----END CERTIFICATE-----

You should have two certificates, when I did them through 123-reg, the files need to be copied out of the email and into two new text files. If using notepad make sure you use UTF-8 encoding.

Save them in the folder you created for the key.

You now need to open both with Crypto Shell Extensions, double clicking them should open it.

Use the tab Details, and then copy to file

The type is Base-64 encoded X.509 (.cer)

Save one as *.{domainname}.{domain}.cer

And the other as rootca.cer

Spare for other providers

Get Open SSL

Install OpenSSL, you can get it from OpenSSL

Install this to its default location.

{subdomain}.{domainname}.{domain}.cer
rootca.cer
{subdomain}.{domainname}.{domain}.key

Getting a Certificate

Open cmd.exe

You will need to change your directory to the bin folder

cd\ c:\openssl-win32\bin

I ran into a problem with the default location, to change this run the following, thanks to Oneiroi. It will do no harm if you run this anyway!

set openssl_config=C:\openssl-win32\bin\openssl.cfg

I was also struggling to find the right commands in a simple example, thanks to Elgwhoppo for this.

With a Key

openssl pkcs12 –export –out {subdomain}.{domainname}.{domain}.pfx –inkey {subdomain}.{domainname}.{domain}.key –in {subdomain}.{domainname}.{domain}.cer –certfile rootca.cer

You will then be prompted for some passwords, these are as follows;

Pass Phrase, this is the password you created in the beginning
Enter Export Password, this will be a password to import the .pfx file
Verifying – Enter Export Password, confirm your new password

You will now have a new .pfx file in the bin directory.

If you come across any situations that are different then please let me know!