Using SSLeay to generate site and client certificates
for Microsoft Internet Information Server

Phillip Wherry
12 January 1997

Overview

This document describes the process for creating one's own certificate authority (CA), then using that CA to sign key requests for Microsoft's Internet Information Server (IIS) on Windows NT. The software used to do this is distributed as part of the SSLeay freeware SSL implementation. This document assumes that you've already successfully compiled SSLeay, and the configuration file is in the standard location, /usr/local/ssl/lib/ssleay.cnf.

Step 1: Construct a Certificate Authority

Use the command:

req -config /usr/local/ssl/lib/ssleay.cnf -x509 -new -days 365 >cacert.pem

(This will build a new self-signed CA certificate which expires in a year. req prompts for the CA's distinguished-name fields and for a pass phrase, and writes the pass-phrase-encrypted private key to privkey.pem. Keep privkey.pem off the Web server and away from anything world-readable: whoever holds it can issue certificates that every browser trusting cacert.pem will accept.)

Step 2: Extract a DER-format copy of the newly-created CA certificate. (The certificate carries only the CA's public key; the private key stays in privkey.pem.)

x509 -inform pem -outform der <cacert.pem >cacert.der

Now copy the .der file to a Web server document directory. You may want to rename it to end in .cct or .cacert. The Web server needs to be configured to deliver these files as MIME type application/x-x509-ca-cert so that the user's Web browser recognizes the download as a CA certificate to install rather than as an unknown binary file.

To do this, look in the registry at:

HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Services
\InetInfo
\Parameters
\MimeMap

Add a REG_SZ value whose name is:

application/x-x509-ca-cert,cct,,5

and whose data is an empty (null) string.

Note that there are two commas before the number 5 (which is the Gopher type for this object).

It’s necessary to stop and restart the WWW server (if not reboot) to make this take effect. I had trouble getting the change to be recognized until I rebooted.

Step 3: Generate the key request

Use the IIS Key Manager to generate a key request. It's very important that the "Server name" field be filled in with the fully qualified DNS name of the machine, exactly as users will type it in the https:// URL: the browser compares the name in the certificate against the host name in the URL, and a certificate issued to any other name won't work. A .req file will result; for this example, we'll assume it's called key.req.

Step 4: Sign the key

x509 -req -CAcreateserial -CA cacert.pem -CAkey privkey.pem -days 365 -in key.req -out key.cert

(You will be prompted for the pass phrase protecting privkey.pem. -CAcreateserial creates the serial-number file cacert.srl the first time it is used; keep that file with the CA so that later certificates get distinct serial numbers. The resulting key.cert is the server certificate, valid for a year.)

Step 5: Install the key

Using the IIS Key Manager, install the key certificate.
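The command-line parts of the procedure above (Steps 1, 2 and 4), scripted so they run unattended, with two checks a practitioner would want before handing the certificate to Key Manager. This is an added example, not part of the original page. Assumptions: it is written for the openssl front-end (SSLeay's successor), which keeps the same req, x509 and verify subcommands and the same flags the page uses; set SSLTOOL=ssleay to run it against the SSLeay binary instead. The -subj, -newkey, -nodes and -passout/-passin options are added so nothing prompts; the page's commands prompt interactively. Because Key Manager is a GUI, Step 3 is stood in for by an equivalent request built with req, and the names www.example.com, Example Root CA and the pass phrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: scripted CA creation, DER export and request signing,
# followed by local checks. Not code from the original page.
set -e

SSLTOOL="${SSLTOOL:-openssl}"          # assumption: openssl or ssleay front-end
WORK="${WORK:-$(mktemp -d)}"           # all files land here (cacert.pem, privkey.pem, ...)
SERVER_NAME="www.example.com"          # constructed; use the IIS host's real DNS name
export CA_PASS="${CA_PASS:-demo-pass-phrase}"   # demo pass phrase for privkey.pem

# Step 1: self-signed CA certificate (cacert.pem) plus encrypted CA key (privkey.pem).
# -subj replaces the interactive DN prompts; -passout the pass-phrase prompt.
make_ca() {
    "$SSLTOOL" req -x509 -new -days 365 -newkey rsa:2048 \
        -subj "/O=Example Test CA/CN=Example Root CA" \
        -keyout "$WORK/privkey.pem" -passout env:CA_PASS \
        -out "$WORK/cacert.pem"
}

# Step 2: DER copy of the CA certificate for browsers to download.
export_ca_der() {
    "$SSLTOOL" x509 -inform pem -outform der <"$WORK/cacert.pem" >"$WORK/cacert.der"
}

# Check: the DER file and the PEM file carry the same certificate.
der_matches_pem() {
    pem=$("$SSLTOOL" x509 -in "$WORK/cacert.pem" -inform pem -noout -fingerprint)
    der=$("$SSLTOOL" x509 -in "$WORK/cacert.der" -inform der -noout -fingerprint)
    [ -n "$pem" ] && [ "$pem" = "$der" ]
}

# Step 3 stand-in: Key Manager is a GUI, so build an equivalent request here.
# The CN must be the DNS name clients will put in the https:// URL (the page's
# "Server name" field); the browser rejects a certificate issued to another name.
make_server_request() {
    "$SSLTOOL" req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Site/CN=$SERVER_NAME" \
        -keyout "$WORK/server.key" -out "$WORK/key.req"
}

# Step 4: sign the request with the CA key. -CAcreateserial writes cacert.srl on
# first use; -passin supplies the pass phrase that unlocks privkey.pem.
sign_request() {
    "$SSLTOOL" x509 -req -CAcreateserial -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/privkey.pem" -passin env:CA_PASS \
        -days 365 -in "$WORK/key.req" -out "$WORK/key.cert"
}

# Check: before installing in Key Manager, confirm key.cert chains to cacert.pem
# and names the server the way users will address it.
verify_server_cert() {
    "$SSLTOOL" verify -CAfile "$WORK/cacert.pem" "$WORK/key.cert" >/dev/null &&
    "$SSLTOOL" x509 -in "$WORK/key.cert" -noout -subject | grep -q "CN *= *$SERVER_NAME"
}

run_all() {
    make_ca && export_ca_der && der_matches_pem &&
    make_server_request && sign_request && verify_server_cert
}

run_all && echo "key.cert chains to cacert.pem; files are in $WORK"
```

Only key.cert goes to the IIS machine; the .req it was made from already matches the key Key Manager generated there. cacert.der (renamed .cct) goes to the document directory from Step 2, and privkey.pem, cacert.srl and server.key stay with the CA.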

Step 6: Verify using a browser.

First, use the Web browser to download the CA certificate (the .cct file from Step 2) from the server and accept it as a certificate authority. Once the CA is installed in your browser, you should be able to use an https:// URL to access the site without a warning.

 


[Home page] - Phillip Wherry - psw@wherry.com