DEV Community

Cover image for Make IIS Certificate based on request.
Fernando Ochoa Olivares
Fernando Ochoa Olivares

Posted on

Make IIS Certificate based on request.

OpenSSL Guide

Image description

IIS Certificates

Image description

Follow this tutorial

Downlad latest version of OpenSSL.

[https://www.firedaemon.com/firedaemon-openssl]

That's the latest version, compiled pretty nicely, supports more aes modes.

Use the next command on Terminal, to create a private key for Your IIS Certificate Request.

Terminal icon.
`
Image description

The command being issued, after a while it will ask for a password.

Image description

Specify it two times, same password. It'd better be a good alpha numeric with special symbols password, more than 12 characters, at least. Call me crazy, but better safe than sorry.

Image description


openssl genrsa -aes256 -f4 -rand .\largefile.iso -out .\ca.key 16384

Got not a single idea why everybody sets this special key to be broken by a rainbow table attack, and specifies without even knowing -des3, instead of -aes256, des3 has been fully cracked and deprecated for example on [https://github.com/pyca/cryptography]

Here is an image about TripleDES.

Image description

About AES 256 strength.

Image description


openssl genrsa -aes256 -f4 -rand .\largefile.iso -out .\ca.key 16384

More about this command, refer to openssl manual.

[https://docs.openssl.org/1.0.2/man1/genrsa/]

I specify -f4 which is to base of 65537, and the key is 16384 bits long. To make it stranger and adjust the algorithm to my needs. Also I specify a file for more random generated private key.

Image description

After that click Windows key or icon, and write IIS

Click on the next icon.

Image description

On the root of IIS. Double click on Server Certificates.

Image description

Now click on Create Certificate Request.

Image description

On the data of the certificate specify exactly what You got on openssl.cnf file. In my case.

Image description

Then establish it to Microsoft RSA SChannel Cryptographic Provider, set the key length to the bits of the private key which You desire the most. My private key is set to 16384 bits. Which is way too much for a certificate to break, therefore way slower. Set it to 4096 bits, that is more than enough.

Image description

After that save the request in a txt file. See carefully where You save it.

Image description

I save the file as requestcert.txt

Image description

These are the partial contents of the txt file.

Image description

Go back to the Terminal.

After writing two times the password.

The ca.key file will be created.

Now issue this command specifiying on folder the configuration given by yourself in a openssl.cnf file

Get the file on this repository [https://github.com/fochoa8/IIS-Certificate-By-Request/blob/master/openssl.cnf]

Image description

Download it and place it in a folder where You create Your own certificates.

In my case.


openssl req -x509 -new -nodes -sha384 -days 365 -key .\ca.key -out .\IISRootCA.crt -config .\openssliis.cnf

Image description

Here is the command that follows.


openssl pkcs12 -export -out .\RootCA.pfx -inkey .\ca.key -in .\IISRootCA.crt

Image description

Double click RootCA.pfx and open with Shell Crypto Extensions.

Image description

In this dialog click Next.

Image description

After that the same, click Next.

Image description

I use these settings normally.

Image description

Click Next. Then select second option and click Browse... select, Trusted Root Certificate Authority folder, as certificate import.

Image description

Image description

Now click Finish.

Image description

It will ask if You want to install the certificate, click Yes.

Image description

Image description

Now open the file again, do the same steps but in the Browse... step, click on Personal. Then click Next, then Finish.

Image description

Image description

After that repeat the step, except on first dialog, you are going to select Local Machine.

Image description

Then fill this with the same password You entered on last command.

Image description

After that place the certificate on Folder named Web Hosting.

Image description

Go back to IIS Server now, restart the server.

Image description

Now click on Server Certificates.

Image description

After that You will see the certificate right there.

Image description

Now go to sites and click on Default Web Site. And click on Bindings...

Image description

Then click on Add...

Here I only enable TLS in version 1.3 making it harder to crack.

Specify Your own computer name hostname. Mine is razerblade.

Select the SSL Certificate you created.

Image description

Check timestamp and expiration date.

Image description

If all is working. Press OK. Now Restart the server of Default Web Site.

Image description

Then click on the links on IIS on port 443.

Image description

This is how it looks fully working.

Image description

Image description

Image description

Image description

Image description

And finally, the default site.

Image description

Key takeaways

Always use top security for Your production servers.

Let's Encrypt option I never use it, but depends on each person, the end user is the one who will be subject to said decisions.

I made this tutorial so as to show You how to create a total custom Certificate on IIS made with OpenSSL.

Top comments (0)