OpenSSL Guide

IIS Certificates

Follow this tutorial

Downlad latest version of OpenSSL.

[https://www.firedaemon.com/firedaemon-openssl]

That's the latest version, compiled pretty nicely, supports more aes modes.

Use the next command on Terminal, to create a private key for Your IIS Certificate Request.

Terminal icon.
`

The command being issued, after a while it will ask for a password.

Specify it two times, same password. It'd better be a good alpha numeric with special symbols password, more than 12 characters, at least. Call me crazy, but better safe than sorry.


openssl genrsa -aes256 -f4 -rand .\largefile.iso -out .\ca.key 16384


Got not a single idea why everybody sets this special key to be broken by a rainbow table attack, and specifies without even knowing -des3, instead of -aes256, des3 has been fully cracked and deprecated for example on [https://github.com/pyca/cryptography]

Here is an image about TripleDES.

About AES 256 strength.


openssl genrsa -aes256 -f4 -rand .\largefile.iso -out .\ca.key 16384


More about this command, refer to openssl manual.

[https://docs.openssl.org/1.0.2/man1/genrsa/]

I specify -f4 which is to base of 65537, and the key is 16384 bits long. To make it stranger and adjust the algorithm to my needs. Also I specify a file for more random generated private key.

After that click Windows key or icon, and write IIS

Click on the next icon.

On the root of IIS. Double click on Server Certificates.

Now click on Create Certificate Request.

On the data of the certificate specify exactly what You got on openssl.cnf file. In my case.

Then establish it to Microsoft RSA SChannel Cryptographic Provider, set the key length to the bits of the private key which You desire the most. My private key is set to 16384 bits. Which is way too much for a certificate to break, therefore way slower. Set it to 4096 bits, that is more than enough.

After that save the request in a txt file. See carefully where You save it.

I save the file as requestcert.txt

These are the partial contents of the txt file.

Go back to the Terminal.

After writing two times the password.

The ca.key file will be created.

Now issue this command specifiying on folder the configuration given by yourself in a openssl.cnf file

Get the file on this repository [https://github.com/fochoa8/IIS-Certificate-By-Request/blob/master/openssl.cnf]

Download it and place it in a folder where You create Your own certificates.

In my case.


openssl req -x509 -new -nodes -sha384 -days 365 -key .\ca.key -out .\IISRootCA.crt -config .\openssliis.cnf


Here is the command that follows.


openssl pkcs12 -export -out .\RootCA.pfx -inkey .\ca.key -in .\IISRootCA.crt


Double click RootCA.pfx and open with Shell Crypto Extensions.

In this dialog click Next.

After that the same, click Next.

I use these settings normally.

Click Next. Then select second option and click Browse... select, Trusted Root Certificate Authority folder, as certificate import.

Now click Finish.

It will ask if You want to install the certificate, click Yes.

Now open the file again, do the same steps but in the Browse... step, click on Personal. Then click Next, then Finish.

After that repeat the step, except on first dialog, you are going to select Local Machine.

Then fill this with the same password You entered on last command.

After that place the certificate on Folder named Web Hosting.

Go back to IIS Server now, restart the server.

Now click on Server Certificates.

After that You will see the certificate right there.

Now go to sites and click on Default Web Site. And click on Bindings...

Then click on Add...

Here I only enable TLS in version 1.3 making it harder to crack.

Specify Your own computer name hostname. Mine is razerblade.

Select the SSL Certificate you created.

Check timestamp and expiration date.

If all is working. Press OK. Now Restart the server of Default Web Site.

Then click on the links on IIS on port 443.

This is how it looks fully working.

And finally, the default site.

Key takeaways

Always use top security for Your production servers.

Let's Encrypt option I never use it, but depends on each person, the end user is the one who will be subject to said decisions.

I made this tutorial so as to show You how to create a total custom Certificate on IIS made with OpenSSL.