Using OpenSSL to Request and Install an SSL Certificate

Recently I've needed to request a new SSL certificate for a website running on IIS6. The existing website has a certificate that I'm looking to replace, but as this was originally generated as a 1024-bit certificate, I cannot prepare a new request for the website through the IIS6 tools - I can only renew it.

Making & Testing the Certificate Request

Using OpenSSL to prepare the certificate request is simple, I'm running it on my Mac, but any piece of kit with OpenSSL installed will suffice.

openssl req -new -newkey rsa:2048 -nodes -keyout mycert_key.pem -out mycert_request.pem

Executing this will then request information about the certificate (i.e. Friendly/Common Name; Country/Region; State/Province; City; Organisation & Organisational Unit). Once run, both the private key and certificate request are saved to disk. You should send the certificate request to the issuing authority, keeping the private key safe, as you'll need this upon receipt of the certificate.

You can test that certificate's validity, and view the textual information contained within the certificate, by running the following statements:

openssl req -in mycert_request.pem -noout -verify -key mycert_key.pem
openssl req -in mycert_request.pem -noout -text

Chaining the Supplied Certificate with Intermediate Certificates

When you receive your certificate back from the issuing authority, you'll more-than-likely need to include any intermediate certificates - these join the trust relationship from the authority back to automatically trusted certificates installed within your web browser.

Assuming that you have a certificate (mycert.pem) and two intermediate certificates (mycert_int1.pem & mycert_int2.pem), the following will combine them into a single certificate, which we will later use with our private key (mycert_key.pem):

cat mycert.pem mycert_int2.pem mycert_int1.pem > mycert_chain.pem

Notice that this is done in reverse order, with the final intermediate certificate providing the final link back to the browser's accepted root certificate.

Testing the Received Certificate Against the Original Request and Private Key

Once you have received your certificate back from the issuing authority, you will want to check that the public portion of the keys match the private key used to generate the request:

openssl x509 -noout -modulus -in mycert.pem | openssl md5
openssl rsa -noout -modulus -in mycert_key.pem | openssl md5

The output of each command will be a portion of the public key - if the certificate matches the key, the values will be identical. In the event of the certificate and private key portions not matching, you can check the original certificate request:

openssl req -noout -modulus -in mycert_request.pem | openssl md5

Building the PKCS#12 File from Certificate & Private Key

Now that we have both the certificate and private key, we may want to combine the two into a single file. OpenSSL can do this, as follows:

openssl pkcs12 -export -out mycert.pfx -inkey mycert_key.pem -in mycert.pem

This file can then be imported into IIS.

Useful Tips: Exporting Certificate & Key from PFX File

Assuming that you have a PFX file (generally exported from within IIS), and you want to export both the certificate and private key, you can issue the following:

openssl pkcs12 -in ./mycert.pfx -clcerts -nokeys -out mycert.pem
openssl pkcs12 -in ./mycert.pfx -nocerts -nodes -out mycert_key.pem

Useful Tips: Issuing a Self-Signed Certificate for Development

Occasionally you may need to test your application using a certificate, but don't want to go through the costly exercise of purchasing development certificates. OpenSSL can be used to generate a self-signed certificate, which will for all intents and purposes behave in the same way as a purchased certificate - with the exception that you may receive trust warnings if you haven't explicitly trusted the certificate on each machine you view upon.

openssl genrsa -out mycert.key 2048
cp mycert.key mycert.key.old
openssl rsa -in mycert.key.old -out mycert.key
openssl req -new -x509 -nodes -sha1 -days 9999 -key mycert.key -out mycert.crt

You can then delete the mycert.key.old file as it is no-longer required.