How to setup a self signed SSL certificate on IIS6 using OpenSSL on a Windows 2003 server

Per request, I threw together a couple of quick videos on this topic:

Part 1 of 3

Part 2 of 3

STEP 1. -> openssl genrsa -des3 -out server.key 2048
The 'genrsa' command generates a 2048-bit RSA private key and encrypts it with the triple DES cipher (you'll be prompted for a passphrase).

STEP 2. -> openssl req -new -key server.key -out server.csr
The 'req' command creates and processes certificate requests. In this statement the 'req' command will
create a new certificate request file named server.csr using the server.key private key generated in the previous step.

Now that we've created a CSR (Certificate Signing Request), we need to self-sign the request. Normally, you would pay a trusted third-party security company such as Verisign, Thawte (pronounced "Thought"), GeoTrust, or GoDaddy to process/sign your certificate request file and return a signed certificate that you'd install on your web server or load balancer. In this case, we're going to self-sign the certificate, in essence becoming our own Certificate Authority.

STEP 3. -> openssl genrsa -des3 -out ca.key 2048
The 'genrsa' command generates a 2048-bit RSA private key for the CA and encrypts it with the triple DES cipher (again, you'll be prompted for a passphrase).

STEP 4. -> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
This command creates a self-signed Certificate Authority certificate, valid for 365 days, using the RSA private key generated in the previous step.

STEP 5. -> openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
This command signs the server certificate request file (from STEP 2) with our CA's key and certificate, and outputs a self-signed certificate file that is valid for 365 days.

STEP 6. -> openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -name "MyTestCert"
This command converts the server certificate from PEM format (ASCII) to PFX format (PKCS#12, the binary format that Windows/IIS imports).
However, the tradeoff is that this command does expose your CA's private key, so just be aware of that.
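The six steps above, run end to end as a script and followed by two checks worth doing before the .pfx goes onto the IIS box: that server.crt actually validates against ca.crt, and that the .pfx really does carry a private key (so it must be protected in transit). This is an added example, not the post's own commands: the -passout/-passin and -subj arguments replace the interactive prompts, and the passphrases, distinguished names and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: STEP 1-6 run end to end with no
# interactive prompts, then two checks to run before handing server.pfx to IIS.
# Passphrases, DNs and directory names are constructed for the demo.
CA_PASS="ca-demo-pass"         # replaces the -des3 passphrase prompt for ca.key
SRV_PASS="server-demo-pass"    # replaces the -des3 passphrase prompt for server.key
PFX_PASS="pfx-demo-pass"       # export password IIS asks for when importing the .pfx

# Produces ca.key ca.crt server.key server.csr server.crt server.pfx inside "$1".
make_self_signed_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    # STEP 1: 2048-bit RSA server key, encrypted with triple DES (-passout feeds the passphrase)
    openssl genrsa -des3 -passout "pass:$SRV_PASS" -out server.key 2048 2>/dev/null || exit 1
    # STEP 2: CSR for that key; -subj supplies the DN instead of prompting. The CN must be
    # the host name clients will type, otherwise browsers warn even when the CA is trusted.
    openssl req -new -key server.key -passin "pass:$SRV_PASS" \
        -subj "/C=US/O=Example Lab/CN=www.example.test" -out server.csr || exit 1
    # STEP 3 and 4: CA key plus its self-signed certificate (the root you will later trust)
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
        -subj "/C=US/O=Example Lab/CN=Example Lab Test CA" -out ca.crt || exit 1
    # STEP 5: CA signs the CSR. -set_serial 01 follows the post; a CA must never reuse a
    # serial, so bump it (or switch to -CAcreateserial) for every further certificate.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -set_serial 01 -out server.crt 2>/dev/null || exit 1
    # STEP 6: certificate plus server private key packed as PKCS#12 (.pfx) for IIS import
    openssl pkcs12 -export -in server.crt -inkey server.key -passin "pass:$SRV_PASS" \
        -name "MyTestCert" -passout "pass:$PFX_PASS" -out server.pfx || exit 1
)

# Check 1: server.crt validates against ca.crt, which is exactly what a client that has
# imported ca.crt as a trusted root will compute.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Check 2: the .pfx carries the server private key, so treat and transport it like one.
pfx_has_private_key() {
    openssl pkcs12 -in "$1/server.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

# Demo run in ./iis6-demo (constructed directory name)
make_self_signed_chain ./iis6-demo && verify_chain ./iis6-demo && pfx_has_private_key ./iis6-demo \
    && echo "server.crt chains to ca.crt and server.pfx contains the private key"
```

On the Windows 2003 box the same openssl.exe commands apply; only the path separators and the import into IIS (via the site's Directory Security tab) differ.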

Part 3 of 3
