 

Certificate Generation using OpenSSL

Server 2008 Certificate Generation using OpenSSL

Windows Server 2008 generates its certificate requests in UTF8-encoded format. This format was not supported by the free Janet GlobalSign certificates previously provided by the Computing Service. To get around this and to make use of the free Janet certificates at the time, we created these instructions for use with IIS7. The new certificates, as provided by Comodo, can be requested using the certificate request feature in IIS; you can still use OpenSSL for Windows on your Server 2008 or 2008 R2 system to generate the certificate request and to convert the certificate so you can import it into IIS.

To start you will need to get OpenSSL for Windows from

You will need a relevant copy of OpenSSL and the Visual C++ 2008 Redistributables. Download and install both on a system.

Once installed, open a command shell, navigate to the /bin folder (or set the path) and generate your key with the following command:

  • openssl genrsa -des 2048 > key.pem

You will be prompted for a passphrase for your key file.

Once created, you can generate a certificate request with:

  • openssl req -new -key key.pem -out (fqdn of server).csr

You will be prompted to enter the passphrase for your private key. The following prompt is then displayed:

  • Loading 'screen' into random state - done
  • You are about to be asked to enter information that will be incorporated into your certificate request
  • What you are about to enter is what is called a Distinguished Name or DN
  • There are quite a few fields but you can leave some blank
  • For some fields there will be a default value, if you enter '.' the field will be left blank

Enter the relevant information for the system you are generating the request for; an example entry is shown below. Certain data is fixed for University of Cambridge institutions: Country Name, State or Province Name, Locality Name and Organization Name. These fields must be as per the example. Organizational Unit Name is the name of your Department or College.

Refer to the instructions at http://www.cam.ac.uk/cs/tlscerts/applying-janet.html
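
As an added example (not part of the original instructions), the key and request steps above can be run non-interactively and the request checked before it is submitted: the script counts subject attributes encoded as UTF8String, the format the introduction says the earlier certificates did not support, and confirms that the request belongs to the key. The subject values, passphrase, file names and function names are constructed; AES-256 is used for the key file in place of -des, and string_mask is OpenSSL's request-configuration setting for string types.

```shell
#!/bin/sh
# Added example. Subject values and passphrase below are constructed.
set -eu

# make_request DIR FQDN MASK: encrypted 2048-bit key plus CSR in DIR.
# MASK is OpenSSL's string_mask: nombstr avoids UTF8String, utf8only forces it.
make_request() {
    dir=$1; fqdn=$2; mask=$3
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
string_mask = $mask
distinguished_name = dn
[dn]
C = GB
ST = Example County
L = Example Town
O = Example Organisation
OU = Example Department
CN = $fqdn
EOF
    # AES-256 protects the key file (assumption: chosen here in place of -des).
    # The passphrase comes from the environment, not the command line.
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
        -passin env:KEY_PASS -out "$dir/$fqdn.csr"
}

# Number of subject attributes encoded as UTF8String (0 = none).
csr_utf8_count() {
    openssl asn1parse -in "$1" | grep -c 'UTF8STRING' || true
}

# True if the CSR self-signature verifies and its modulus equals the key's.
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(openssl req -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -passin env:KEY_PASS -noout -modulus)" ]
}

KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
work=$(mktemp -d)
make_request "$work" server.example.org nombstr
csr="$work/server.example.org.csr"
echo "UTF8String attributes: $(csr_utf8_count "$csr")"
csr_matches_key "$csr" "$work/key.pem" && echo "CSR matches key.pem"
```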

Installing the Certificate in IIS

You will receive an email from GlobalSign/UKERNA which will contain multiple certificate types. For this method you must select the .pem certificate. On receipt of your .pem file you will need to convert it to a format that can be imported into IIS7.

The email which you receive with the returned certificate also contains links to install the Cybertrust Educational CA, which you should do.

On the system with OpenSSL, open a command shell and run the following command (first copying the .pem file to the system):

  • openssl pkcs12 -export -in pemfile -inkey (keyfile name) -out (pfx file name) -name (name for the certificate)

The -name switch isn't essential but will give the certificate a name which is displayed in the IIS server certificate manager.

To install the certificate in IIS7, open the IIS manager, select the server and then Server Certificates. On the right pane there is an Import option. Select this, browse to the saved file, enter the passphrase and import. You may need to refresh the window to see the imported certificate.