Thursday, September 1, 2011

Creating certificates with SANs using OpenSSL

IIS 7 provides some easy-to-use wizards to create SSL certificates, but they are not very powerful. What I needed was to create SSL certificates that included an X.509 v3 extension, namely subject alternative names, a.k.a. SANs. SANs allow a website certificate to validate incoming requests under more than one domain name. This is really important when the web server hosts web services such as WCF services and other web services connect to them over SSL, as in service-oriented architectures. Unless special code is added to the web services to override the default SSL validation handler routines, the common name (CN) of the certificate MUST match the domain in the incoming request URL. So if the request was made using an FQDN, the certificate must carry that FQDN as the CN or as a SAN; an IP address or a bare hostname alone will cause an SSL validation error and the connection will fail.

SANs to the rescue… SANs support, among other things, DNS names and IP addresses. By creating the certificate with SANs for the server's FQDN and IP address, we increase the ways in which other web services can connect to it.

There are a number of tools that can generate certificates: makecert.exe, keytool.exe (Java), selfssl.exe and openssl.exe. In addition, starting with Windows Vista and Server 2008, Microsoft added the CertEnroll API, which can also create certificates programmatically through COM interfaces.

OpenSSL ended up doing exactly what I needed. The process was fairly straightforward.

1) Construct an OpenSSL config file.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = MyServerName
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = MyServerName
DNS.2 = 10.0.1.34
IP.1 = 10.0.1.34
IP.2 = 192.167.20.1

2) Create the self-signed X.509 certificate (and its private key) with OpenSSL

openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\cert.pem -out C:\cert.pem -config C:\PathToConfigFileAbove.txt

3) Create a PFX containing the keypair

openssl.exe pkcs12 -export -out C:\cert.pfx -in C:\cert.pem -name "My Cert" -passout pass:mypassword

4) Import the PFX into IIS using the import link in the server certificates area.

5) Bind the certificate to the IIS websites.

And voilà, we now have an SSL certificate for IIS with SANs, so we can connect using multiple domain names without certificate validation errors.
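The matching rule described above, as a TLS client applies it after the chain validates: the CN is only a fallback when there is no SAN extension, and the FQDN or IP literal actually requested must appear among the SANs. This is an added example, not code from the post; the SANS list reproduces the [alt_names] section above, and the strict flag is this example's own switch between RFC 6125 behaviour (an IP literal matches only IP entries) and the lenient IP-in-DNS matching that the DNS.2 entry relies on.

```python
import ipaddress

# SAN entries as written in the post's [alt_names] section. Note that
# DNS.2 stores an IP literal as a DNS name; strict clients ignore that.
SANS = [
    ("DNS", "MyServerName"),
    ("DNS", "10.0.1.34"),
    ("IP", "10.0.1.34"),
    ("IP", "192.167.20.1"),
]


def _dns_match(pattern, host):
    """Case-insensitive DNS-name match. A leading '*' wildcard label
    matches exactly one label (RFC 6125, section 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_san(requested, sans, cn=None, strict=True):
    """Return True if the name the client connected with is covered.

    requested: hostname or IP literal taken from the request URL.
    sans:      list of (type, value) pairs; empty means no SAN extension.
    cn:        subject CN, consulted only when there are no SANs (legacy
               fallback), which is why a CN-only cert covers one name.
    strict:    if True an IP literal matches only IP entries, as RFC 6125
               clients behave; if False it may also match a DNS entry with
               identical text (the lenient behaviour DNS.2 above relies on).
    """
    if not sans:
        return cn is not None and _dns_match(cn, requested)
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
            if kind == "DNS" and not strict and value == requested:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False
```

Run against the post's list, a request for MyServerName or either IP address matches, while a request for an FQDN that is not listed fails exactly as the post describes.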

2 comments:

  1. Nice article, but when I run the export command I get an error that OpenSSL is no longer responding and the PFX file it creates is 0KB. Just curious if you'd seen that before.

    Thanks!

    ML

  2. Never mind, I had the x86 version installed on my computer instead of the x64 version.

    ML
