Home / server / Questions / 1002185
Accepted
bug_2
Asked: 2020-02-08 03:50:55 +0800 CST

Generate end-entity certificate with OpenSSL for localhost on IIS

  • 772

I would like to ask how to generate end entity certificate based on my own CA root certificate? I've generated root CA this way:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
    -keyout example.key -out example.crt -subj /CN=MyCompany \
    -addext subjectAltName=IP:192.168.100.82

openssl pkcs12 -export -out cert.pfx -inkey example.key -in example.crt

I have imported cer file to Windows Trusted Root Certification Authorities and pfx file into IIS Server Certificates.

It works well with Chrome, IE and Edge, but Firefox reports a problem with my cert: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY

I googled it and I learnt that I should have end-entity cert signed by my CA root cert. I was trying to generate end-entity cert with:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj /CN=MyCompanyEE -addext subjectAltName=IP:192.168.100.82
openssl x509 -req -in server.csr -CA cert.pem -CAkey example.key -CAcreateserial -out server.crt -days 3650 -sha256
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

OpenSSL response:

Signature ok
subject=CN = MyCompanyEE
Getting CA Private Key

I have imported server.pfx into IIS Server Certificates too, and changed bindings for my web app to use server cert, but now it doesn't work in either Firefox or Chrome.

Firefox says: SSL_ERROR_BAD_CERT_DOMAIN,

Chrome says: NET::ERR_CERT_COMMON_NAME_INVALID.

What I'm doing wrong?

ssl-certificate openssl iis-10 self-signed-certificate

1 Answers

  1. Best Answer

    I wasn't able to generate certificate with OpenSSL for local website (available in intranet at 192.168.100.82:997) so - according to @Crypt32 advice - I changed approach and I've used PowerShell. You can find my working solution below:

    1. Run PowerShell as administartor.

    2. Use below code for generating selfsigned root authority (MyCompany CA) and server (MyCompany) certificates:

      $authorityCert = New-SelfSignedCertificate `
-Subject "CN=MyCompany CA,OU=IT,O=MyCompany Certificate Authority,C=US" `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-KeyUsage CertSign, CRLSign, DigitalSignature, KeyEncipherment, DataEncipherment `
-KeyExportPolicy Exportable `
-NotBefore (Get-Date) `
-NotAfter (Get-Date).AddYears(10) `
-HashAlgorithm SHA256 `
-CertStoreLocation "Cert:\LocalMachine\My" `
-FriendlyName "MyCompany CA" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.19={critical}{text}ca=1")

$devCert = New-SelfSignedCertificate `
-Subject "CN=MyCompany,OU=App Test,O=MyCompany,C=US" `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-KeyUsage DigitalSignature, KeyEncipherment, DataEncipherment `
-KeyExportPolicy Exportable `
-NotBefore (Get-Date) `
-NotAfter (Get-Date).AddYears(10) `
-HashAlgorithm SHA256 `
-CertStoreLocation "Cert:\LocalMachine\My" `
-FriendlyName "MyCompany" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1", "2.5.29.17={text}IPAddress=192.168.100.82") `
-Signer $authorityCert

$directory = "C:\Users\bug_2\Certificates\"
if(!(test-path $directory))
{
  New-Item -ItemType Directory -Force -Path $directory
}
$authorityCertPath = 'Cert:\LocalMachine\My\' + ($authorityCert.ThumbPrint)
$authorityCertFilename = $directory + "Authority.cer"
Export-Certificate -Cert $authorityCertPath -FilePath $authorityCertFilename
$devCertPath = 'Cert:\LocalMachine\My\' + ($devCert.ThumbPrint)
$devCertFilename = $directory + "Dev.cer"
Export-Certificate -Cert $devCertPath -FilePath $devCertFilename

    3. Add root certificate to Trusted Root Certification Authorities in your system by press WIN+R, type: mmc, hit ENTER. In Microsoft Management Console choose File->Add or Remove Snap-ins and then, in new window, Certificates -> Add -> OK. Expand Certificates->Trusted Root Certification Authorities. Right click on Certificates catalog placed inside Trusted Root Certification Authorities and choose All Tasks->Import... and select Authority.cer file from C:\Users\bug_2\Certificates\. Apply changes and close Microsoft Management Console.

    4. You can finds your new certificates (root and server) in IIS without any extra steps. Choose your website in IIS, click Bindings...->Edit and select server certificate (MyCompany). Apply changes.

    5. My website is available now at https://192.168.100.82:997 on every web browsers (like Chrome, IE, Edge) except Firefox. For fix that run Firefox, type about:config in address bar and set security.enterprise_roots.enabled to true. Restart Firefox.

    Now my localwebsite is available in intranet at https://192.168.100.82:997.

    • 1