I'm trying to set up a script to generate SSL certificates for use with IIS. I'm trying to get certificates signed by a self-signed CA cert to work. I'm 99% there but something is still wrong. This is for use with MS Exchange SSL certs. I want to have long-life self-signed certificates and to have a root cert which I can install on devices like smartphones, which will allow me to trust other certs I have signed with it, like SSL certs.
This is what I'm doing:
/// create a private root cert
openssl genrsa -des3 -out work\Private-CA.key 2048
openssl req -new -x509 -days 3650 -key work\Private-CA.key -out work\Public-CA.CRT
/// Create an SSL cert request
openssl genrsa -des3 -out work\Certificate-Request.key 2048
openssl req -new -key work\Certificate-Request.key -out work\SigningRequest.csr
/// Sign the request with the root cert
openssl x509 -req -days 3650 -extensions v3_req -in work\SigningRequest.csr -CA work\Public-CA.CRT -CAkey work\Private-CA.key -CAcreateserial -out work\SSL-Cert-signed-by-Public-CA.CRT
The first 4 commands seem to be fine. The final command is generating a certificate which has the attributes I want.
I import the Public-CA.CRT into the machine store as a trusted root certificate. I then use Exchange's Import-ExchangeCertificate cmdlet to try and import SSL-Cert-signed-by-Public-CA.CRT. This fails with a message saying that the certificate is not trusted.
It would appear it is not being signed. If I import the SSL cert into the machine personal store, it also indicates that it doesn't have a certification route.
Can anyone with a better knowledge of this see what I'm missing?
As an aside: Is there any way, from the command line, of asking openssl if Certificate X has been signed by Certificate Y? This should work but doesn't:
openssl verify -cafile Public-CA.CRT SSL-Cert-signed-by-Public-CA.CRT
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
adding -purpose doesn't make matters any better.
You should be importing the CA's public key, not the private key, into the trusted roots store - the private key should never leave your CA.
Trust the CA's public key, and Exchange should then have no problem importing the newly generated certificate... though it sounds like you're only giving it the public key and not the Certificate-Request.key file? I'd recommend generating the certificate signing request from the Microsoft tools on the Exchange server and then signing it on the CA - or if you don't do that, at least package the key and certificate pair in a PKCS12 file to feed to the Exchange cmdlet, as it looks like that's the format it wants to use for any import of a private key: