09 Jul 2009

OpenSSL: Self-Sign SSL Certificate for OWA

I recently had to renew the self-signed SSL certificate I use to publish Outlook Web Access with Microsoft ISA Server 2004. As it had been a while since I last did OWA publishing, I found myself scrambling for information on the internet until I eventually managed to compile this document. As I would like to use this again in the future, I thought I'd post it here for reference.

I always used to use the Microsoft Windows Certification Authority to sign my own SSL certificates, but I don't really like the way the Windows Certification Authority does things and I do like the way OpenSSL does things, so I opted to use OpenSSL on good old trustworthy openSUSE Linux to:

  • Create a new Certification Authority that I can use for all my private sites
  • Create a new x509 SSL Certificate to replace the current soon-to-expire SSL certificate in use by my OWA setup.

I used OpenSSL on Linux, but OpenSSL is also available for Windows; if you would rather use it there, you can download it from:

http://www.slproweb.com/products/Win32OpenSSL.html

Let’s get cracking:

On openSUSE 10.2, OpenSSL (if installed) will have its configuration file at /etc/ssl/openssl.cnf

Normally I create a new directory in /etc/ssl/ for every new CA that I create. I now need to create a new Certification Authority (CA) called VirtualVCP Secure Services, so first let’s create the directory for the new CA:

mkdir -p /etc/ssl/virtualvcp-ca/CA

In order to create the new CA and request and sign new certificates with OpenSSL, there’s a handy script bundled with OpenSSL called CA.pl. We now need to copy that CA.pl file to the /etc/ssl/virtualvcp-ca/ directory in order to create the new CA.

cp -pv /usr/share/ssl/misc/CA.pl /etc/ssl/virtualvcp-ca/

Before we can create the new CA, we need to edit the OpenSSL configuration. But first, make a backup copy of the openssl configuration file /etc/ssl/openssl.cnf:

cp -pv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak

Using vi or nano, edit /etc/ssl/openssl.cnf and change the following lines to look like this (change only these two lines):

dir          = ./CA
default_days = 1825

Save the file and exit the editor.

We now also need to make a couple of small changes to the CA.pl file we copied to the /etc/ssl/virtualvcp-ca/ directory.

Use vi or nano to edit /etc/ssl/virtualvcp-ca/CA.pl and change the following lines to look like this:

$DAYS="-days 1825";
$CADAYS="-days 3650";
$CATOP="./CA";

Save the file and exit the editor.

Now we can go ahead with creating the new Certification Authority:

cd /etc/ssl/virtualvcp-ca
./CA.pl -newca
Press Enter when asked for a CA certificate filename (leaving it blank tells CA.pl to create a new CA).
Enter a passphrase that will be used to sign new certificate requests. Don't forget what you've entered here, otherwise you won't be able to sign new certificates with this CA.
Re-enter the passphrase.

The information entered at the following prompts will be included in your CA certificate.

Enter Country Code: GB
Enter State or Province Name: Hertfordshire
Locality: Broxbourne
Organization Name: VirtualVCP Secure Services
Organizational Unit Name: Secure Hosting Services
Common Name: VirtualVCP Secure Services
Challenge Password:
Optional Company Name: []
Enter the CA passphrase

The CA is now created and ready to sign certificate requests from /etc/ssl/virtualvcp-ca/CA/

OpenSSL has placed all the files for the new Certification Authority in:

/etc/ssl/virtualvcp-ca/CA

The new CA Certificate is located at:

/etc/ssl/virtualvcp-ca/CA/cacert.pem

To import the new CA certificate into the Trusted Root Certification Authorities store in Windows, we want this file in DER (.cer) format, so we now have to convert the cacert.pem file:

cd /etc/ssl/virtualvcp-ca/CA
openssl x509 -outform DER -in ./cacert.pem -out ./cacert_virtualvcp.cer

This cacert_virtualvcp.cer file can now be copied to and imported into the Trusted Root Certification Authorities Store in Windows. This is also the file that all clients will have to import into their Trusted Root Certification Authorities store in order for the client to trust certificates signed by this new CA.

Now that we have our new Certification Authority set up, we can request a new certificate from it:

cd /etc/ssl/virtualvcp-ca
./CA.pl -newreq
Enter a passphrase for the private key (Don’t ever forget what you’ve entered!)
Re-enter the passphrase

The information entered at the following prompts will be included in your signed certificate.

Enter Country Name: GB
State or Province Name: Hertfordshire
Locality Name: Broxbourne
Organisation Name: SpiesR Secure Hosting
Organisational Unit Name: Secure Hosting
Common Name (this must match the website name that will use the new certificate): webmail.spiesr.com
Email Address: […]
Challenge Password: blank
Optional Company Name: blank


Once the request has been created, we can use the CA to sign it:

cd /etc/ssl/virtualvcp-ca/
./CA.pl -sign

Enter the CA's passphrase.
Review the information in the certificate request. If happy, sign it by answering y to both prompts (sign the certificate, then commit it to the CA database).


Get organised!

Create a new directory to file away the new certificate files:

mkdir -p /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/

Move the certificate files generated to that new directory: 

cd /etc/ssl/virtualvcp-ca
mv ./*.pem ./signed/spiesr.com/webmail.spiesr.com/

Rename them to more appropriate names:

cd /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/
mv ./newcert.pem ./cert_webmail.spiesr.com.pem
mv ./newkey.pem ./key_webmail.spiesr.com.pem
mv ./newreq.pem ./req_webmail.spiesr.com.pem

So, the new self-signed x509 SSL certificate is now located at:

/etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/cert_webmail.spiesr.com.pem

OpenSSL creates certificate files with the .pem extension. As we did with the CA certificate, we can export these files to DER (.cer) format for use within Windows.

For publishing Outlook Web Access with ISA Server, we need to export two versions of this cert_webmail.spiesr.com.pem file. The first version is in DER format. The second version is a PKCS#12 file (.pfx) and should be handled with extreme care and kept confidential, as it contains the private key as well as the certificate. This is the file needed for publishing Outlook Web Access with Microsoft ISA Server.

Export the cert_webmail.spiesr.com.pem file to a DER (.cer) file:

cd /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/
openssl x509 -outform DER -in ./cert_webmail.spiesr.com.pem -out ./cert_webmail.spiesr.com.cer

Now export the certificate and private key into the same file (PKCS#12):

openssl pkcs12 -export -out ./pk_cert_webmail.spiesr.com.pfx -inkey ./key_webmail.spiesr.com.pem -in cert_webmail.spiesr.com.pem
Enter the passphrase for the key_webmail.spiesr.com.pem file (this is the passphrase you set when creating the certificate request):
Enter the new export password:
Re-enter Export Password:


There is now a new file called pk_cert_webmail.spiesr.com.pfx. This is the file you will have to import into the computer account's personal certificate store in order to publish Outlook Web Access with ISA Server. Once it has been imported into your Exchange server and ISA server, delete all copies of this file from the Windows servers as well as the OpenSSL server. You can always export the certificate and key again if need be.
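For reference, here is the whole workflow above (new CA, certificate request, signing, DER export and PKCS#12 export) as one script. This is an added example, not the post's own commands: it uses plain openssl commands with a private config file instead of CA.pl and /etc/ssl/openssl.cnf, and it signs the request with openssl x509 -req rather than CA.pl -sign, so no CA database is needed. It also adds the checks worth running before anything is copied to Windows: comparing the DER and PEM fingerprints, verifying the chain and hostname the way a client would, and reading the .pfx back with its export password. All paths, subject names, hostnames and passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's commands): the post's CA/request/sign/export workflow
# with plain openssl(1) calls and a private config, plus pre-import checks.
# Paths, names and passphrases below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory, assumed writable
CA_DIR="$WORK/CA"                             # same layout as the post's ./CA
SITE_DIR="$WORK/signed"
CA_PASS="${CA_PASS:-example-ca-pass}"         # guards the CA key (the CA.pl -newca prompt)
KEY_PASS="${KEY_PASS:-example-key-pass}"      # guards the server key (the -newreq prompt)
PFX_PASS="${PFX_PASS:-example-export-pass}"   # PKCS#12 export password

# Private config so the result does not depend on whichever openssl.cnf is installed.
# v3_ca marks the root as a CA that may sign certificates and CRLs, nothing else.
write_config() {
    mkdir -p "$CA_DIR/private" "$SITE_DIR"
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Equivalent of CA.pl -newca: a 10-year self-signed root (the post's $CADAYS) plus the
# DER copy that Windows imports into Trusted Root Certification Authorities.
make_ca() {
    write_config
    openssl req -config "$WORK/ca.cnf" -x509 -new -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/C=GB/O=Example Secure Services/CN=Example Secure Services CA" \
        -passout "pass:$CA_PASS" -keyout "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" 2>/dev/null
    openssl x509 -in "$CA_DIR/cacert.pem" -outform DER -out "$CA_DIR/cacert.cer"
}

# SHA-256 fingerprint of a certificate ($1 = file, $2 = PEM or DER): the value to compare
# against the certificate dialog on every Windows machine that imports the CA.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}
der_matches_pem() {   # prints "match" when the .cer is the same certificate as the .pem
    if [ "$(fingerprint "$CA_DIR/cacert.pem" PEM)" = "$(fingerprint "$CA_DIR/cacert.cer" DER)" ]
    then echo match; else echo mismatch; fi
}

# Equivalent of CA.pl -newreq followed by CA.pl -sign. $1 is the site name; it goes in
# the CN (as the post requires) and in a subjectAltName, which modern clients insist on.
issue_server_cert() {
    site="$1"; dir="$SITE_DIR/$site"; mkdir -p "$dir"
    openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -sha256 \
        -subj "/C=GB/O=Example Hosting/CN=$site" -passout "pass:$KEY_PASS" \
        -keyout "$dir/key_$site.pem" -out "$dir/req_$site.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$site" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/req_$site.pem" -CA "$CA_DIR/cacert.pem" \
        -CAkey "$CA_DIR/private/cakey.pem" -passin "pass:$CA_PASS" -CAcreateserial \
        -days 1825 -sha256 -extfile "$dir/ext.cnf" -out "$dir/cert_$site.pem" 2>/dev/null
}

# What a browser or ISA will check: chain to the CA, server purpose and hostname.
# $1 = site whose certificate to test, $2 = hostname to match (defaults to $1).
verify_server_cert() {
    site="$1"; name="${2:-$1}"
    openssl verify -CAfile "$CA_DIR/cacert.pem" -purpose sslserver \
        -verify_hostname "$name" "$SITE_DIR/$site/cert_$site.pem" >/dev/null 2>&1
}

# The .pfx for the computer account's personal store: certificate, private key and the
# issuing CA. Prints the CN read back from the bundle, proving the export password
# works before the file leaves this machine.
export_pkcs12() {
    site="$1"; dir="$SITE_DIR/$site"
    openssl pkcs12 -export -in "$dir/cert_$site.pem" -inkey "$dir/key_$site.pem" \
        -certfile "$CA_DIR/cacert.pem" -passin "pass:$KEY_PASS" \
        -passout "pass:$PFX_PASS" -out "$dir/pk_cert_$site.pfx"
    openssl pkcs12 -in "$dir/pk_cert_$site.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
        2>/dev/null | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

main() {
    make_ca
    echo "CA SHA-256 fingerprint: $(fingerprint "$CA_DIR/cacert.cer" DER) ($(der_matches_pem))"
    issue_server_cert webmail.example.com
    verify_server_cert webmail.example.com
    echo "chain, purpose and hostname verify: OK"
    echo "PKCS#12 holds CN=$(export_pkcs12 webmail.example.com)"
    rm -f "$SITE_DIR/webmail.example.com/pk_cert_webmail.example.com.pfx"  # the post's last step
}
main
```

One caveat if you follow the post with a current OpenSSL: OpenSSL 3 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC by default, which importers as old as ISA Server 2004's Windows cannot read; adding -legacy to the openssl pkcs12 -export command produces the older RC2/3DES encoding those systems expect.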

Last modified on Tuesday, 09 December 2014 15:14