OpenSSL Windows – How to install, use and generate an SSL certificate
OpenSSL can be confusing to many, so here is the easy guide on how to use OpenSSL for Windows.
It also covers how to fix the "WARNING: can't open config file: /usr/local/ssl/openssl.cnf" error and
how to generate the strongest possible certificate in AES 256 bit!
Note 1 - OpenSSL does not have a GUI (no pretty pictures - it's DOS only)
Note 2 - http://www.openssl.org/ is the original source of the software but you will not need this for the Windows version.
1: Open Page (trusted source only) - http://slproweb.com/products/Win32OpenSSL.html
2: Download Win32 OpenSSL v??? (Latest Version - Even if you are using Windows 64bit - it will work anyway) - http://slproweb.com/download/Win32OpenSSL-1_0_1c.exe
3: Download Visual C++ 2008 Redist - http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
4: Install Both
5: Open Command Prompt (DOS) as Administrator (If you don't know how to do this - it's probably wise to give up now)
6: Type at prompt: cd c:\openssl-win32\bin (obviously if your folder is not in c:\openssl-win32 then change appropriately)
7: Type at prompt: set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg (if you don't run this line you will get the following error: WARNING: can't open config file: /usr/local/ssl/openssl.cnf)
8: Now you can run OpenSSL with commands like this in the command prompt:
Apache SSL Certificate and Key - General Use (-nodes writes the private key without a passphrase):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mywebsitename.key -out mywebsitename.crt
Ref/More Info: http://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
SSL AES 256 Bit Highest Security Level OpenSSL (-aes256 encrypts the private key file with a passphrase that you are asked to enter):
openssl genrsa -aes256 -out server.key 2048
openssl req -new -key server.key -sha256 -out myrequest.csr
Ref/More Info: http://www.websense.com/content/support/library/web/v75/ssl_certs/cert_authority.aspx
SSL Certificate for IIS 7 Windows Server
It's long and complicated so read about it here: http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html
QNAP SSL OpenSSL - Generate an SSL Certificate for your NAS Web Server
openssl genrsa -out private.key 2048
openssl req -new -key private.key -out server.crt -x509 -days 365
Open private.key in notepad then copy text into NAS Administration / Security / SSL Secure Certificate & Private Key
Do the same with server.crt file
Click Upload (Even if the text is in the wrong format the upload will still go through, but the certificate will not work)
Click Download Certificate
Unzip (2 layered zip) and find 'backup.cert' and rename to 'backup.crt'
Finally import it into your browser (right click the file for the 'install certificate' option and accept the defaults all the way through)
Now you have a nice safe connection that is recognized as secure by your PC!
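A check worth running before the upload step above, as an added example that is not part of the original post: this batch file confirms that private.key and server.crt both parse and belong to the same RSA key pair, then prints the SHA-256 fingerprint to compare with the certificate your browser shows for the NAS. It assumes the file names and install folder used above, a key without a passphrase, and that it is run from c:\openssl-win32\bin.

```batch
@echo off
rem Added example: sanity-check a key/certificate pair before uploading it.
rem Assumptions: file names and install folder are the ones used in the steps
rem above, and the private key is not passphrase-protected.
setlocal
set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg
set KEY=private.key
set CRT=server.crt

rem 1. Both files must parse. A bad copy/paste or wrong format fails here.
openssl rsa -in %KEY% -noout >nul 2>&1
if errorlevel 1 (echo FAIL: %KEY% is not a readable RSA private key & exit /b 1)
openssl x509 -in %CRT% -noout >nul 2>&1
if errorlevel 1 (echo FAIL: %CRT% is not a readable certificate & exit /b 1)

rem 2. A matching pair shares the same RSA modulus. Each command prints one
rem    line of the form Modulus=<hex>, which is captured and compared.
for /f "delims=" %%m in ('openssl rsa -in %KEY% -noout -modulus 2^>nul') do set KEYMOD=%%m
for /f "delims=" %%m in ('openssl x509 -in %CRT% -noout -modulus 2^>nul') do set CRTMOD=%%m
if not "%KEYMOD%"=="%CRTMOD%" (echo FAIL: key and certificate do not match & exit /b 1)

rem 3. -checkend 0 returns an error if the certificate has already expired.
openssl x509 -in %CRT% -noout -checkend 0 >nul 2>&1
if errorlevel 1 (echo FAIL: certificate has expired & exit /b 1)

rem 4. Print the details to compare by eye with the browser's certificate
rem    dialog after the import. The fingerprints must be identical.
echo OK: key and certificate match
openssl x509 -in %CRT% -noout -subject -enddate -fingerprint -sha256
endlocal
```

If the fingerprint shown by the browser for the NAS differs from the one printed here, the browser is not talking to the certificate you generated.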
RSA Key Lengths
384 bit : Weak and useless
512 bit : Still too weak and useless
1024 bit : Secure but crackable
2048 bit : Good option and currently secure (Similar to AES 128 bit)
3072 bit : High level of security and currently very secure
4096 bit : Highest level of security and considered unbreakable
Is a Self Signed Certificate secure? Yes (with a little no). Provided you install the correct .crt certificate into your browser, the browser can verify that your connection has not been copied / cloned / man-in-the-middle attacked, and you are good to go. However, if you get a security certificate error then you should check for problems.
Online (website generated) Self Signed Certificates may or may not be trustworthy, so I don't recommend them. However, here is a possibly trustworthy online generator: http://www.mobilefish.com/services/ssl_certificates/ssl_certificates.php
Commercially signed certificates can also have security flaws for many reasons, so nothing is 100%. Personally I like to know I am working with my own certificate that I created...