Self-issued SSL Certificates for Servers

Discussion in 'Chit Chat' started by pisthai, Jul 10, 2015.

  1. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    7,222
    2,272
    240
    #1 pisthai, Jul 10, 2015
    Last edited by a moderator: Apr 20, 2017
    To clearly say upfront: SSL Certificates could be a costly 'Game'!


    There are a lot of companies selling SSL (Secure Sockets Layer) Certificates to provide secure connections via the Internet and Intranet, as well as even in a LAN (Local Area Network). SSL is a standard security technology which places an encrypted link between a browser and a web server.


    Those SSL Certificates cost quite a lot and will need to be paid in advance for at least 1 year, and need to be paid again if the SSL Cert will be used for longer periods.


    There are several levels of SSL Certificates, called Classes:

    • Class 1 for individuals, intended for email.
    • Class 2 for organizations, for which proof of identity is required.
    • Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
    • Class 4 for online business transactions between companies.
    • Class 5 for private organizations or governmental security.


    The higher the Class, the higher the cost!!


    Except Class 1, all others need identification proof, real identification proof!


    To keep the cost low, especially for beginners, there is a way to use Self-issued SSL Certificates free of cost. It has a disadvantage: the users browsing your site will get a warning each time saying that the certificate is not trusted by a known CA, and that could scare them away. As long as the users know why that message appears, it wouldn't be a problem, because in fact the user still connects to a secure site and/or server. Just, a Self-issued SSL Certificate isn't recommended for more than just 'private' use! Still, Self-issued SSL Certificates are great for learning the basics of secure connections via Internet and Intranet.

    To use a Self-issued SSL Certificate, you'll need to use a small app, openssl.exe (download from here: https://mega.co.nz/#!VsAxXTQA!fL1jswbE-LI32spG8eEy4IgFkbS97QXFjvOG-r2E7Sg). Extract the archive to the folder of your Server app. Create, using Notepad, a text file called makecert.bat with the following content:

    Code:
    @echo off
    rem Generate a 2048-bit RSA private key into ServerKey.pem (efsws_rand.txt only seeds the RNG)
    echo ---------------------- Generating SSL Server Key ----------------------
    openssl genrsa -rand efsws_rand.txt -out ServerKey.pem 2048
    rem Create a self-signed X.509 certificate from that key, valid for 365 days, using the
    rem openssl.cnf shipped next to openssl.exe; the subject fields are asked interactively
    echo ------------ Generating self-issued SSL Server Certificate ------------
    openssl req -new -key ServerKey.pem -out ServerCert.pem -x509 -config openssl.cnf -days 365
    echo -------- SSL Server key and self-issued certificate generated ---------

    Save the file as makecert.bat and run it as Administrator. There will be several questions asked which you could use to provide the info that should be used. After that's done, 2 files will be created:

    1. your private key as ServerKey.pem
    2. your Self-issued Certificate as ServerCert.pem

    Both files must be in the root of your server app; that's why the RAR Archive should be extracted there and the makecert.bat should also be located there.

    Note: makecert.bat will create a 2048-bit SSL Cert! Also don't forget to set your server for https to port 443 and forward that port in your Router correctly.
    ************************************************************

    If you like to use a CA to create a Free Class 1 (or higher, costly) SSL Certificate, look at https://www.startssl.com which will give you a free SSL for 1 year, which you could extend every year. Be aware of the Rules when using a CA, read all of those BEFORE you start using any of the CA SSL Certificates! Even a Free Class 1 Cert could turn quite costly if not handled correctly!
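    An added example (not from the post or the OpenSSL project) that does in Go's standard library what makecert.bat does with openssl.exe (2048-bit RSA key, self-signed certificate for 365 days) and then shows why the browser warning from the post appears: the same certificate fails to verify against an empty root store and verifies once it is pinned as a trusted root. It goes beyond the batch file by adding a Subject Alternative Name; the hostname home.example and the LAN address 192.168.1.10 are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// makeSelfIssued mirrors makecert.bat (2048-bit RSA key, self-signed X.509
// certificate valid for 365 days) and additionally puts the hostname and LAN
// address into a Subject Alternative Name, which current browsers require.
func makeSelfIssued(host string, ip net.IP) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host}, // what "openssl req" asks for interactively
		DNSNames:     []string{host},
		IPAddresses:  []net.IP{ip},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// template == parent: the certificate signs itself, i.e. it is "self-issued"
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustedBy chains cert to a root store the way a browser does. An empty store
// reproduces the "not trusted by a known CA" warning; a store holding the
// self-issued certificate itself (the user deliberately pinning it) verifies.
func trustedBy(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

    Write cert.Raw as a PEM "CERTIFICATE" block and the key as a PEM "RSA PRIVATE KEY" block to get files equivalent to ServerCert.pem and ServerKey.pem.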
  2. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    18,682
    18,581
    340
    @pisthai

    Instead of using that horribly outdated OpenSSL binary, it would be better to get that from here or here.
     
  3. Myrrh

    Myrrh MDL Expert

    Nov 26, 2008
    1,511
    627
    60
    The thing I like about StartSSL.org is that once I've paid the $60 for class 2, I can generate as many certificates including the weird Exchange multi-domain and wildcard *.domain for as many things as I want to come up with for no additional cost.

    Every other "reputable" organization I've encountered wants you to pay more than that, per certificate, and has silly rules like only being allowed to install on one machine.
     
  4. pisthai

    pisthai Imperfect Human

    StartSSL has its advantages over other CA's! And it's much cheaper as well! Just you have to repay every year to continue the SSL's, as with any other CA's!

    The intention for opening this thread was simply about Self-issued SSL Certs and NOT any Class or Paid SSL's! It's a good way to learn about how SSL's are working, what the rules of it are and so on. I didn't want to suggest any CA or paid SSL in this thread! For my own Company I use paid SSL's, but I started with a Self-issued SSL on my own Home Server some years ago and it was a good way to get to know things!
     
  5. pisthai

    pisthai Imperfect Human

    As I wrote in my answer to the post of Myrrh, my intention was to show a way how to start with and use a Self-issued SSL Certificate to learn the basics of how Secure Socket Layer works. Sure there will be other versions than the one I use, better for sure as well; it's just up to the interested users what they choose to use and/or start with.

    Personally, I haven't used Self-issued SSL's for years now and had just 'bundled' together what I had used in the past and know would work just fine.
     
  6. pisthai

    pisthai Imperfect Human

    Regarding Let's Encrypt, they're not launched yet, the schedule is for September! Until then, a lot could still be changed. I wouldn't talk about or sign up for a product which isn't launched yet.

    CACert is a different story. To get a free SSL Cert from them, you're required to join their community and be an active member of it.

    And again, my OP was simply about Self-issued SSL Certificates and NOT commercial ones! Read my other answers for more.
     
  7. boss1921

    boss1921 MDL Novice

    Sep 29, 2009
    45
    16
    0
    @Pisthai

    Thanks for the great post. I'm interested in making a certificate for remote desktop using Windows RDP. I tried creating and implementing the certificate while making a "secure connection" but it didn't pan out. Any good guides for this specific task?
     
  8. pisthai

    pisthai Imperfect Human

    Just to tell, I haven't used Windows Server for some years already; I mainly use Linux/Unix and Apache/NGINX etc.

    Basically, to use SSL of any Class you'll need a Domain and a server accessible via that Domain. A Self-issued SSL could be used for static/fixed IPs even on a LAN. Also Port 443 needs to be assigned for that Server, and if you use a Self-issued SSL the Port must be properly forwarded in your Router.

    While using Remote Desktop on Windows, at least IIS must be running and properly configured too. In simple words, you have to turn that machine into a Server!

    Fact is, https (secure connection) needs a properly installed SSL Certificate on the computer running as the Server. If the SSL Cert isn't found while trying to connect via https, the connection is refused and an Error Page will be shown instead. A Self-issued SSL Cert will also result in a Warning Page being shown, because that SSL isn't issued by a CA Company and is therefore classified as dangerous, even if it isn't; just the target could be accessed.

    I would suggest, if you want to go ahead with RDP and SSL, google for it and you'll get a lot of info, Pro and Con about it.
     
  9. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,354
    2,026
    210

    Read this then. The most important part is object identifier - 1.3.6.1.4.1.311.54.1.2
     
  10. pisthai

    pisthai Imperfect Human

    Was busy the last days and have now checked closely, with the result that I have already changed to the latest OpenSSL.

    Thanks for that.

    And for the readers of the OP: Please download the latest version, either 32-bit or 64-bit depending on the Server OS you use, and install and use that new version. I tested it and it just works well.
     
  11. MrChris

    MrChris MDL Addicted

    Jun 23, 2007
    532
    127
    30
    pisthai , Thanks for the post. Your post alone answered a few random questions that I had always had on SSL Certs etc..

    ~MC
     
  12. fbifido

    fbifido MDL Member

    Jun 6, 2007
    199
    26
    10
    #13 fbifido, Aug 17, 2015
    Last edited: Aug 21, 2015
  13. fbifido

    fbifido MDL Member

    #14 fbifido, Aug 20, 2015
    Last edited by a moderator: Apr 20, 2017
    Supports SAN/UCC

    got this from AnarethoS

    very good info:

    1. now support SAN/UCC (added 21-08-2015)

     
  14. sebus

    sebus MDL Guru
