Self-issued SSL Certificates for Servers

To say it clearly upfront: SSL Certificates could be a costly 'Game'! There are a lot of companies selling SSL (Secure Sockets Layer) Certificates to provide secure connections via the Internet and Intranet, and even in a LAN (Local Area Network). SSL is a standard security technology which places an encrypted link between a browser and a web server. Those SSL Certificates cost quite a lot, need to be paid in advance for at least 1 year, and need to be paid again if the SSL Cert will be used for longer periods.

There are several levels of SSL Certificates, called Classes:

Class 1 for individuals, intended for email.
Class 2 for organizations, for which proof of identity is required.
Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
Class 4 for online business transactions between companies.
Class 5 for private organizations or governmental security.

The higher the Class, the higher the cost!! Except for Class 1, all others need identification proof, real identification proof!

To keep the cost low, especially for beginners, there is a way to use Self-issued SSL Certificates free of cost. It has a disadvantage: the users browsing your site will get a warning each time saying that the certificate is not trusted by a known CA, and that could scare them away. As long as the user knows why that message appears, it wouldn't be a problem, because in fact the user still connects to a secure site and/or server. However, a Self-issued SSL Certificate isn't recommended for more than just 'private' use! Still, Self-issued SSL Certificates are great for learning the basics of secure connections via Internet and Intranet.

To use a Self-issued SSL Certificate, you'll need to use a small app, openssl.exe (download from here: https://mega.co.nz/#!VsAxXTQA!fL1jswbE-LI32spG8eEy4IgFkbS97QXFjvOG-r2E7Sg).
Extract the archive to the folder of your Server apps. Using Notepad, create a text file called makecert.bat with the following content:

Code:
    @echo off
    rem Generate a 2048-bit RSA private key; efsws_rand.txt seeds the random number generator
    echo ---------------------- Generating SSL Server Key ----------------------
    openssl genrsa -rand efsws_rand.txt -out ServerKey.pem 2048
    rem Create a self-issued X.509 certificate from that key, valid for 365 days
    echo ------------ Generating self-issued SSL Server Certificate ------------
    openssl req -new -key ServerKey.pem -out ServerCert.pem -x509 -config openssl.cnf -days 365
    echo -------- SSL Server key and self-issued certificate generated ---------

Save the file as makecert.bat and run it as Administrator. Several questions will be asked, which you can use to provide the info that should be used. After that's done, 2 files will be created:

your private key as ServerKey.pem
your Self-issued Certificate as ServerCert.pem

Both files must be in the root of your server apps; that's why the RAR archive should be extracted there and makecert.bat should be located there as well.

Note: makecert.bat will create a 2048-bit SSL Cert! Also don't forget to set your server for https to port 443 and forward that port in your Router correctly.

************************************************************

If you'd like to use a CA to create a Free Class 1 (or higher, costly) SSL Certificate, look at https://www.startssl.com, which will give you a free SSL for 1 year, which you could extend every year. When using a CA, be aware of the Rules; read all of them BEFORE you start using any of the CA SSL Certificates! Even a Free Class 1 Cert could turn quite costly if not handled correctly!
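A way to sanity-check the two files that makecert.bat produces, as an added example that is not part of the original post: it confirms the certificate belongs to the private key, that issuer equals subject (the reason for the browser warning), the key size, and the remaining validity. It is written for a POSIX shell and uses the same openssl sub-commands that openssl.exe offers; the function names and the subject "demo.invalid" are assumptions, and the demo pair is generated on the spot.

```shell
#!/bin/sh
# Added example. ServerKey.pem and ServerCert.pem are the file names from the
# post; the function names and the subject "demo.invalid" are made up here.

# make_demo_pair DIR: non-interactive stand-in for makecert.bat (2048-bit RSA,
# 365 days); -subj answers the questions "openssl req" would otherwise ask.
make_demo_pair() {
    openssl genrsa -out "$1/ServerKey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/ServerKey.pem" -out "$1/ServerCert.pem" \
        -days 365 -subj "/CN=demo.invalid" 2>/dev/null
}

# check_pair KEY CERT: prints one line per check, returns 0 only if all pass.
check_pair() {
    key=$1; cert=$2; rc=0
    # 1. The certificate must contain the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cpub=
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    # 2. Issuer equals subject: self-issued, which is why browsers warn.
    subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || subj=
    iss=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || iss=
    if [ -n "$subj" ] && [ "${subj#*=}" = "${iss#*=}" ]; then echo "ok   self-issued: ${subj#*=}"
    else echo "FAIL issuer differs from subject"; rc=1; fi
    # 3. Key size as recorded in the certificate.
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok   $bits-bit key"
    else echo "FAIL key is ${bits:-unknown} bit"; rc=1; fi
    # 4. Must still be valid 30 days from now (-checkend takes seconds).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1
    then echo "ok   valid for at least 30 more days"
    else echo "FAIL expires within 30 days or is unreadable"; rc=1; fi
    return $rc
}

# Demo on a throwaway pair generated in a temporary directory.
demo=$(mktemp -d) && make_demo_pair "$demo" &&
    check_pair "$demo/ServerKey.pem" "$demo/ServerCert.pem"
rm -rf "$demo"
```

Run against a real server, call check_pair with the paths of the existing ServerKey.pem and ServerCert.pem instead of the demo pair.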
Free Internet SSL coming .....
https://letsencrypt.org/
https://letsencrypt.org/2015/06/16/lets-encrypt-launch-schedule.html

Free CA here:
http://www.cacert.org/

Thanks.
@pisthai Instead of using that horribly outdated OpenSSL binary, it would be better to get that from here or here.
The thing I like about StartSSL.org is that once I've paid the $60 for class 2, I can generate as many certificates including the weird Exchange multi-domain and wildcard *.domain for as many things as I want to come up with for no additional cost. Every other "reputable" organization I've encountered wants you to pay more than that, per certificate, and have silly rules like only allowed to install on one machine.
StartSSL has its advantages over other CAs! And it's much cheaper as well! You just have to pay again every year to continue the SSLs, as with any other CA! The intention in opening this thread was simply about Self-Issued SSL Certs and NOT any Class or Paid SSLs! It's a good way to learn about how SSLs work, what the rules are and so on. I didn't want to suggest any CA or paid SSL in this thread! For my own Company I use paid SSLs, but I started with Self-Issued SSL on my own Home Server some years ago and it was a good way to get to know things!
As I wrote in my answer to the post of Myrrh, my intention was to show a way to start with and use a Self-Issued SSL Certificate to learn the basics of how Secure Socket Layer works. Sure, there will be other versions than the one I use, better ones for sure as well; it's just up to the interested user what they choose to use and/or start with. Personally, I haven't used Self-Issued SSLs for years now and had just 'bundled' together what I had used in the past and know would work just fine.
Regarding Let's Encrypt, they haven't launched yet; the schedule is for September! Until then, a lot could still be changed. I wouldn't talk about or sign up for a product which isn't launched yet. CACert is a different story. To get a free SSL Cert from them, you're required to join their community and be an active member of it. And again, my OP was simply about Self-Issued SSL Certificates and NOT commercial ones! Read my other answers for more.
@Pisthai Thanks for the great post. I'm interested in making a certificate for remote desktop using Windows RDP. I tried creating and implementing the certificate while making a "secure connection" but it didn't pan out. Any good guides for this specific task?
Just to say, I haven't used Windows Server for some years already; I mainly use Linux/Unix and Apache/NGINX etc. Basically, to use SSL of any Class you'll need a Domain and a server accessible via that Domain. Self-Issued SSL could be used with a static/fixed IP, even on a LAN. Also, Port 443 needs to be assigned to that Server and, if you use Self-Issued SSL, the Port must be properly forwarded in your Router. While using Remote Desktop on Windows, at least IIS must be running and properly configured too. In simple words, you have to turn that machine into a Server! Fact is, https (secure connection) needs a properly installed SSL Certificate on the Computer running as the Server. If the SSL Cert isn't found while trying to connect via https, the connection is refused and an Error Page will be shown instead. A Self-Issued SSL Cert will also result in a Warning Page being shown, because that SSL isn't issued by a CA Company and is therefore classified as dangerous, even though it isn't; the target can still be accessed. I would suggest, if you want to go ahead with RDP and SSL, google for it and you'll get a lot of info, Pro and Con, about it.
I was busy the last few days and have now checked closely, with the result that I have changed to the latest OpenSSL already. Thanks for that. And for the readers of the OP: please download the latest version, either 32-bit or 64-bit depending on the Server OS you use, and install and use that new version. I tested it and it just works well.
pisthai, thanks for the post. Your post alone answered a few random questions that I had always had on SSL Certs etc. ~MC
OpenSSL Self-Signed CA
https://langui.sh/2009/01/18/openssl-self-signed-ca/
https://langui.sh/2012/11/02/building-a-ca-r509-howto/

Thanks.

21-08-2015
-------------
"OpenSSL PKI Tutorial v1.1"
http://pki-tutorial.readthedocs.org/en/latest/
very nice write up (PDF is to the lower-right)

"Creating a CA"
http://www.phildev.net/ssl/creating_ca.html
Supports SAN/UCC. Got this from AnarethoS, very good info:
1. Now supports SAN/UCC (added 21-08-2015)