OpenSSL: Self-Sign SSL Certificate for OWA
I always used to use the Microsoft Windows Certification Authority to sign my own SSL certificates, but I don't really like the way the Windows Certification Authority does things, and I do like the way OpenSSL does things, so I opted to use OpenSSL on good old trustworthy openSUSE Linux to:
Now, I used OpenSSL on Linux, but OpenSSL is also available on Windows, so if you would like to use OpenSSL on Windows you can download it from: http://www.slproweb.com/products/Win32OpenSSL.html

Let's get cracking:

On openSUSE 10.2, OpenSSL (if installed) will have its configuration file at /etc/ssl/openssl.cnf. Normally I create a new directory in /etc/ssl/ for every new CA that I create. I now need to create a new Certification Authority (CA) called VirtualVCP Secure Services, so first let's create the directory for the new CA:

mkdir -p /etc/ssl/virtualvcp-ca/CA

In order to create the new CA and to request and sign new certificates with OpenSSL, there's a handy script bundled with OpenSSL called CA.pl. We now need to copy that CA.pl file to the /etc/ssl/virtualvcp-ca/ directory in order to create the new CA:

cp -pv /usr/share/ssl/misc/CA.pl /etc/ssl/virtualvcp-ca/

Before we can create the new CA, we need to edit the OpenSSL configuration. But first, make a backup copy of the OpenSSL configuration file /etc/ssl/openssl.cnf:

cp -pv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak

Using vi or nano, edit /etc/ssl/openssl.cnf and change the following lines to look like this (only change the two lines):

dir = ./CA

Save the file and exit the editor.

We now also need to make a couple of small changes to the CA.pl file we copied to the /etc/ssl/virtualvcp-ca/ directory. Use vi or nano to edit /etc/ssl/virtualvcp-ca/CA.pl and change the following lines to look like this:

$DAYS="-days 1825";

Save the file and exit the editor.

Now we can go ahead with creating the new Certification Authority:

cd /etc/ssl/virtualvcp-ca

The information entered will be included in your CA Certificate.

Enter Country Code: GB

The CA is now created and ready to sign Certificate Requests from /etc/ssl/virtualvcp-ca/CA/. OpenSSL has now placed all the files for the new Certification Authority in /etc/ssl/virtualvcp-ca/CA. The new CA Certificate is located at /etc/ssl/virtualvcp-ca/CA/cacert.pem.

In order to securely import the new CA certificate into the Trusted Root Certification Authorities store in Windows, we want this file in DER (.cer) format. We now have to export the cacert.pem file:

cd /etc/ssl/virtualvcp-ca/CA

This cacert_virtualvcp.cer file can now be copied to and imported into the Trusted Root Certification Authorities store in Windows. This is also the file that all clients will have to import into their Trusted Root Certification Authorities store in order for the client to trust certificates signed by this new CA.

Now that we have our new Certification Authority set up, we can request a new certificate from the new CA:

cd /etc/ssl/virtualvcp-ca

The information entered will be included in your signed certificate.

Enter Country Name: GB

Once the request has been created, we can use the CA to sign the new certificate request:

cd /etc/ssl/virtualvcp-ca/

Get organised! Create a new directory to file away the new certificate files:

mkdir -p /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/

Move the generated certificate files to that new directory:

cd /etc/ssl/virtualvcp-ca

Rename them to more appropriate names:

cd /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/

So, the new self-signed x509 SSL certificate is now located at: /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/cert_webmail.spiesr.com.pem

OpenSSL creates certificate files with the .pem extension. As we did with the CA certificate, we can export these files to DER (.cer) files for use within Windows. For publishing Outlook Web Access with ISA Server, we need to export two versions of this cert_webmail.spiesr.com.pem file. The first version is in DER format. The second version is a PKCS#12 file (.pfx) and should be handled with extreme care and kept confidential, as it contains the certificate as well as the private key. This is the file needed for publishing Outlook Web Access with Microsoft ISA Server.

Export the cert_webmail.spiesr.com.pem file to a DER (.cer) file:

cd /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/

Now export the certificate and private key in the same file (PKCS#12):

openssl pkcs12 -export -out ./pk_cert_webmail.spiesr.com.pfx -inkey ./key_webmail.spiesr.com.pem -in cert_webmail.spiesr.com.pem

There is now a new file called pk_cert_webmail.spiesr.com.pfx. This is the file you will have to import into the computer account's personal certificate store in order to publish Outlook Web Access with ISA Server. Once it has been imported into your Exchange server and ISA server, delete all copies of this file from the Windows servers as well as from the OpenSSL server. You can always export the certificate and key again if need be.
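The whole procedure above (create the CA, request and sign a certificate for the OWA host, export the DER copies and the PKCS#12 bundle) as one script, added here as an example and not taken from the post. It uses plain openssl(1) commands instead of the CA.pl wrapper, keeps the post's CA name, host name and 1825-day lifetime, and works entirely in a scratch directory so nothing under /etc/ssl is touched. The config fragments, the scratch directory and the PFX_PASS placeholder are constructed for this example; the post's interactive openssl pkcs12 prompt is replaced by -passout so the script runs unattended. The three check functions at the end are the ones worth running before any file is copied to a Windows server.

```shell
#!/bin/sh
# Added example (not the post's CA.pl workflow): the same steps with plain
# openssl commands, in a scratch directory. Requires the openssl CLI.
set -eu
umask 077                       # every file created here is owner-readable only

WORK="${WORK:-$(mktemp -d)}"    # constructed scratch directory; /etc/ssl is untouched
CA_DIR="$WORK/CA"
HOST="webmail.spiesr.com"
OUT="$WORK/signed/spiesr.com/$HOST"
DAYS=1825                       # same lifetime the post puts in CA.pl's $DAYS
PFX_PASS="${PFX_PASS:-example-only-change-me}"   # constructed placeholder password

# 1. The CA: a self-signed root whose extensions say "I am a CA and only sign".
make_ca() {
    mkdir -p "$CA_DIR/private"
    cat > "$CA_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
C  = GB
O  = VirtualVCP
CN = VirtualVCP Secure Services
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days "$DAYS" -config "$CA_DIR/ca.cnf" \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
    # DER copy: the file clients import into Trusted Root Certification Authorities
    openssl x509 -in "$CA_DIR/cacert.pem" -outform DER -out "$CA_DIR/cacert_virtualvcp.cer"
}

# 2. Server key and request, signed by the CA as a leaf for one host name only.
make_server_cert() {
    mkdir -p "$OUT"
    openssl genrsa -out "$OUT/key_$HOST.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$OUT/key_$HOST.pem" \
        -subj "/C=GB/O=Spiesr/CN=$HOST" -out "$OUT/req_$HOST.pem"
    cat > "$OUT/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl x509 -req -sha256 -days "$DAYS" -in "$OUT/req_$HOST.pem" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial \
        -extfile "$OUT/leaf.ext" -out "$OUT/cert_$HOST.pem"
    # DER copy of the certificate alone (no key) ...
    openssl x509 -in "$OUT/cert_$HOST.pem" -outform DER -out "$OUT/cert_$HOST.cer"
    # ... and the PKCS#12 bundle that carries the private key for ISA/Exchange
    openssl pkcs12 -export -passout "pass:$PFX_PASS" \
        -inkey "$OUT/key_$HOST.pem" -in "$OUT/cert_$HOST.pem" \
        -certfile "$CA_DIR/cacert.pem" -out "$OUT/pk_cert_$HOST.pfx"
}

# 3. Checks to run before anything is imported on the Windows side.
verify_chain() {
    # the leaf must chain to our CA and must match the OWA host name
    openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$HOST" \
        "$OUT/cert_$HOST.pem" >/dev/null
}
der_matches_pem() {
    # the .cer handed to Windows must be the very same certificate as the .pem
    [ "$(openssl x509 -in "$OUT/cert_$HOST.pem" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$OUT/cert_$HOST.cer" -inform DER -noout -fingerprint -sha256)" ]
}
pfx_has_private_key() {
    # shows why the .pfx needs care: it opens with the password and holds the key
    openssl pkcs12 -in "$OUT/pk_cert_$HOST.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

main() {
    make_ca
    make_server_cert
    verify_chain
    der_matches_pem
    pfx_has_private_key
    echo "CA (DER) for the trusted-root store: $CA_DIR/cacert_virtualvcp.cer"
    echo "Server PKCS#12 for ISA/Exchange:     $OUT/pk_cert_$HOST.pfx"
}
main
```

Two points the post leaves implicit are made explicit here: the leaf certificate carries a subjectAltName and serverAuth extended key usage (modern clients ignore the CN for host matching), and the CA certificate is restricted to keyCertSign/cRLSign so it cannot itself be presented as a server certificate. The umask and the scratch directory mean the private keys never sit world-readable; the post's advice to delete every copy of the .pfx after import still applies to $WORK.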
I recently had to renew my self-signed SSL certificate used to publish my Outlook Web Access with Microsoft ISA Server 2004. As it's been a while since I've done OWA publishing, I found myself scrambling for information on the internet until I eventually managed to compile this document. As I would like to use this again in the future, I thought I'd post it here for reference.



