OpenSSL: Self-Sign SSL Certificate for OWA
I recently had to renew my self-signed SSL certificate used to publish my Outlook Web Access with Microsoft ISA Server 2004. As it’s been a while since I’ve done OWA publishing, I found myself scrambling for information on the internet until I eventually managed to compile this document. As I would like to use this again in the future, I thought I'd post it here for reference.
I always used to use the Microsoft Windows Certification Authority to sign my own SSL certificates, but I don’t really like the way the Windows Certification Authority does things and I do like the way OpenSSL does things, so I opted to use OpenSSL on good old trustworthy openSUSE Linux to:
Create a new Certification Authority that I can use for all my private sites
Create a new x509 SSL Certificate to replace the current soon-to-expire SSL certificate in use by my OWA setup.
Now I used OpenSSL on Linux, but OpenSSL is also available on Windows, so if you would like to use OpenSSL on Windows, you can download it from:
Let’s get cracking:
On openSUSE 10.2, OpenSSL (if installed) will have its configuration file at /etc/ssl/openssl.cnf.
Normally I create a new directory in /etc/ssl/ for every new CA that I create. I now need to create a new Certification Authority (CA) called VirtualVCP Secure Services, so first let’s create the directory for the new CA:
mkdir -p /etc/ssl/virtualvcp-ca/CA
In order to create the new CA and request and sign new certificates with OpenSSL, there’s a handy script bundled with OpenSSL called CA.pl. We now need to copy that CA.pl file to the /etc/ssl/virtualvcp-ca/ directory in order to create the new CA.
cp -pv /usr/share/ssl/misc/CA.pl /etc/ssl/virtualvcp-ca/
Before we can create the new CA, we need to edit the OpenSSL configuration. But first, make a backup copy of the openssl configuration file /etc/ssl/openssl.cnf:
cp -pv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
Using vi or nano, edit /etc/ssl/openssl.cnf and change the following lines to look like this (only change these two lines):
dir = ./CA
default_days = 1825
Save the file and exit the editor.
We now also need to make a couple of small changes to the CA.pl file we copied to the /etc/ssl/virtualvcp-ca/ directory.
Use vi or nano to edit /etc/ssl/virtualvcp-ca/CA.pl and change the following lines to look like this:
Save the file and exit the editor.
Now we can go ahead with creating the new Certification Authority:
Enter a passphrase that will be used to sign new certificate requests. Don’t forget what you’ve entered here, otherwise you won’t be able to sign new certificates with this CA.
Re-enter the passphrase.
The following information entered will be included in your CA Certificate.
Enter Country Code: GB
Enter State or Province Name: Hertfordshire
Organization Name: VirtualVCP Secure Services
Organizational Unit Name: Secure Hosting Services
Common Name: VirtualVCP Secure Services
Optional Company Name: 
The CA is now created and ready to sign certificate requests. OpenSSL has placed all the files for the new Certification Authority in /etc/ssl/virtualvcp-ca/CA/.
The new CA certificate is located at /etc/ssl/virtualvcp-ca/CA/cacert.pem.
In order to import the new CA certificate into the Trusted Root Certification Authorities store in Windows, we want this file to be in DER (.cer) format. We now have to export the cacert.pem file (the x509 subcommand is required; without it openssl does not know which kind of object to convert):
openssl x509 -outform DER -in ./cacert.pem -out ./cacert_virtualvcp.cer
This cacert_virtualvcp.cer file can now be copied to and imported into the Trusted Root Certification Authorities Store in Windows. This is also the file that all clients will have to import into their Trusted Root Certification Authorities store in order for the client to trust certificates signed by this new CA.
Now that we have our new Certification Authority set up, we can request a new certificate from the new CA:
Enter a passphrase for the private key (Don’t ever forget what you’ve entered!)
Re-enter the passphrase
The following information entered will be included in your signed certificate
Enter Country Name: GB
State or Province Name: Hertfordshire
Locality Name: Broxbourne
Organisation Name: SpiesR Secure Hosting
Organisational Unit Name: Secure Hosting
Common Name (this must match the website name that will use the new certificate): webmail.spiesr.com
Challenge Password: blank
Optional Company Name: blank
Once the request has been created we can use the CA to sign the new certificate request:
Enter the CA’s Passphrase
Review the information in the certificate request. If happy, sign by answering y to both prompts.
Create a new directory to file away the new certificate files:
mkdir -p /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/
Move the certificate files generated to that new directory:
mv ./*.pem ./signed/spiesr.com/webmail.spiesr.com/
Change into that directory and rename them to more appropriate names (the mv commands below are relative to the new directory):
cd ./signed/spiesr.com/webmail.spiesr.com/
mv ./newcert.pem ./cert_webmail.spiesr.com.pem
mv ./newkey.pem ./key_webmail.spiesr.com.pem
mv ./newreq.pem ./req_webmail.spiesr.com.pem
So, the new x509 SSL certificate signed by our own CA is now located at /etc/ssl/virtualvcp-ca/signed/spiesr.com/webmail.spiesr.com/cert_webmail.spiesr.com.pem.
OpenSSL creates certificate files with the .pem extension. As we did with the CA certificate, we can export these files to DER (.cer) files for use within Windows.
For publishing Outlook Web Access with ISA Server, we need to export two versions of this cert_webmail.spiesr.com.pem file. The first version is in DER format. The second version is a PKCS#12 file (.pfx) and must be handled with extreme care and kept confidential, as it contains the private key as well as the certificate. This is the file needed for publishing Outlook Web Access with Microsoft ISA Server.
Export the cert_webmail.spiesr.com.pem file to a DER (.cer) file:
openssl x509 -outform DER -in ./cert_webmail.spiesr.com.pem -out ./cert_webmail.spiesr.com.cer
Now Export the Certificate and Private Key in the same file (PKCS#12):
openssl pkcs12 -export -out ./pk_cert_webmail.spiesr.com.pfx -inkey ./key_webmail.spiesr.com.pem -in cert_webmail.spiesr.com.pem
Enter the passphrase for the key_webmail.spiesr.com.pem file (this was specified when the certificate request was submitted to the new CA):
Enter the new export password:
Re-enter Export Password:
There is now a new file called pk_cert_webmail.spiesr.com.pfx. This is the file you will have to import into the computer account’s personal certificate store in order to publish Outlook Web Access with ISA Server. Once it has been imported into your Exchange server and ISA server, delete all copies of this file from the Windows servers as well as the OpenSSL server. You can always export the certificate and key again if need be.
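The same CA, request, sign and export steps as explicit openssl commands, followed by the checks worth running before anything is imported into Windows (chain verifies against the CA, key and certificate belong together, the CN is the site name). This is an added example, not part of the original post or of CA.pl; the scratch directory, the unencrypted CA key, the export password and the subjectAltName extension are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the CA -> request -> sign -> export
# flow as explicit openssl commands, followed by the checks worth running before
# anything is imported into Windows. Runs in a scratch directory; names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_DAYS=1825                  # matches default_days in the post's openssl.cnf edit
HOST="webmail.spiesr.com"     # the site name that must appear in the certificate

# 1. New CA: private key plus self-signed CA certificate (what CA.pl -newca does).
#    -nodes leaves the key unencrypted only so this runs unattended; a real CA key
#    should carry the passphrase the post asks for.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$CA_DAYS" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
    -subj "/C=GB/ST=Hertfordshire/O=VirtualVCP Secure Services/CN=VirtualVCP Secure Services" \
    2>/dev/null
}

# 2. Key and request for the web server (CA.pl -newreq), 3. signed by the CA (CA.pl -sign).
#    The extension file adds a subjectAltName, which current clients require; CN alone is not enough.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key_$HOST.pem" \
    -out "$WORK/req_$HOST.pem" \
    -subj "/C=GB/ST=Hertfordshire/L=Broxbourne/O=SpiesR Secure Hosting/CN=$HOST" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/req_$HOST.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days "$CA_DAYS" -extfile "$WORK/ext.cnf" -out "$WORK/cert_$HOST.pem" 2>/dev/null
}

# 4. Windows exports: DER (.cer) for the trust store, PKCS#12 (.pfx, cert + private key) for ISA.
#    "export-secret" is a constructed password for this example.
export_windows() {
  openssl x509 -outform DER -in "$WORK/cacert.pem" -out "$WORK/cacert_virtualvcp.cer"
  openssl pkcs12 -export -passout pass:export-secret -inkey "$WORK/key_$HOST.pem" \
    -in "$WORK/cert_$HOST.pem" -out "$WORK/pk_cert_$HOST.pfx"
}

# 5. Checks: the cert chains to the CA, key and cert belong together, and the CN is the site name.
verify_issued() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/cert_$HOST.pem" >/dev/null 2>&1 || return 1
  c=$(openssl x509 -in "$WORK/cert_$HOST.pem" -noout -pubkey)
  k=$(openssl pkey -in "$WORK/key_$HOST.pem" -pubout 2>/dev/null)
  [ "$c" = "$k" ] || return 1
  openssl x509 -in "$WORK/cert_$HOST.pem" -noout -subject | grep -q "CN *= *$HOST"
}

make_ca && issue_cert && export_windows && verify_issued && echo "certificate for $HOST verified"
```

Run it on any box with the openssl binary; every file lands in $WORK, so nothing on the system is touched and the scratch key material can simply be deleted afterwards.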