
Generate SSL Certificate on Windows

SSL certificates are needed for a variety of reasons and depending on your environment it can be very easy or very hard to get the certificate(s) you want created. This is a nice easy method of generating a certificate on Windows.

Put the below text into a file and save it as “{FQDN}.inf”.

All the values between { and } should be changed to your required values, apart from the 2.5.29.17 = "{text}" line: that one needs the literal "{text}" wording for it to work, as the actual SAN values go in the _continue_ lines that follow it.

[NewRequest]
FriendlyName = "{FQDN}"
Subject = "CN={FQDN}"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = {Name of CA Template}
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns={DNS SAN}&"
_continue_ = "dns={DNS SAN}&"
_continue_ = "ipaddress={IP SAN}&"

Run the command: certreq -new {FQDN}.inf {FQDN}.req

Depending on your environment you may be able to run the below command on the server where you ran the above command (it will communicate with your CA, the Certificate Authority); alternatively you may have to copy the req file to the CA and run the below command there.

Run the command: certreq -submit {FQDN}.req {FQDN}.cer

If the above command was run on the CA, copy the cer file back to the original server before running the below command.

Run the command: certreq -accept {FQDN}.cer

Run the commands:
certutil -p Pa55word -exportPFX {FQDN} {FQDN}.pfx
certutil -privatekey -delstore MY {FQDN}

You will now have a pfx file (the password is Pa55word) available to import to any system or application.
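The whole procedure above, wrapped into one script as an added example (this is not the post's own code). It assumes an elevated PowerShell on a machine that can reach the enterprise CA directly, the PKI module (Export-PfxCertificate, Windows Server 2012 or later), and that $Template is the template's name rather than its display name; it prompts for the PFX password instead of passing one on the command line, where it would be visible in the shell history and process listing.

```powershell
# Added example, not the original post's code. Assumes an elevated PowerShell on a
# machine that can reach the enterprise CA, and that $Template is the template name.
param(
    [Parameter(Mandatory)][string]$Fqdn,
    [Parameter(Mandatory)][string]$Template,
    [string[]]$DnsSans = @(),
    [string[]]$IpSans  = @()
)
# Modern clients ignore the CN, so the FQDN must also appear as a DNS SAN.
if ($DnsSans -notcontains $Fqdn) { $DnsSans = @($Fqdn) + $DnsSans }
# The 2.5.29.17 line keeps the literal {text}; the values live in _continue_ lines,
# each terminated by '&'.
$sanLines = @($DnsSans | ForEach-Object { "_continue_ = `"dns=$($_)&`"" }) +
            @($IpSans  | ForEach-Object { "_continue_ = `"ipaddress=$($_)&`"" })
$inf = @"
[NewRequest]
FriendlyName = "$Fqdn"
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = $Template
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
Set-Content -Path "$Fqdn.inf" -Value $inf -Encoding ASCII
# The same three certreq steps as the post; stop at the first failure.
foreach ($step in @(@('-new', "$Fqdn.inf", "$Fqdn.req"),
                    @('-submit', "$Fqdn.req", "$Fqdn.cer"),
                    @('-accept', "$Fqdn.cer"))) {
    & certreq.exe @step
    if ($LASTEXITCODE -ne 0) { throw "certreq $($step[0]) failed with code $LASTEXITCODE" }
}
# Prompt for the PFX password rather than passing it on the command line, so it
# stays out of the shell history and process listing; then remove the key from
# the machine store as the post does.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "$Fqdn.pfx" -Password $pfxPassword | Out-Null
& certutil.exe -privatekey -delstore MY $Fqdn
```

Run it as, for example, .\New-ServerCert.ps1 -Fqdn web01.example.local -Template WebServer -DnsSans web01 -IpSans 10.0.0.5 (script name and values are placeholders); if -submit must be run on the CA in your environment, stop after -new and carry on with the manual steps above.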

As an optional extra step, you can split the pfx file into separate private key and certificate files. These separated files are needed for many Linux, VMware and AWS solutions, so it is worth documenting this extra step here.

In order to split the pfx file you need openssl. This can be downloaded for Windows from the openssl website, or you can copy the pfx file to a Linux server.

Run the command: openssl pkcs12 -in {FQDN}.pfx -nocerts -out {FQDN}.enc.key

It will ask for the “import” password; if you have followed the above instructions, this is Pa55word. It will also ask for a password for the new key file (and a confirmation of it); use Pa55word again.

Run the command: openssl pkcs12 -in {FQDN}.pfx -clcerts -nokeys -out {FQDN}.crt

Again it will ask for the “import” password; if you have followed the above instructions, this is Pa55word.

Run the command: openssl rsa -in {FQDN}.enc.key -out {FQDN}.key

It will ask for the “key” password; if you have followed the above instructions, this is Pa55word.

Once you are done you will have the original pfx file (the password is Pa55word), along with a key pair (the key and crt files) available to import into or use with any system or application.

Published in Microsoft
