Creating Free 3rd Party Certificates
mb
There are many ways you can use digital certificates in Windows. The only problem is that it often involves either having your own CA, paying for certificates from a trusted CA or, the worst option, using self-signed certificates. Fortunately, there is another solution. CAcert.org provides free digital certificates for anyone who wants to set up an account. This frees you from having to bother with setting up a certificate server and of course it doesn’t cost you anything.
Even if you run a certificate server on your Windows domain, CAcert is very helpful for creating certificates for remote standalone servers. You can use these certificates to help secure web sites or VPN traffic and they are also great to use with stunnel and for securing Terminal Services, which I will write about in later posts.
Here’s how to get started using CAcert:
Create a CAcert Account
Visit www.cacert.org, set up an account and go through the process of adding a new domain.
Create a Certificate Request
Download and install the latest Windows OpenSSL distribution from http://www.openssl.org/related/binaries.html
From a command prompt, change to the OpenSSL\bin directory and type the command below. Note that all of these examples use example.com. You should replace every instance of this with your own host name, and be sure to get them all, since it appears in quite a few places.
openssl req -newkey rsa:2048 -batch -verbose -nodes -keyout example.com.key.pem -out csr.txt -subj "/CN=example.com"
At this point, you have a new file, csr.txt that contains your certificate request.
On the CAcert web site, click on the link to create a new server certificate, paste the contents of csr.txt into the box provided, and then submit the request.
CAcert will provide you with a base64-encoded certificate. This is basically your public key in PEM format. Create a new text file named example.com.public.pem and copy and paste the public key from CAcert’s web site (or e-mail) into that file.
Back at the command prompt, let's create a copy of the public key in DER format, which can be useful:
openssl x509 -outform der -in example.com.public.pem -out example.com.public.cer
Next we copy the private and public keys into a single file:
type example.com.key.pem > example.com.private.pem
echo. >> example.com.private.pem
echo. >> example.com.private.pem
type example.com.public.pem >> example.com.private.pem
And finally, let’s convert the private key to PKCS12 format:
openssl pkcs12 -export -in example.com.private.pem -inkey example.com.key.pem -out example.com.private.p12
When it prompts you for an export password, press Enter twice.
Now that you are finished, you can delete csr.txt and example.com.key.pem.
You should now have the following files:
example.com.private.pem – The private key that must be kept very secure. Useful for stunnel and other programs.
example.com.private.p12 – The private key in PKCS12 format. Useful for importing into the Windows certificate store.
example.com.public.pem – The server’s public key in PEM format. Useful for stunnel and other programs.
example.com.public.cer – The server’s public key in DER format. You might want to place this certificate on a publicly-accessible server for others to download.
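The same flow as a POSIX shell script (an added example, not from the original post, and written for sh rather than the Windows command prompt). Because CAcert cannot be contacted offline, the stand-in function `fake_ca_issue` self-signs the CSR in place of the certificate CAcert would return; the point of the script is `cert_matches_key`, a check the post does not show: before bundling, confirm that the certificate you pasted into example.com.public.pem really belongs to the private key you generated. It assumes openssl is on the PATH; the host name and working directory are placeholders.

```shell
#!/bin/sh
# Added example: CSR -> (stand-in) issued certificate -> key/cert match check -> bundles.
set -eu

HOST="example.com"            # replace with your own host name, as the post says
WORK="${WORK:-$(mktemp -d)}"  # scratch directory (constructed for this example)

make_csr() {
  # Same request the post builds; straight quotes so the shell passes -subj through intact
  openssl req -newkey rsa:2048 -batch -nodes \
    -keyout "$WORK/$HOST.key.pem" -out "$WORK/csr.txt" -subj "/CN=$HOST" 2>/dev/null
}

fake_ca_issue() {
  # Stand-in for CAcert signing the CSR: self-sign it so the rest of the flow runs offline.
  # In real use, paste CAcert's PEM certificate into $WORK/$HOST.public.pem instead.
  openssl x509 -req -in "$WORK/csr.txt" -signkey "$WORK/$HOST.key.pem" \
    -days 30 -out "$WORK/$HOST.public.pem" 2>/dev/null
}

cert_matches_key() {
  # $1 = certificate PEM, $2 = private key PEM.
  # Hash the public key inside the certificate and the public key derived from the
  # private key; a mismatch means the wrong certificate or wrong key went into the bundle.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

build_bundle() {
  # Private bundle (key + cert) for stunnel, DER copy of the cert, PKCS12 for the Windows store
  cat "$WORK/$HOST.key.pem" "$WORK/$HOST.public.pem" > "$WORK/$HOST.private.pem"
  openssl x509 -outform der -in "$WORK/$HOST.public.pem" -out "$WORK/$HOST.public.cer"
  # "-passout pass:" is the non-interactive equivalent of pressing Enter twice in the post
  openssl pkcs12 -export -in "$WORK/$HOST.private.pem" -inkey "$WORK/$HOST.key.pem" \
    -out "$WORK/$HOST.private.p12" -passout pass:
}

run_flow() {
  # Refuse to build the bundles unless the certificate and key belong together
  make_csr && fake_ca_issue \
    && cert_matches_key "$WORK/$HOST.public.pem" "$WORK/$HOST.key.pem" \
    && build_bundle
}
```

Running `run_flow` leaves the four files the post lists in $WORK; the match check is what you would run again after pasting in the real CAcert certificate.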
What I usually do at this point is zip the files up and place them on a password-protected, encrypted volume. Whatever you do, don't make the all-too-common mistake of leaving the private keys lying around somewhere on your server.
Note that you can follow this same process for client certs, except that when creating the initial certificate request, use the e-mail address in the subject like this:
openssl req -newkey rsa:2048 -batch -verbose -nodes -keyout example.com.key.pem -out csr.txt -subj "/CN=client@example.com"
There's one final step: we need to import CAcert's root certificate into Windows so that it becomes a trusted root cert.
To do that, browse to http://www.cacert.org/index.php?id=3 and download their certificate in DER format. Save the file to your disk, right-click on the file, then select Import Certificate. Click on Next a few times, accepting all default values.
You need to repeat this step for each system that will access the certificate you just created.
Now you should be all set to use your certificates, which I will write about in later posts. I definitely must commend CAcert for their efforts to provide free certificates where others charge outrageous fees. While you're there, look around and see if there is any way you can contribute. Or if nothing else, at least click on a few ads :)
February 17th, 2007 at 6:13 pm
“There’s one final step, we need to import CAcert’s root certificate into Windows so that it becomes a trusted root cert … You need to repeat this step for each system that will access the certificate you just created.”
I don’t get it. No end user(s) will know how to, or be bothered to, do that.