Akzium
  • Home
  • Solutions
    • Distributed File Systems
    • Security
    • Cloud Computing >
      • Enterprise File Sync and Sharing
    • SD-WAN
    • Secure Internet
    • Virtualization
    • Backup and Replication >
      • AS400 Backup and Replication
      • DICOM Image Backup and Archival
    • Disaster Recovery
  • Services
    • Cloud Migration Services
  • About
  • Blog

Easy Self-Signed SSL Certificates

8/2/2022

0 Comments

 
Picture
There are times when you might need to issue a self-signed SSL certificate for local intranet web applications, especially when the application vendor includes a self-signed SSL certificate for their application, but not for your specific internal domain. The process of creating a self-signed certificate has become much easier lately.

One option is to download and install Git Bash for Windows (
https://git-scm.com/downloads). Git-2.37.1-64-bit.exe is the latest version as of this posting, which includes the OpenSSL library. If you use Git Bash to create an SSL certificate, the key is to make sure you put "winpty" in front of the OpenSSL command in the shell, or the command will lock up the terminal window. There are plenty of articles on the web that explain how to use openssl to create RooCA certs and self-signed certificates for use on your internal network.

Example: winpty openssl genpkey -algorithm RSA -des3 -out c:\folder\my-private-key.pem -pkeyopt rsa_keygen_bits:4096

A second option is to use the New-SelfSignedCertificate commandlet within Windows Powershell (version 5.1 or later).
Example:
$todaydt=Get-Date
$3years=$todaydt.AddYears(3)
New-SelfSignedCertificate -dnsname myserver.domain.local -notafter $3year -CertStoreLocation cert:\\LocalMachine\My
*note1: the -notafter switch is not valid on versions of Windows Server prior to 2016. Also, the cert:\\LocalMachine\My stores the new self-signed certificate in the signed-on user's local certificate datastore
An output similar to below will be shown. Note the thumbprint as you'll need to use that in the next command.
Directory: https://lnkd.in/dThSAdpY\\Certificate::LocalMachine\\My
Thumbprint Subject
---------- -------
54005B7DB6DC641F9EF982BACD9A8CBEB1D2E15F CN=myserver.domain.local

Next, you'll need to create a .pfx file.
Example:
$CertPassword = ConvertTo-SecureString -String "passw0rd!" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\\LocalMachine\My\\54005B7DB6DC641F9EF982BACD9A8CBEB1D2E15F -FilePath "C:\\PutAFolderNameHere\\myserverHttpsCert.pfx" -Password $CertPassword

To generate the pem, key, crt, and cer files, it's easiest to use the Git Bash shell OpenSSL utility.

Run the following commands:
*note: enter pwd at the $ prompt in Git Bash to find out the default directory path to place your pfx file.

winpty openssl pkcs12 -in mysslcertfile.pfx -out mysslcertfile.pem -clcerts   
(*note: this will prompt for password that was used in the $Certpassword to generate the PFX file earlier)

winpty openssl pkcs12 -in mysslcertfile.pfx -nocerts -out mysslcertfile.key
winpty openssl pkcs12 -in mysslcertfile.pfx -nocerts -out mysslcertfile-encrypted.key
winpty openssl rsa -in mysslcertfile-encrypted.key -out mysslcertfile-decrypted.key
winpty openssl pkcs12 -in mysslcertfile.pfx -clcerts -nokeys -out mysslcertfile.crt
winpty openssl x509 -inform pem -in mysslcertfile.crt -outform der -out mysslcertfile.cer

*note: you'll obviously replace "mysslcertfile" with the actual cert file name, example: subdomain.domain.com


You'll need to follow the application vendor's instructions for installing your new SSL cert, or in the case of an internally-developed application, install the SSL cert into IIS or Apache using instructions found elsewhere.

After creating the .pfx file, you'll need to import it into your PC's local root certificate store. Go to the Windows Search bar and type MMC (Microsoft Management Console), run as administrator. Got to File -> Add or Remove Snap-ins -> Certificates and click Add and then OK. Next, Navigate to the Certificates (Local Computer) add-in, then right-click on Trust Root Certification Authorities -> All Tasks -> Import. In the Certificate Import Wizard click Next, Browse and go to the folder where you output your PFX file, select the file, click Open, Next and then finish the wizard.

Now, when you browse to your intranet web application you should not get the "Your Connection is Not Private" error, but rather it will now reflect it as an SSL site.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Akzium team blog

    Archives

    May 2025
    April 2025
    March 2025
    January 2025
    December 2024
    November 2024
    October 2024
    July 2024
    November 2022
    September 2022
    August 2022
    July 2022

    Categories

    All
    Alias Gmail
    Apache Log4J
    AWS EC2 IIS File Share
    BypassNRO
    Chrome Browser GPU
    Default Gateway
    DHCP
    DHCP Backup
    DHCP Restore
    DiskPart
    Endpoint Security
    File Server Migrations
    File Server Registry Key
    File Server Resource Manager
    File Shares Registry Key
    Ghost Network Adapters
    Gmail Alias
    Gmail Email Alias
    IBM 5250 Terminal
    IBM BOMC
    IBM Firmware Updater
    IBM FlashSystem Firmware Update
    IIS
    Internet Information Services
    Lenovo BOMC
    Lenovo Firmware Updater
    NTP
    RaspberryPi 4b
    RaspberryPi 4b 5250
    Recovery Partition Relocate
    Security Registry Edits
    Self Signed SSL
    Set Chrome To Use GPU
    Time Server Change
    Uptime Kuma
    Uptime Kuma Ubuntu Install
    Virus Scanner
    VMware
    Windows 11
    Windows 11 Developer Console
    Windows File Server
    Windows IIS File Sharing
    Windows Quick Assist
    Windows Route Command
    Windows Sandbox
    Windows Script Host
    Windows Server 2022 Recovery Partition
    Windows Shared Experiences
    Windows Time

    RSS Feed

Akzium, LLC | 601-841-2499     .     [email protected]
Copyright 2011-2025, Akzium, LLC.  All rights reserved.