OpenSSL is a full-featured open source toolkit for the SSL/TLS protocol. OpenSSL is written in the C programming language and relies on different ciphers and algorithms to provide encryption. OpenSSL is dual licensed under an Apache license and a Berkeley Software Distribution license. We can use the OpenSSL tool for many purposes. A few of them are:
It has a command line application for creating and handling certificates and related files.
It has a comprehensive and extensive cryptographic library, libcrypto.
It also has the libssl library, which provides SSL and TLS protocol support within client or server applications.
We mainly use the OpenSSL toolkit for generating and managing SSL certificates. With SSL/TLS certificates generated by OpenSSL we can secure communications over computer networks. OpenSSL 3.0 is the latest major version of OpenSSL, and in this blog article we install this newer version on Windows Server 2019.
The original OpenSSL package is provided as source code by its official developers. It first needs to be downloaded and then compiled and installed on the operating system we use. For Windows, however, we rely on third-party OpenSSL-related binary distributions. They forked the original OpenSSL source code and provide it as an MSI installer, which is easy to use. So we use the MSI package installer of one of these OpenSSL-derived products on our Windows Server 2019. So let's get started.
Section 1. Install and Setup OpenSSL toolkit
In this section we download and install the OpenSSL package on our Windows Server 2019. We are downloading the 64-bit version because our Windows Server 2019 is 64-bit.
For that, first open Windows PowerShell and download the OpenSSL package using the curl command below.
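Because the installer comes from a third-party binary distribution, check it before running it. The following PowerShell is an added example, not part of the original article; the installer path and the expected SHA-256 value are placeholders to be filled in from the distributor's download page.

```powershell
# Added example: verify a downloaded installer before executing it.
# Both values below are placeholders, not values from the article.
$Installer      = "$env:USERPROFILE\Downloads\<openssl-installer>.exe"
$ExpectedSha256 = '<SHA256-PUBLISHED-BY-THE-DISTRIBUTOR>'

function Test-Installer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Hash check: detects a corrupted or substituted download.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode check: reports whether the file is signed, whether the
    # signature validates on this machine, and who signed it.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File      = $Path
        Sha256    = $actual
        HashMatch = ($actual -eq $Sha256.Trim())   # string -eq ignores case
        SigStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$result = Test-Installer -Path $Installer -Sha256 $ExpectedSha256
$result | Format-List

if (-not $result.HashMatch) {
    Write-Warning 'SHA-256 does not match the published value. Do not run this file.'
}
if ($result.SigStatus -ne 'Valid') {
    # An unsigned installer reports NotSigned; decide per policy whether to accept it.
    Write-Warning "Authenticode status is $($result.SigStatus). Review the signer before installing."
}
```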
Now run the installer by double-clicking the .exe file, or issue the command below from PowerShell.
OpenSSL requires Microsoft Visual C++ to be installed on your system. If our server doesn’t have Microsoft Visual C++ installed, a popup window will appear with a message that the Microsoft Visual C++ 2019 package is missing from the server. We need to install this package before proceeding with the OpenSSL package install, so click Yes to download the package.
Double-click the downloaded Microsoft Visual C++ 2019 Redistributables msi installer. Another popup window will appear. Confirm the Licence Agreement and click Install.
We will get a success message after installation. Click Close.
Now go back to the OpenSSL install wizard, accept the Licence Agreement and click Next.
Choose the install directory and click Next. In our case, we are choosing the install directory C:\OpenSSL-Win64
Select the folder for the OpenSSL application shortcut. Leave the default one as it is and click Next.
For the option to copy the OpenSSL DLL files, choose "The Windows system directory", which is the default one, and click Next.
Click “Install” to proceed with the install of OpenSSL on Windows Server 2019.
Allow a few minutes for the install to complete. A progress bar like the one below will show the status of the install.
Click Finish to complete the OpenSSL install.
OK, this completes the OpenSSL toolkit installation. Now let's proceed with the next section.
Section 2. Setup Environment Variables
In this section we add the binary folder of our OpenSSL install to the Windows environment PATH. This is needed so that when we run OpenSSL commands from the Windows cmd, Windows knows the locations of the OpenSSL binary and config.
So add the OpenSSL binary folder C:\OpenSSL-Win64\bin to the Windows environment PATH by issuing the two PowerShell commands below.
Now export OPENSSL_CONF as an environment variable to the server's system variables section. Use the PowerShell command below.
The command output will look like below.
Now we need to add the system variable OPENSSL_CONF permanently.
For that, press the Windows + R keys together to open the Run window, then type “sysdm.cpl” in the Run dialog box and hit Enter.
Go to the “Advanced” tab and click on “Environment variables”. Click New under the System Variables section.
Enter OPENSSL_CONF in the “variable name” box and C:\OpenSSL-Win64\bin\openssl.cfg in the “variable value” box. Click OK two times, then Apply and OK in the System Properties window.
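The same settings can be made persistent from an elevated PowerShell session, together with a check that the folder now on the machine PATH is not writable by non-administrators (folders created directly under C:\ inherit the drive root's ACL, which can include such access). This is an added example, not the article's original commands; the function name Get-NonAdminWriteAce is hypothetical and the paths are the ones used in this article.

```powershell
# Added example (not from the original article). Run in an elevated session.
$BinDir   = 'C:\OpenSSL-Win64\bin'          # install directory chosen in Section 1
$ConfFile = Join-Path $BinDir 'openssl.cfg'

# Persist at machine scope; append to PATH only if the folder is not already listed.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$listed = $machinePath -split ';' | ForEach-Object { $_.Trim().TrimEnd('\') }
if ($listed -notcontains $BinDir) {
    $newPath = $machinePath.TrimEnd(';') + ';' + $BinDir
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'Machine')
}
[Environment]::SetEnvironmentVariable('OPENSSL_CONF', $ConfFile, 'Machine')

# Make the current session match without reopening PowerShell.
if (($env:Path -split ';') -notcontains $BinDir) { $env:Path += ";$BinDir" }
$env:OPENSSL_CONF = $ConfFile

# Hypothetical helper: list Allow entries that give write-type access on a folder
# to anyone other than the well-known administrative principals.
function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $trusted = 'S-1-5-18',       # SYSTEM
               'S-1-5-32-544',   # BUILTIN\Administrators
               'S-1-3-0',        # CREATOR OWNER (placeholder entry)
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    # Specific write bits, plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $mask   = [int]$rights -bor 0x50000000
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

$risky = @(Get-NonAdminWriteAce -Path $BinDir)
if ($risky.Count -gt 0) {
    Write-Warning "$BinDir is on the machine PATH and writable by non-administrators:"
    $risky | Format-Table -AutoSize
}
& (Join-Path $BinDir 'openssl.exe') version   # confirms the binary runs from this folder
```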
Okay, this completes the setup of the OpenSSL environment variables on our Windows environment path. Now let's move to the next section.
Section 3. Configure OpenSSL Config.
In this section, we configure the OpenSSL installed on the server to build SSL/TLS certificates as per the RFC3280 standard, which mainly means specifying key usage and extended key usage values for the SSL/TLS certificates we generate using OpenSSL. For that:
First go to the folder C:\OpenSSL-Win64\bin and create a folder named “demoCA”. This is the folder where we keep generated certificates and other related files.
Now under the “demoCA” folder create another folder named “certs”. This is the folder where the issued certs are kept.
Now under the “demoCA” folder itself, create another folder named “newcerts”. This is the default folder for new certs.
Under the “demoCA” folder create a file named “serial”. Make sure there is no file extension like .txt. Enter the value “01” in the file. It holds the serial number of the SSL/TLS certificate we generate on this server.
Lastly, under the “demoCA” folder create an empty file named “index.txt”. This file holds information related to the certificates we create on this server.
Refer to the screenshot below to get an idea of the file structure.
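The folder and file steps above can be scripted. This added example (not from the original article) writes “serial” as plain ASCII on purpose: in Windows PowerShell 5.1, `>` and Out-File produce UTF-16 by default, which OpenSSL cannot parse as a hex number. Test-CaLayout is a hypothetical helper name.

```powershell
# Added example (not from the original article); paths follow the article's layout.
$CaDir = 'C:\OpenSSL-Win64\bin\demoCA'

foreach ($dir in $CaDir, (Join-Path $CaDir 'certs'), (Join-Path $CaDir 'newcerts')) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null   # no error if it exists
}

$serial = Join-Path $CaDir 'serial'
$index  = Join-Path $CaDir 'index.txt'

# Never overwrite these on an existing CA: resetting them would reuse serial numbers.
if (-not (Test-Path -LiteralPath $serial)) {
    [System.IO.File]::WriteAllText($serial, "01`n", [System.Text.Encoding]::ASCII)
}
if (-not (Test-Path -LiteralPath $index)) {
    New-Item -ItemType File -Path $index | Out-Null             # zero-byte file
}

# Hypothetical helper: report layout problems that make "openssl ca" fail later.
function Test-CaLayout {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    foreach ($sub in 'certs', 'newcerts') {
        if (-not (Test-Path -LiteralPath (Join-Path $Path $sub) -PathType Container)) {
            $problems += "missing folder: $sub"
        }
    }
    $serialFile = Join-Path $Path 'serial'
    if (Test-Path -LiteralPath "$serialFile.txt") { $problems += 'serial was saved as serial.txt' }
    if (Test-Path -LiteralPath $serialFile -PathType Leaf) {
        # Decode as ASCII: a BOM or UTF-16 content will not match the hex pattern.
        $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($serialFile))
        if ($text -notmatch '^([0-9A-Fa-f]{2})+\r?\n?$') {
            $problems += 'serial is not plain ASCII hex (check for a BOM or UTF-16 encoding)'
        }
    } else { $problems += 'missing file: serial' }
    $indexFile = Join-Path $Path 'index.txt'
    if (-not (Test-Path -LiteralPath $indexFile -PathType Leaf)) {
        $problems += 'missing file: index.txt'
    } elseif ((Get-Item -LiteralPath $indexFile).Length -gt 0 -and
              [System.IO.File]::ReadAllBytes($indexFile)[0] -ge 0xEF) {
        $problems += 'index.txt starts with a byte-order mark'
    }
    [pscustomobject]@{ Path = $Path; Ok = ($problems.Count -eq 0); Problems = $problems }
}

Test-CaLayout -Path $CaDir | Format-List
```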
Now open the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg using any text editor.
Under the [ CA_default ] section, set the “dir” variable to C:\\OpenSSL-Win64\\bin\\demoCA
Now, as part of creating a cert with the extended key attributes, first verify under which section we need to define the extended key attributes. For that, look under the [ req ] section in the file C:\OpenSSL-Win64\bin\openssl.cfg
Normally it should look like below. If it does not, arrange it as shown below.
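[ req ]
default_bits = 2048
default_md = sha256 # SHA-1 signatures are rejected by current TLS clients
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
# x509_extensions = v3_ca # stock value, overridden by usr_cert below
req_extensions = v3_req # The extensions to add to a certificate request
x509_extensions = usr_cert # The extensions to add to the self-signed cert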
From the above section we understand that all the required x509 extensions should be specified in the [ usr_cert ] section of C:\OpenSSL-Win64\bin\openssl.cfg
So find the [ usr_cert ] section and make sure the values below are defined.
After adding the extensions to usr_cert, find the [ v3_req ] section and insert the same extensions there, as this section holds the extensions that the certificate request should have.
Finally, save the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg. Refer to the screenshots below to get an idea of how the config file will look.
This completes the OpenSSL configuration, and now our server is ready to create SSL certificates or CA certificates.
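Once a certificate has been issued with this configuration, it is worth confirming that the key usage and extended key usage extensions actually ended up in it, and that it was not signed with SHA-1. The PowerShell below is an added example, not from the original article; Get-CertUsage is a hypothetical helper, and the certificate path is an assumption based on the demoCA layout and starting serial 01.

```powershell
# Added example (not from the original article).
# $CertPath is an assumption: with serial 01, "openssl ca" stores the first issued
# certificate as newcerts\01.pem. Point it at any PEM certificate you issued.
$CertPath = 'C:\OpenSSL-Win64\bin\demoCA\newcerts\01.pem'

function Get-CertUsage {
    param([Parameter(Mandatory)][string]$Path)
    # Files written by "openssl ca" can carry a text dump before the PEM block,
    # so extract the base64 body instead of handing the whole file to .NET.
    $pem = Get-Content -LiteralPath $Path -Raw
    if ($pem -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
        throw "No PEM certificate found in $Path"
    }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $cert = New-Object $type -ArgumentList (, $der)

    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # keyUsage
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage

    $ekuNames = if ($eku) {
        ($eku.EnhancedKeyUsages | ForEach-Object {
            if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
        }) -join ', '
    } else { '(absent)' }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Serial             = $cert.SerialNumber
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        WeakSignature      = ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5')
        KeyUsage           = if ($ku) { $ku.KeyUsages.ToString() } else { '(absent)' }
        KeyUsageCritical   = if ($ku) { $ku.Critical } else { $false }
        ExtendedKeyUsage   = $ekuNames
    }
}

$usage = Get-CertUsage -Path $CertPath
$usage | Format-List

if ($usage.KeyUsage -eq '(absent)' -or $usage.ExtendedKeyUsage -eq '(absent)') {
    Write-Warning 'Key usage or extended key usage is missing: check [ usr_cert ] and [ v3_req ] in openssl.cfg.'
}
if ($usage.WeakSignature) {
    Write-Warning 'Certificate is signed with a weak digest: check default_md in openssl.cfg.'
}
```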
We have successfully completed the install of OpenSSL on Windows Server 2019. We also configured our OpenSSL toolkit as per the RFC3280 standard. I hope this article is informative. Leave your thoughts in the comment box.
By admin | 2021-12-16T06:53:36+00:00 | October 23rd, 2021 | Windows