OpenSSL is a full-featured open source toolkit for the SSL/TLS protocol. It is written in the C programming language and relies on different ciphers and algorithms to provide encryption. OpenSSL is dual licensed under an Apache license and a Berkeley Software Distribution license. We can use the OpenSSL tool for many purposes; a few of them are listed below.

OpenSSL provides:

A command line application for creating and handling certificates and related files.
A comprehensive and extensive cryptographic library, libcrypto.
A libssl library that provides SSL and TLS protocol support within client or server applications.

We mainly use the OpenSSL toolkit for generating and managing SSL certificates. Using SSL/TLS certificates generated with OpenSSL, we can secure communications over computer networks. OpenSSL 3.0 is the latest major version of OpenSSL, and in this blog article we install this newer version on Windows Server 2019.

The original OpenSSL package is provided as source code by its official developers. It first needs to be downloaded and then compiled and installed on the operating system we use. For Windows, however, we rely on third-party OpenSSL-related binary distributions. They forked the original OpenSSL source code and provide it to us as an MSI installer, which is easy to use. So we use the MSI package installer of one of these OpenSSL-derived products on our Windows Server 2019. So let's get started.

Section 1. Install and Setup OpenSSL toolkit

In this section we download and install the OpenSSL package on our Windows Server 2019. We are downloading the 64-bit version because our Windows Server 2019 is a 64-bit system.

To do that, first open Windows PowerShell and download the OpenSSL package using the curl command below.

Now run the installer by double-clicking the .exe file, or issue the command below from PowerShell.

OpenSSL requires Microsoft Visual C++ to be installed on your system. If the server doesn't have Microsoft Visual C++ installed, a popup window will appear with a message that the Microsoft Visual C++ 2019 package is missing from the server. We need to install this package before proceeding with the OpenSSL package install, so click Yes to download the package.

Double-click the downloaded Microsoft Visual C++ 2019 Redistributables MSI installer. Another popup window will appear. Confirm the Licence Agreement and click Install.

We will get a success message after installation. Click Close.

Now go back to the OpenSSL install wizard, accept the Licence Agreement and click Next.

Choose the install directory and click Next. In our case, we are choosing the install directory C:\OpenSSL-Win64

Select the folder for the OpenSSL application shortcut. Leave the default one as it is and click Next.

For the option to copy the OpenSSL DLL files, choose "The Windows system directory", which is the default, and click Next.

Click "Install" to proceed with the install of OpenSSL on Windows Server 2019.

Allow a few minutes for the install to complete. A progress bar like the one below shows the status of the install.

Click Finish to complete the OpenSSL install.

OK, this completes the OpenSSL toolkit installation. Now let's proceed with the next section.

Section 2. Setup Environment Variables

In this section we add the binary folder of our OpenSSL install to the Windows environment PATH. This is needed so that when we run OpenSSL commands from the Windows cmd, Windows knows the binary and config locations of OpenSSL.

So add the OpenSSL binary folder C:\OpenSSL-Win64\bin to the Windows environment PATH by issuing the two PowerShell commands below.

Now export OPENSSL_CONF as an environment variable to the server's system variables section. Use the PowerShell command below.

The command output will look like below.

Now we need to add the system variable OPENSSL_CONF permanently.

To do that, press the Windows + R keys together to open the Run window, then type "sysdm.cpl" in the Run dialog box and hit Enter.

Go to the "Advanced" tab and click on "Environment Variables". Click New under the System Variables section.

Enter OPENSSL_CONF in the "Variable name" box and C:\OpenSSL-Win64\bin\openssl.cfg in the "Variable value" box. Click OK two times, then Apply and OK in the System Properties window.
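The steps of this section as one script, including a check of which openssl.exe Windows actually resolves. This is an added example, not the article's original commands; it assumes an elevated PowerShell session and the install directory chosen in Section 1.

```powershell
# Added example, not the article's original commands. Run from an elevated
# PowerShell session; paths follow the install directory chosen in Section 1.
$bin  = 'C:\OpenSSL-Win64\bin'
$conf = Join-Path $bin 'openssl.cfg'
$exe  = Join-Path $bin 'openssl.exe'

if (-not (Test-Path $exe)) {
    throw "openssl.exe not found in $bin"
}

# Current session only.
if (($env:Path -split ';') -notcontains $bin) {
    $env:Path = "$env:Path;$bin"
}
$env:OPENSSL_CONF = $conf

# Machine scope, so new sessions and services inherit both values.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $bin) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$bin", 'Machine')
}
[Environment]::SetEnvironmentVariable('OPENSSL_CONF', $conf, 'Machine')

# The new entry is appended, so an openssl.exe in an earlier PATH directory
# still wins. List every copy on PATH, then check the one that would run.
Get-Command openssl.exe -All -CommandType Application | Select-Object Source, Version
$first = Get-Command openssl.exe -CommandType Application | Select-Object -First 1
if ($first.Source -ne $exe) {
    Write-Warning "openssl resolves to $($first.Source), not $exe"
}

# Print the version and build details of the binary that runs.
openssl version -a
```

If the warning fires, another OpenSSL build sits earlier on PATH and will be the one that generates your keys and certificates until the order is changed.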

Okay, this completes the setup of the OpenSSL environment variables in our Windows environment. Now let's move to the next section.

Section 3. Configure OpenSSL Config.

In this section we configure the OpenSSL installation on the server to build SSL/TLS certificates as per the RFC3280 standards, which mainly specify the key usage and extended key usage values for the SSL/TLS certificates we generate using OpenSSL. To do that:

  1. First go to the folder C:\OpenSSL-Win64\bin and create a folder named "demoCA". This is the folder where we keep generated certificates and other related files.
  2. Now under the "demoCA" folder create another folder named "certs". This is the folder where the issued certs are kept.
  3. Now under the "demoCA" folder itself, create another folder named "newcerts". This is the default folder for new certs.
  4. Under the "demoCA" folder create a file named "serial". Make sure there is no file extension like .txt. Enter the value "01" in the file. It holds the serial number of the SSL/TLS certificate we generate on this server.
  5. Lastly, under the "demoCA" folder create an empty file named "index.txt". This file holds information related to the certificates we create on this server.
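Steps 1 to 5 can also be scripted. The following is an added example, not part of the original article; it assumes the install directory from Section 1, and the final access-control step is an addition that the article does not describe.

```powershell
# Added example, not from the original article. Builds the demoCA layout
# from steps 1-5; $caDir follows the install directory chosen in Section 1.
$caDir = 'C:\OpenSSL-Win64\bin\demoCA'

# Steps 1-3: demoCA plus the certs and newcerts folders beneath it.
foreach ($dir in $caDir, "$caDir\certs", "$caDir\newcerts") {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Step 4: serial (no extension) containing 01. Write it as ASCII: the ">"
# redirect in Windows PowerShell 5.1 emits UTF-16 with a BOM, and openssl
# cannot read that as a hex serial number.
$serial = Join-Path $caDir 'serial'
if (-not (Test-Path $serial)) {
    Set-Content -Path $serial -Value '01' -Encoding ASCII
}

# Step 5: index.txt must start out empty (zero bytes).
$index = Join-Path $caDir 'index.txt'
if (-not (Test-Path $index)) {
    New-Item -ItemType File -Path $index | Out-Null
}

# Check the result: an empty serial or one that starts with BOM bytes is unusable.
$bytes = [System.IO.File]::ReadAllBytes($serial)
if ($bytes.Length -lt 2 -or $bytes[0] -in 0xFF, 0xFE, 0xEF) {
    Write-Warning "serial is empty or BOM-prefixed; recreate it as plain ASCII"
}
Get-ChildItem $caDir | Select-Object Name, Length

# Assumption beyond the article: this tree holds the CA's signing records,
# so limit it to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
icacls $caDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F'
```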

Refer to the screenshot below to get an idea of the file structure.

Now open the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg using any text editor.

Under the [ CA_default ] section, set the "dir" variable to C:\\OpenSSL-Win64\\bin\\demoCA

Now, as part of creating a cert with the extended key attributes, first verify under which section we need to define the extended key attributes. To do that, look under the [ req ] section in the file C:\OpenSSL-Win64\bin\openssl.cfg

Normally it should look like below. If it does not, arrange it as shown below.

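[ req ]

default_bits = 2048
default_md = sha1 # SHA-1 is deprecated for certificate signatures
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req
# x509_extensions is set a second time here; OpenSSL keeps the last value
# given in a section, so usr_cert is the one that applies
x509_extensions = usr_cert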

From the section above we can see that all the required x509 extensions should be specified in the [ usr_cert ] section of C:\OpenSSL-Win64\bin\openssl.cfg

So find the [ usr_cert ] section and make sure the values below are defined.

[ usr_cert ]

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

After adding the extensions to usr_cert, find the [ v3_req ] section and insert the same extensions there, as this section holds the extensions that a certificate request should have.

Below are the extensions we normally need.

extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Now also make sure the extension values below are added under the [ v3_ca ] section too. Our CA certificate extensions are taken from this section. Below is the value that needs to be added or enabled.

basicConstraints = critical,CA:true

Finally, save the OpenSSL config file C:\OpenSSL-Win64\bin\openssl.cfg. Refer to the screenshots below to get an idea of how the config file will look.

This completes the OpenSSL configuration, and our server is now ready to create SSL certificates or CA certificates.
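Before issuing certificates from this configuration, it is worth reviewing what it will actually produce. The following is an added example, not part of the original article: a small audit function (the name Test-OpenSslConfig and the rule that section names ending in _ca are CA sections are assumptions of this example) run over a sample constructed from the values shown in this section.

```powershell
# Added example, not from the original article. $sample is constructed from
# the [ req ] and [ usr_cert ] values shown in this section.
$sample = @'
[ req ]
default_bits = 2048
default_md = sha1
x509_extensions = v3_ca # The extensions to add to the self signed cert
req_extensions = v3_req
x509_extensions = usr_cert

[ usr_cert ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
'@

function Test-OpenSslConfig {
    param([string[]]$Lines)
    $section = ''; $seen = @{}; $findings = @()
    foreach ($raw in $Lines) {
        $line = ($raw -replace '#.*$', '').Trim()      # strip comments
        if ($line -match '^\[\s*(.+?)\s*\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $key = $Matches[1].Trim(); $value = $Matches[2].Trim()
            $id  = "$section/$key"
            # OpenSSL keeps only the last value of a repeated name in a section.
            if ($seen.ContainsKey($id)) {
                $findings += "[$section] $key set twice: '$value' replaces '$($seen[$id])'"
            }
            $seen[$id] = $value
            if ($key -eq 'default_md' -and $value -match '^(md5|sha1)$') {
                $findings += "[$section] default_md = $value is a weak signature digest"
            }
            # Heuristic (assumption): sections named *_ca are meant for CA certs.
            if ($key -eq 'basicConstraints' -and $section -notmatch '_ca$' -and
                $value -match 'CA\s*:\s*true') {
                $findings += "[$section] CA:true here lets issued certs sign other certs"
            }
        }
    }
    $findings
}

Test-OpenSslConfig -Lines ($sample -split "`r?`n")
# To audit the installed file instead (path from this article):
# Test-OpenSslConfig -Lines (Get-Content 'C:\OpenSSL-Win64\bin\openssl.cfg')
```

On the sample it reports the repeated x509_extensions entry, the SHA-1 default digest, and CA:true in [ usr_cert ], which marks every certificate issued with those extensions as a CA certificate limited only by pathlen:0.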


We have successfully completed the install of OpenSSL on Windows Server 2019 and configured our OpenSSL toolkit as per the RFC3280 standards. I hope this article is informative. Leave your thoughts in the comment box.
