Let's all take a moment to think about all those Web Servers and Services that are secured with an SSL (Secure Socket Layer) certificate.
That little padlock in the address bar that makes sure the traffic is trusted, encrypted and going through an HTTPS connection.
About a year ago, I was given my first real SSL renewals from a Certificate Authority like GoDaddy to look at. Even though I was very new to the implementation, I had a rough idea of the execution.
Up until now I'd only used Let's Encrypt certificates with ACME servers, where most of it was just automated and in Linux, so this was all kind of new.
I learnt that most production SSL certs are bought and renewed every year after Apple stopped accepting 2 year certs a few years ago.
https://www.digicert.com/faq/public-trust-and-certificates/how-long-are-tls-ssl-certificate-validity-periods
Everything was going fine doing these requests while doing Windows IIS Server CSR requests inside of Windows Server but then I came up against a new challenge where there wasn't an IIS server present.
I had been given an introduction and some guidance to getting OpenSSL installed on my work laptop but for some reason whenever I tried to use the same commands as my colleagues it just wouldn't work for me.
I got him to do it for me this time and thought it was so rare I shouldn't have to worry about it. Then it happened again, this time for a wildcard certificate and without I was under a bit of a tighter deadline than I usually was.
The engineer in me decided that I needed to have a solution to this issue and had by this time already removed all traces of that previous installation from my device.
I spun up a Windows Development 11 machine in Hyper-V with 2GB of RAM and started following a newer guide from AdamTheAutomator for the prerequisites, again this time keeping everything installed and configured in the VM.
I finally had a good way of doing these on a machine that was available to me whenever I needed but the CSR process and private key generation were still a bit fiddly especially if I mistyped one of the details.
I decided I needed to design a GUI for this as I now had all of the working lines of code for this.
Introducing PowerCSR GUI Tool
This GUI tool designed and running in Powershell will let you use a machine that has OpenSSL and the environmental variables set correctly to generate CSRs and Private Keys in a much easier way.
I tested this out on my own machine first with some dummy certificates and information to see if they worked and they did.
You will need to have your Powershell Execution Policy set to Unrestricted and let it Run Once for now.
A GUI form built in Powershell to efficiently generate a CSR and Private Key file using OpenSSL for quick and easy cert generation
PowerCSR
Use this tool to quickly do CSR requests for SSL certificates using Powershell on Windows.
Prerequisites
- Make sure you first have OpenSSL installed and your environment variables set so that you can run openssl from a terminal.
- Open the .ps1 file in the directory where you want to generate the files.
- Enter the details and, if you want one, a password; built-in error checking makes sure the two password entries match. Leave the password empty for no password on the private key, which can be useful for embedded devices such as firewalls.
- The CSR and Private Key will be generated, with a success message if everything went well.
- You'll find your files in the directory that you have run…
Make sure you have OpenSSL installed with the correct Environmental Variables (https://adamtheautomator.com/openssl-windows-10/)
Download the PS1 file to a folder of your choice on your Windows machine.
Run with Powershell (Make sure you have your Powershell Execution Policy set to Unrestricted)
- Enter the name of the domain that you need to secure and the other details like Organization and Organizational Unit (No need to fill out every line if not needed)
- This generates the mycsr.csr (CSR text file) and mykey.key (Private key) in the same folder that you ran this in. Make sure that you copy these somewhere else before you generate again.
You can then use this to request and validate the certificate for use on your services e.g. a website from the usual SSL places like GoDaddy.
Optional: As an added bonus you can also add a password to generated files with inbuilt error checking to make sure you can't generate one until these passwords match.
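The steps above, written out as a command-line equivalent. This is an added example, not PowerCSR's own code: the function name New-CsrAndKey, the CSR_KEY_PASS variable, the RSA 2048 key size and the example.com values are assumptions for illustration. It goes slightly beyond the steps by refusing to overwrite existing files and by checking that the CSR matches the key.

```powershell
# Added example, not PowerCSR's code. Names and sample values are constructed.
function New-CsrAndKey {
    param(
        [Parameter(Mandatory)][string]$CommonName,
        [string]$Organization, [string]$OrganizationalUnit, [string]$Country,
        [securestring]$Passphrase,   # omit for an unencrypted private key
        [string]$KeyPath = 'mykey.key', [string]$CsrPath = 'mycsr.csr'
    )
    if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
        throw 'openssl was not found on PATH'
    }
    # A second run would overwrite the only copy of the private key.
    foreach ($p in $KeyPath, $CsrPath) {
        if (Test-Path $p) { throw "$p already exists; move it before generating again" }
    }
    # Build the subject from the fields that were actually filled in.
    $subject = ''
    if ($Country)            { $subject += "/C=$Country" }
    if ($Organization)       { $subject += "/O=$Organization" }
    if ($OrganizationalUnit) { $subject += "/OU=$OrganizationalUnit" }
    $subject += "/CN=$CommonName"

    $reqArgs = @('req', '-new', '-newkey', 'rsa:2048', '-sha256',
                 '-keyout', $KeyPath, '-out', $CsrPath, '-subj', $subject)
    $passIn = @()
    try {
        if ($Passphrase -and $Passphrase.Length -gt 0) {
            # Pass the passphrase in an environment variable so it never
            # appears on the openssl command line.
            $env:CSR_KEY_PASS = [System.Net.NetworkCredential]::new('', $Passphrase).Password
            $reqArgs += '-passout', 'env:CSR_KEY_PASS'
            $passIn = @('-passin', 'env:CSR_KEY_PASS')
        } else {
            $reqArgs += '-nodes'     # leave the private key unencrypted
        }
        & openssl @reqArgs
        if ($LASTEXITCODE -ne 0) { throw "openssl req exited with code $LASTEXITCODE" }

        # Check that the CSR carries the public half of the key just written.
        $csrPub = (& openssl req -in $CsrPath -noout -pubkey) -join "`n"
        $keyPub = (& openssl pkey -in $KeyPath -pubout @passIn) -join "`n"
        if (-not $csrPub -or $csrPub -ne $keyPub) { throw 'CSR public key does not match the private key' }
    } finally {
        Remove-Item Env:\CSR_KEY_PASS -ErrorAction SilentlyContinue
    }
    & openssl req -in $CsrPath -noout -verify -subject   # self-signature and subject check
}

New-CsrAndKey -CommonName 'www.example.com' -Organization 'Example Ltd' -Country 'GB'
```

Pass `-Passphrase (Read-Host -AsSecureString)` to encrypt the key. `Set-ExecutionPolicy -Scope Process` applies a relaxed execution policy to the current PowerShell session only, rather than to the whole machine.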
This has reduced my frustration when it comes to doing these and I can definitely suggest using it to bring down your overall SSL stress level.
This first release is to make sure that the underlying logic works and that it's actually production ready for more features to be added.
I would also like to spin off exporting and combining validated certificate files to create a PFX file to be imported into IIS Servers and other devices that may need a new SSL cert.
This small step into the world of SSL Certificates is definitely one that I've enjoyed.
Check out https://reprodev.com for more guides, tutorials and self hosted tips.
For more code examples and ongoing projects you can tap into my GitHub:
https://github.com/reprodev