Heartbleed security vulnerability - OpenSSL 1.0.1 -> See here
To perform certain cryptographic operations (creation of a private key, generation of a CSR, conversion of a certificate, ...) on a Windows computer, you can use the OpenSSL tool.
OpenSSL v1.X.X (recommended)
- Go to the following site: Link to OpenSSL download site
- Scroll down the page and choose the version (in .EXE):
- Win64 OpenSSL v1.X.X: if your operating system is 64-bit
- Win32 OpenSSL v1.X.X: if your operating system is 32-bit
- For some versions of Windows systems, you may need to install "Visual C++ 2008 Redistributable".
OpenSSL v3.X.X
You can also choose to use OpenSSL v3.X.X; however, you may encounter issues with:
- reading a PFX generated with version 1.1.1 (keybot)
- generating a PFX and then importing it into Windows (the encryption is not recognized by most Windows versions)
- Go to this website: Download link for OpenSSL
- Scroll down the page and choose the version (in .EXE):
- Win64 OpenSSL v3.X.X: if your operating system is 64-bit
- Win32 OpenSSL v3.X.X: if your operating system is 32-bit
Use OpenSSL on a Windows machine
By default, OpenSSL for Windows is installed in the following directory:
- if you have installed Win64 OpenSSL: C:\Program Files\OpenSSL-Win64\
- if you have installed Win32 OpenSSL: C:\Program Files (x86)\OpenSSL-Win32\
To launch OpenSSL, open a command prompt with administrator rights.
b) Generate the private key (.key) and the CSR (Certificate Signing Request)
As part of obtaining (or renewing or reissuing) a certificate, you will have to generate a private key and the associated CSR. To do this, we advise you to use our online wizard, which builds the OpenSSL command with the appropriate parameters.
Open a command prompt with Administrator rights (right click - Run as ...). Go to the "bin" subdirectory of the OpenSSL installation folder.
Example of the command to execute:
openssl req -new -newkey rsa:2048 -nodes -out www.mywebsite.com.csr -keyout www.mywebsite.com.key -subj "/C=FR/ST=Calvados/L=CAEN/O=Mon organisation/CN=www.mywebsite.com"
Keep the file containing the private key (.key) in a safe place, and copy / paste only the contents of the .csr file into the order form.
Issues encountered on Windows while generating a CSR via one command
Depending on the version of OpenSSL you installed or on the installation method used on Windows, you may encounter error messages such as:
- config or req is not recognized as an internal or external command
Check the syntax and the quotes when executing your command.
- Unable to load config info from /usr/local/ssl/openssl.cnf
OpenSSL is looking for its configuration file in the default Linux directory layout, which does not exist on Windows.
Troubleshooting: run the following simplified commands:
Reminder:
- To launch the command prompt, go to the start menu and execute "cmd".
- To paste the following command lines into the command prompt, right-click and select Paste.
- To go to the directory in which OpenSSL is installed, execute:
cd c:\
cd "Program Files" (or cd "Program Files (x86)")
cd OpenSSL-Win64 (or cd OpenSSL-Win32)
cd bin
- The private key is generated with the following command. Define a file name that suits you:
openssl genrsa 2048 > website-file.key
- then use this command to generate the CSR:
openssl req -new -key website-file.key > website-file.csr
or this one:
openssl req -new -key website-file.key -config "C:\Program Files\OpenSSL-Win64\openssl.cnf" -out website-file.csr
On some platforms, the openssl.cnf that OpenSSL reads by default to create the CSR is wrong or missing. In this case you can download one of our configuration files below and place it, for example, in C:\Program Files\OpenSSL-Win64\openssl.cnf:
- For DigiCert or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
- For TBS X509 or Sectigo server certificates: openssl-dem-server-cert.cnf
- You will be prompted to fill in the following fields; fill them in according to the instructions (more information in "Obtain a server certificate"):
Country Name (2 letter code) []: (FR for example)
State or Province Name (full name) [Some-State]: (the name of your state in full letters)
Locality Name (eg, city) []: (the name of your city)
Organization Name (eg, company) []: (the name of your organization)
Organizational Unit Name (eg, section) []: (leave blank - advised - or provide a generic term such as "IT department")
Common Name (eg, YOUR name) []: (the name of the site to be secured)
Email Address []: (leave blank)
Leave the other fields blank; they are optional.
You now have two files: site-file.key and site-file.csr. Keep the private key file (site-file.key) securely, then copy / paste the content of the site-file.csr file into the order form at TBS CERTIFICATES.
Warning: never send the private key (site-file.key) to us or to any third party; otherwise the security of your site can no longer be guaranteed.
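The steps above gathered into one script, as an added example that is not part of the original article or of TBS's wizard: it pins the config path (so the "Unable to load config info" error cannot occur) and checks that the CSR really belongs to the key before you paste it into the order form. It assumes Win64 OpenSSL in its default folder and a config file at the path suggested above; the site name and subject are placeholders.

```batch
@echo off
setlocal
REM Added example, not part of the original article.
REM Assumptions: Win64 OpenSSL in the default folder, openssl.cnf placed
REM where the article suggests; SITE and SUBJ are placeholders to replace.
set "OPENSSL_DIR=C:\Program Files\OpenSSL-Win64"
set "OPENSSL_CONF=%OPENSSL_DIR%\openssl.cnf"
set "SITE=www.mywebsite.com"
set "SUBJ=/C=FR/ST=Calvados/L=CAEN/O=Mon organisation/CN=%SITE%"

REM OPENSSL_CONF tells openssl which config to read, whatever its build default.
if not exist "%OPENSSL_CONF%" (
    echo ERROR: openssl.cnf not found at the path set in OPENSSL_CONF.
    exit /b 1
)
cd /d "%OPENSSL_DIR%\bin" || exit /b 1

REM 1. Unencrypted 2048-bit RSA private key (same as "genrsa 2048" above).
openssl genrsa -out "%SITE%.key" 2048 || exit /b 1

REM 2. CSR signed with that key; -subj replaces the interactive prompts.
openssl req -new -key "%SITE%.key" -subj "%SUBJ%" -out "%SITE%.csr" || exit /b 1

REM 3. A CSR is self-signed: -verify fails if it was truncated or edited.
openssl req -in "%SITE%.csr" -noout -verify || exit /b 1

REM 4. RSA modulus of the key and the modulus embedded in the CSR must match
REM    (RSA only, which is what this procedure generates).
openssl rsa -in "%SITE%.key" -noout -modulus > key.mod
openssl req -in "%SITE%.csr" -noout -modulus > csr.mod
fc key.mod csr.mod >nul
if errorlevel 1 (
    echo ERROR: %SITE%.csr does not match %SITE%.key
    del key.mod csr.mod
    exit /b 1
)
del key.mod csr.mod
echo OK: keep %SITE%.key private and paste only %SITE%.csr into the order form.
endlocal
```

Run it from an administrator command prompt; step 4 is the same modulus comparison used to check that a certificate matches its private key.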
OpenSSL: use cases
OpenSSL is the toolbox mainly used by open-source software for SSL implementation.
- Generate your command line with our CSR creation assistant tool.
- Generate a CSR for Apache
- Generate a CSR for OpenSSL-based servers
- Install a certificate for OpenSSL-based servers
- Create a pkcs12 from a X509 certificate and its PEM private key
- Convert a pkcs12 into individual files for Apache or any other OpenSSL-compatible products
- Openssl: how to make sure the certificate matches the private key?
- Other OpenSSL uses
- Accented domain names (FQDN / SANs)