Unfortunately, there is no official OpenSSL client for Windows. However, you can download it from WinOpenSSL.html
Then you can use the OpenSSL utility to generate a Private Key, Certificate Signing Request (CSR) and Self-Signed Certificate.
Run openssl.exe in Command Prompt or PowerShell. If you installed the 64-bit version, the executable is located in the folder C:\Program Files\OpenSSL-Win64\bin\.
Enter the following command to create your RSA Private Key:
genrsa -des3 -out localhost.key 2048
After pressing Enter, you will be asked to enter a pass phrase for localhost.key. The pass phrase must be 4 to 1023 characters long.
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for localhost.key:
For the self-signed SSL certificate to work, you need to provide the Subject Alternative Name (SAN) in the CSR. The easiest way to provide the subjectAltName is to use a config template when generating the CSR.
Example Configuration File (san.cnf)
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
x509_extensions = x509_ext

[ dn ]
C = SG
ST = Singapore
L = Seletar
O = Rolls-Royce
OU = APAC
emailAddress = hiroshifuu@outlook.com
CN = localhost

[ req_ext ]
subjectAltName = @alternate_names

[ x509_ext ]
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
The command to generate the CSR is as follows:
req -new -key localhost.key -sha256 -out localhost.csr -config san.cnf
To view the output of the generated CSR enter the following command at the prompt:
OpenSSL> req -in localhost.csr -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         [...]
Then use the OpenSSL tool to generate a temporary certificate. If you provide the SAN correctly, the client browser will no longer report an error to the effect that the signing certificate authority is unknown and not trusted.
To generate a certificate which is good for 365 days, enter the following command:
x509 -req -days 365 -in localhost.csr -signkey localhost.key -sha256 -out localhost.crt -extfile san.cnf -extensions x509_ext
To view the output of the generated SSL Certificate enter the following command at the prompt:
OpenSSL> x509 -in localhost.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:ad:82:a1:20:c3:17:a6:7d:b2:76:ed:90:ab:4d:52:2a:47:14:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Validity
            Not Before: Jun 13 02:58:15 2019 GMT
            Not After : Jun 12 02:58:15 2020 GMT
        Subject: C = SG, ST = Singapore, L = Seletar, O = Rolls-Royce, OU = APAC, emailAddress = hiroshifuu@outlook.com, CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         [...]
Hold down the Windows key and press R on your keyboard. The Run dialog box will open. Type in mmc, then press ENTER.
The Certificate Manager will open; then import localhost.crt into Trusted Root Certification Authorities.
From now on, your browser will not complain anymore. (You may need to import the cert in Chrome as well.)
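A lint for the [ alternate_names ] section of the san.cnf above, as an added example that is not part of the original post: the template lists 127.0.0.1 under DNS.2, but clients match an IP literal in the URL against iPAddress SAN entries (written IP.n in an OpenSSL config), so https://127.0.0.1 would still fail the name check. The function names are hypothetical and the sample text is constructed from the page's config.

```python
import ipaddress
import re

# Constructed sample: the SAN sections of the san.cnf shown on this page.
SAN_CNF = """\
[ req_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
"""

def parse_section(cnf_text, section):
    """Return (key, value) pairs from one [ section ] of an OpenSSL config."""
    entries, current = [], None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append((key, value))
    return entries

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_alt_names(cnf_text, section="alternate_names"):
    """Flag SAN entries whose type prefix (DNS/IP) does not match the value."""
    findings = []
    for key, value in parse_section(cnf_text, section):
        kind = key.split(".", 1)[0].upper()
        if kind == "DNS" and is_ip(value):
            findings.append(f"{key} = {value}: IP literal in a DNS entry; use IP.n")
        elif kind == "IP" and not is_ip(value):
            findings.append(f"{key} = {value}: not a valid IP address")
    return findings

def fixed_alt_names(cnf_text, section="alternate_names"):
    """Re-emit the section with every IP literal as an IP.n entry."""
    values = [v for _, v in parse_section(cnf_text, section)]
    dns = [v for v in values if not is_ip(v)]
    ips = [v for v in values if is_ip(v)]
    return ([f"DNS.{i} = {v}" for i, v in enumerate(dns, 1)]
            + [f"IP.{i} = {v}" for i, v in enumerate(ips, 1)])
```

After replacing the flagged entry in san.cnf with the lines from fixed_alt_names, regenerate the CSR and the certificate so the new SAN is the one that gets signed.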