I'm trying to create a Self-Signed Certificate for an IP Address (not domain) using Windows OS, but without any luck.
Also I would like to bind this certificate to my API which I'm hosting on IIS on our company's server.
Can somebody please advise how to do so?
CodePudding user response:
1) Download OpenSSL tool
- Download “openssl-0.9.8e_X64” from this link.
- Extract zip files into a folder.
- Extra sources: Key hash for Android-Facebook app
2) cmd: Navigate to OpenSSL folder
- open cmd (run as administrator).
- cd to bin/ folder where openssl.exe is located (in extracted folder above).
Note: following steps mostly from this article: Creating a Self-Signed Certificate With OpenSSL.
3) Creating a Private Key
openssl genrsa -des3 -out domain.key 2048
- then enter a password when prompted
4) Creating a Certificate Signing Request
The command in this step is a bit different than in the article:
openssl req -key domain.key -new -out domain.csr -config "path_of_openssl.cnf_file"
Enter your private key password and some CSR information to complete the process.
An important field is “Common Name” which should be the exact Fully Qualified Domain Name (FQDN) of your domain.
“A challenge password” and “An optional company name” can be left empty.
5) Creating a Self-Signed Certificate
- A self-signed certificate is a certificate that's signed with its own private key.
- Let's create a self-signed certificate (domain.crt) with our existing private key and CSR:
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
6) Convert Certificate Formats (PEM to PKCS12)
- PKCS12 files, also known as PFX files, are usually used for importing and exporting certificate chains in Microsoft IIS.
- Take your private key and certificate, and combine them into a PKCS12 file:
openssl pkcs12 -inkey domain.key -in domain.crt -export -out domain.pfx
read more: Difference between .pfx and .cert certificates
7) Bind Certificate with API on IIS
- Use .pfx on your hosting server to bind your self-signed certificate with your site (website or api).
read more: How to Create and Bind a Self Signed Certificate in IIS 10
8) Share Certificate with client
- Share .crt with your clients, and ask them to add it to their list of Trusted Root Certificate Authorities (so that they can establish trusted communication with your domain).
read more: How to Export and Import a Self-Signed Certificate for Disconnected Devices
- To check installed certificates: Press Windows Key + R (together) → certmgr.msc. You will get a new window with the list of Certificates installed on your computer.
- Go to “Trusted Root Certificate Authorities” → right-click “Certificates” → “All Tasks” → “Import” → browse your .crt file.
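
When the certificate has to match an IP address rather than a host name, clients compare the address against an IP entry in the certificate's subjectAltName, so the certificate needs one. The following is an added example, not part of the answer above: it generates such a certificate with OpenSSL from a POSIX shell (for instance Git Bash or WSL) and bundles it to .pfx. The address 192.0.2.10, the file names, the PFX_PASS variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate whose subjectAltName carries an IP address.
# Assumes OpenSSL on PATH and PFX_PASS exported with the password for the .pfx.
# 192.0.2.10 and the ip.* file names are constructed sample values.

# Write a minimal "openssl req" config. The address goes into subjectAltName
# as an IP: entry, which is what clients match when the URL host is an IP.
write_ip_san_config() {
    ip=$1; cfg=$2
    # Rough IPv4 shape check so a host name is not written as an IP: entry.
    case $ip in
        *[!0-9.]*|*..*|.*|*.|'') echo "not an IPv4 address: $ip" >&2; return 1 ;;
    esac
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no

[dn]
CN = $ip

[v3_ext]
subjectAltName = IP:$ip
extendedKeyUsage = serverAuth
EOF
}

# Create key and self-signed certificate in one step, then bundle both to PKCS12.
# -nodes leaves ip.key unencrypted on disk: delete it once ip.pfx is imported.
make_ip_cert() {
    ip=$1; dir=$2
    write_ip_san_config "$ip" "$dir/ip.cnf" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ip.cnf" -keyout "$dir/ip.key" -out "$dir/ip.crt" || return 1
    openssl pkcs12 -export -inkey "$dir/ip.key" -in "$dir/ip.crt" \
        -out "$dir/ip.pfx" -passout env:PFX_PASS
}

# Print the SAN line of a certificate so the IP entry can be confirmed before binding.
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Runs only when an address is passed: sh thisfile.sh 192.0.2.10 [output-dir]
if [ -n "${1:-}" ]; then
    make_ip_cert "$1" "${2:-.}" && cert_sans "${2:-.}/ip.crt"
fi
```

The resulting ip.pfx takes the place of domain.pfx in step 7 and ip.crt the place of the .crt file in step 8.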