SSL certs for server VMs

1. SSL certs for server VMs Dave Funk EITC, October 2011 EITC 2011, @Penn State

2. VMs are great, but… Easy to create, too easy to recreate EITC 2011, @Penn State

3. VMs are great but … • Easy to create, too easy to recreate • When recreating a VM need to remember to save previous configs, including SSL keys/csrs • Wouldn’t it be nice to be able to manage SSL keys/certs/csrs outside VMs EITC 2011, @Penn State

4. Trick to package up OpenSSL Apachie style cert for importation into Microsoft server. • Can package cert, key, and intermediate certs. EITC 2011, @Penn State

5. 1) create CSR & key as normal, get it signed. • 2) take signed .pem cert, put in file • 3) post-pend encrypted key after cert, • 4) post-pend intermediate CA-cert .pem after key. • 5) convert to pkcs12 ".p12" file: EITC 2011, @Penn State

6. openssl pkcs12 -export -in cert+key+intermediate.pem -passin pass:key-password -passout pass:package-password -out certificate-file.p12 -name friendly-name • where: • cert+key+intermediate.pem == file created by steps 1-4 above • key-password == password for encrypted key • package-password == password to encrypt whole .p12, then used as 'Import password' for IIS • friendly-name == "friendly" name to be displayed by IIS cert manager window for this cert • order of contents in .pem file important, host-cert first, then matching key, finally any necessary intermediate certs. EITC 2011, @Penn State