DEV Community

Cover image for Creating openssl.conf for Windows
oz9un for OpenLAB

Posted on

Creating openssl.conf for Windows

In this chapter, I will explain how to create openssl.conf file with the way that Windows can process it.


Parts to be changed in the default openssl.conf:

For creating a default openssl.conf, Jamie's amazing article would be a good start point.

There are many differences between original Windows certificates and those created with using OpenSSL on Linux:

 

Difference 1 → Issuer:

Issuer is one of the most important field in the certificates. This must be interpreted correctly in order to make Windows accept our handcrafted certificate.

Difference between certificate created with default openssl.conf and original Windows certificate:

diff

 

Solution for Difference 1:

In this part, we define the section for the req command.

We can edit default_bits, default_md parts. But most importantly, we can change how to form the DN with editing the req_distinguished_name section.

Default [ req ] part would be similar to:

[ req ]

default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
x509_extensions = v3_ca
Enter fullscreen mode Exit fullscreen mode

Corresponding default [ req_distinguished_name ] :

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address
Enter fullscreen mode Exit fullscreen mode

As you can see, there are lots of fields like countryName, stateOrProvinceName, localityName...

This is why we see lots of information in the 'Issuer' field of the certificates created with OpenSSL.

Edited [ req_distinguished_name ] should be similar to:

[ req_distinguished_name ]

1.DC = com
0.DC = company
DC = subdomain
commonName = Common Name
Enter fullscreen mode Exit fullscreen mode

And user should type in that order:
order

As a result, we successfully created a valid issuer:
result1

 

Difference 2 → Missing Fields:

Two fields, "Certificate Template Name" and "CA Version", are not available on the certificate that created with OpenSSL on Linux.

It is hard to know about which fields are precisely checked when tricking Windows to accept your handcrafted OpenSSL certificate, but I think it is a good practice to make your certificate look exactly like the original one.

missingfields

 

Solution for Difference 2:

Firstly, define OID's at the top of our openssl.conf file:

oid_section = OIDs

[ OIDs ]

certificateTemplateName = 1.3.6.1.4.1.311.20.2
caVersion = 1.3.6.1.4.1.311.21.1
Enter fullscreen mode Exit fullscreen mode

We can skip the definition of the OID's and use the OID directly, of course. But defining them first and using them as variables would be a good practice.

Secondly, create a new requirement in [ reg ], let's say v3_req :

[ req ]

default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = default
default_md = sha256
x509_extensions = v3_ca
req_extensions = v3_req
Enter fullscreen mode Exit fullscreen mode

Lastly, define [ v3_req ] :

[ v3_req ]

subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = digitalSignature, cRLSign, keyCertSign
certificateTemplateName = ASN1:PRINTABLESTRING:CA
caVersion = ASN1:INTEGER:0
Enter fullscreen mode Exit fullscreen mode

After that, you should create your certificate with the following parameter:

-extensions v3_req
Enter fullscreen mode Exit fullscreen mode

As a result, we successfully created our certificate fields:
result2

 

Final:

We have successfully created our openssl.conf!
You can view the whole openssl.conf file from: GitHub Gist

final

Discussion (0)