Generating certificate requests for OpenSSL with ADCS

Seth Karlinsey

[Prereq] Install WSL on a supported windows 10 pro or enterprise workstation (min  build 1607, preferred 1709 or later) 

  1. Open programs and features in control panel 
  2. Open "turn windows features on or off" 

Control Panel Home View installed updates Turn Windows features on or Install a program fro network Uninstall or change a program To uninstall a program, select it from the lis Organize e for Windows Ü7-Zip 1604 (64) A360 Desktop Accusoft Prizm Viewer 10 PDF MSI 'Adblock Plus for IE (32-bit and 64-bit) C Autodesk Configurator 360 addin Autodesk Design Review

 

  1. Enable windows subsystem for linux.  

Autodes Inc. 10 31 2017 Windows Features Turn Windows features on or off 24.2 MB 22.0.1C4DO O To turn a feature on, select its check box. To turn a feature off, clear its check box. A filled box means that only pat of the feature is turned on. Z] SMS I .O/CIFS File Sharing Support D SMS Direct Telnet Client D TFTP Client Windows Defender Application Guard Windows Identity Foundation 3.5 Z] Windows PowerSheII 2.0 Windows Process Activation Service Sub stem for Linux Windows TI Z] Work Folders Client Cancel 0.0.176 f 378 .0 0.412 .76.o

 

  1. Reboot after install.  
  2. [builds 1607 and 1703]  
  1. Open cmd  
  2. Call [bash] from within cmd and follow the setup instructions that follow. 
  3. After the environment is installed, run [sudo apt update && sudo apt upgrade] to pull all of the current security updates and bugfixes from canonical.  

[builds 1709 and later] 

  1. Open the windows store 
  2. Search for ubuntu 

u buntu

 

  1. Install the ubuntu module for WSL from Canonical Group Limited 

Ubuntu Canonical Group Limited 203 ubuntuO This product is installed. Description Ubuntu on Windows allows one to use Ubuntu Terminal and run Ubuntu command line utilities including bash, ssh, git, apt and many more. TO launch, use "ubuntu" on the command-line prompt (cmd.exe), or click on the Ubuntu tile in the Start Menu. To use this feature, one first needs to use "Turn Windows features on or off' and select "Windows Subsystem for Linux", click OK, reboot, and use this app. The above step can also be performed using Administrator PowerShell prompt... More Available on

 

 

Note on 1709 nov. update.: 

Steps 1-4 can be accomplished using  

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux 

In powershell 

Creating SSL Cert using OpenSSL 

 

  1. Change to a preferred working directory. I prefer to work within the windows filesystem for easier access to the files when I am done. The windows filesystem can be found within WSL mounted under "/mnt/c/" I personally prefer to work in my user directory/desktop, which for me is /mnt/c/Users/sethk/Desktop  
  2. Create a new working directory to create the cert. Eg: [mkdir spiceworks_ssl] then CD to it.  
  3. Create a file ssl.cnf  
  1. My preferred method is to create and edit using nano. Create the document with "nano ssl.cnf" and paste the contents in. adjust the fields to match the server needing the ssl cert and save with control-x. The ssl.cnf used for the spiceworks server is attached for reference. 
  2. Create a new private key. I prefer 2048 bit keys as they still provide decent security without impacting performance.  
  1. Run [openssl req -new -nodes -keyout private.key -out server.csr -config ssl.cnf] 
  2. This will generate two files. private.key and server.csr .We will use the server.csr to generate a signed public key with a trusted CA, in this case ADCS.  
  3. Dump the contents of server.csr to the terminal. [ cat server.csr ] 
  4. Select the text between -------BEGIN …. And REQUEST-------- and hit enter to copy to the clipboard. 

sethk@PRECT36ßß-1T2: private . key server. csr SSI . cnf seth PRECT3688-1T2: -BEGIN CERTIFICATE REQUEST- 11 DCTCCAfECAQAwajELmAkGAIUEBhmcwmxCzAJBgNVBAgmA1dBb1RmwEQYDVQQH pXYXNoaWSndGgumR1wEAYDVQQKDA1 gYDVQQDDAgza21sbHNpbmmubGgjwwwggEimAßGCSqGS1b3DQEBAQUAA41BDwAw EKA01BAQCSemmsL7zUX4+GDe1ßNQfUWbg1EtZrxHißQ06JZvK6zxAZcgd1YtOw +8cuDYPshu1ShC7fqwVdPOECeLvj æswgyrCKE0+Gt100tLUeKN211fbU9GgBRBvPTXb7vBSIW10ßfoG1ßzogpoJHSf dYx7yC/dk0Vbxuboc3aRk9BSHFQ7qVRoegdB/Nkk0ByioLwAß1JvVWHcdYFiL0 1 peq F xHAmKVF / L eAt044nCB 1 WI ru S a n 3 e+NwvS2 ygCW4BXCa 3Xool•1+d a u gmd+q sGAIUdDwQEAw1EmDATBgNVHSUEDDAKBggrBgEFBQcDATAIBgWHREEHjAcghRß NßLnNraWxsc21uYySsb2Nhb11EdGVzdDANBgkqhkiGgwßBAQsFAAOCAQEAS/ES Ltlih2UzF+xNLSizrNdCHLZYbEGzKTRxAgg+sAgSUzfF307ixGmYXvpjLDs1+kG KAvgvdm8JngA3Luß6ßDPUEiJ127Pr1SNPuß7KøpzgQ+3KtRgk7rDf7+QVKdaeJ1 gdbwRzx+grB1rPjZi03uZh10S11vwQ1wvgGSPdib1mdNppUG/XR6rTuc37L/V4 W4yn vj I rugk8uNbaGj 7 r+2ZOhoiwF au 7 rl vHtRO/W047+i E 6B g IVj4PTC962UTBDPQnZL+3qPDfxdkEmczaxH84FiJtpm/J1zsxWLqASFv/AQhj 3XwWT1jmJQ1caqWQ -END CERTIFICATE REQUEST----- $ cat server. csr

 

  1. Go to the ADCS server in a browser (preferrably firefox, IE defaults to installing certs instead of downloading them. In our case it is at http://ADCS.xenos.local/certsrv/ 
  2. Select request a certificate 
  3. Select a advanced certificate request 
  4. Enter the server.csr contents into the base64 request. Most use cases will use the webserver template. 

Submit a Certificate Request or Renewal Request To submit a saved request to the CA paste a base-04-encoded CMC or PKCS certificate requestor PKCS 47 renewal requestgenerated by an external source (such as a Web server) in the Saved Request tok Pics U PKCS Attributo: submit Copy the output from server.csr here Select the Cert template.

  1. Submit the request.  
  2. You should now be able to download the cert. NOTE: MOST NON-MICROSOFT APPLICATIONS (eg. Apache) REQUIRE BASE 64 ENCODING  
  3. You now have a signed public/private key pair 

 

 

 

Endnote: Most applications will allow you to directly overwrite the default keys.  The easiest way to do this is to dump the contents of both files eg. Cat private.key and cat /mnt/c/Users/sethk/Downloads/certnew.cer . Copy the contents over their respective counterparts on the destination server (after making a checkpoint/backup). 

 

Example Contents for ssl.cnf 

----------------------- 

 

[req] 

distinguished_name = req_distinguished_name 

req_extensions = v3_req 

prompt = no 

[req_distinguished_name] 

C = US 

ST = WA 

L = Washington 

O = Xenos

OU = IT 

CN = Xenos.local 

[v3_req] 

keyUsage = keyEncipherment, dataEncipherment 

extendedKeyUsage = serverAuth 

subjectAltName = @alt_names 

[alt_names] 

DNS.1 = spiceworks.xenos.local 

DNS.2 = spiceworks

This article was updated on April 18, 2024