How to Create Self-Signed Certificate with OpenSSL 3 Like ‘New-SelfSignedCertificate’

Tags: certificate, openssl, self-signed-certificate, ssl-certificate, winrm

First of all, I did some googling about openssl, such as this one, and also tried dozens of times to create a valid self-signed certificate.
But I guess asking on serverfault would be much quicker.

My platform is a Windows 10 computer with openssl 3.2.0 light edition installed. The infrastructure has no domain; it is just a testing environment.

The goal is to create a self-signed certificate for Windows hosts and the Windows Remote Management HTTPS protocol to use. I do know that the Windows PowerShell "New-SelfSignedCertificate" cmdlet can meet my demand directly, but this is not what I want.

Openssl is the tool I need. I want to use openssl to generate a self-signed certificate (from scratch), the same as what "New-SelfSignedCertificate" can generate.

I encountered issues when configuring "winrm" after importing the certificate (generated from openssl). The error messages are:

    settings Error number:  -2144108306 0x803380EE
    The WinRM client cannot process the request.
    The Enhanced Key Usage (EKU) field of the certificate is not set to "Server Authentication".
    Retry the request with a certificate that has the correct EKU.

Here are the commands that I use to create the self-signed certificate:

    #Generate a private key
    openssl genpkey -algorithm RSA -out private-key.pem

    #Generate a certificate signing request (CSR)
    openssl req -new -key private-key.pem -out certificatesigningrequest.pem -days 3650 -subj "/C=US/ST=Colorado/L=aspen/CN=10.0.2.4/OU=myhostgroup/O=testinfra" -addext "keyUsage=digitalSignature,keyEncipherment" -addext "extendedKeyUsage=serverAuth,clientAuth"

    #Generate a self-signed certificate
    openssl x509 -req -in certificatesigningrequest.pem -signkey private-key.pem -out self-signed.crt

    #combine the private key and certificate into a PKCS#12 file (PFX/P12)
    openssl pkcs12 -export -in self-signed.crt -inkey private-key.pem -out certificate.pfx -password pass:P@ssw0rd

When executing the command lines listed above, they all worked with no error messages; however, the "keyUsage" and "extendedKeyUsage" are never inserted and these extensions never appear in the certificate. The outcome is the error messages shown above when trying to configure winrm with https to use this certificate.

I want to troubleshoot the issues one by one.
Can anyone provide some hints about how to deal with the extensions for a certificate using openssl 3?

Best Answer

The openssl x509 -req without -copy_extensions does not copy the extensions from the CSR, so you would have to add, e.g., -copy_extensions=copyall.

Also, you specify -days 3650 in the wrong command, which it complains about, too.

Try to alter your workflow like this:

  1. Generate a private key (as is):

    openssl genpkey -algorithm RSA -out private-key.pem
    
  2. Generate a certificate signing request (CSR):

    openssl req -new -key private-key.pem -out certificatesigningrequest.pem \
      -subj "/C=US/ST=Colorado/L=aspen/CN=10.0.2.4/OU=myhostgroup/O=testinfra" \
      -addext "keyUsage=digitalSignature,keyEncipherment" \
      -addext "extendedKeyUsage=serverAuth,clientAuth"
    

    (Moved the -days 3650 to the next command.)

  3. Generate a self-signed certificate:

    openssl x509 -req \
      -days 3650 \
      -copy_extensions=copyall \
      -in certificatesigningrequest.pem \
      -signkey private-key.pem \
      -out self-signed.crt
    

    You can now test with openssl x509 -in self-signed.crt -text -noout that it has the extensions:

    Certificate:
        Data:
            X509v3 extensions:
                X509v3 Key Usage: 
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage: 
                    TLS Web Server Authentication, TLS Web Client Authentication
    
    
  4. Combine the private key and certificate into a PKCS#12 file (PFX/P12) (as is):

    openssl pkcs12 -export -in self-signed.crt -inkey private-key.pem \
      -out certificate.pfx -password pass:P@ssw0rd