As part of my slow-moving efforts within my company to get WinRM enabled across the enterprise (14,000 computers…) I’ve had to do a bit of testing to make sure I can properly secure it. Much of that testing is around setting the execution policy and making sure nothing outside of what I or my team has signed can run. To do that, I needed to be able to make my own self-signed certs to test what it would be like with scripts coming from outside. Naturally, I chose OpenSSL: I don’t have access to create Microsoft certs with our company tools and I don’t want to bug (or wait on) someone else to make them for me when I need them. I’m not patient like that. So, in typical geek fashion I set out to figure out how to do it on my own.
First I’ll start off by saying that 99% of what you find on the internet on how to do it will not work on Windows. Those instructions will work beautifully on Linux, but if the instructions only tell you to make modifications to the config file, then those instructions are not for you. I went through several different sites giving values to set inside the config but it never worked. Every cert I ended up with was not valid for code signing! I ended up spending time going through the official OpenSSL documentation and figuring out the method I ended up with. It’s not hard, it just uses a method most don’t know about or haven’t had a need to use. You’ll have to make changes to your main config file, create a supplemental one, and I throw in a batch file to automate it. I am using OpenSSL 1.0.1e, released on 11 Feb 2013, on a Windows 7 machine.
Make sure the v3_req section in your openssl.cfg matches the one below:
You can take away the email under nsCertType but there isn’t a reason to. You can also add any additional types you may want this cert to be usable for, just don’t take away anything that has Code, Signature or obj references in it.
You then want to create a NEW .cfg file and put the exact same properties as above (without the [ v3_req ] header). You can call it anything you want, just save it somewhere logical. I keep mine in the OpenSSL directory with the openssl.cfg.
Below is the batch script I wrote to automate the process of creating a new self-signed CA and a code signing cert.
I know some of it looks redundant, and it is, but I found it all to be necessary to get it to work. I suspect it’s a bug with the Windows build of OpenSSL, since it should read it all from the openssl.cfg file. It does on Linux. I may not have tested every combination of where the config information needs to be, and maybe you can leave it out in one place, but this isn’t a long or complicated process so I see no reason to go back and fully verify.
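As an added illustration of the procedure above (this is not the post’s own batch file, which is not reproduced on the page), the following cmd script creates a test CA and a code-signing cert with OpenSSL. The install path, output folder, subject names, and the exact extension values are assumptions; the extension values follow what the post describes (nsCertType keeps email and objsign, extendedKeyUsage names codeSigning, keyUsage names digitalSignature). The script writes the supplemental extension file itself (no section header, as the post says) and, because the extensions requested in the CSR were not carried over into the signed cert on Windows, passes that file again with `-extfile` when the CA signs the request. The final PKCS#12 export is an assumed extra step so the cert can be imported into the Windows certificate store.

```batch
@echo off
REM Added example, not the original post's script. Paths and names below are assumptions.
setlocal

set OPENSSL_HOME=C:\OpenSSL-Win32
set OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg
set EXTFILE=%OPENSSL_HOME%\bin\codesign_ext.cfg
set OUT=%~dp0certs
set DAYS=365
set CA_SUBJ=/C=US/O=Example Corp/CN=Example Test Code Signing CA
set LEAF_SUBJ=/C=US/O=Example Corp/CN=Example Test Script Signer

if not exist "%OUT%" mkdir "%OUT%"

REM Supplemental extension file: same values as the v3_req section in openssl.cfg,
REM but with no [ v3_req ] header so "openssl x509 -extfile" reads them directly.
REM (Assumed values, consistent with the post's description.)
(
echo basicConstraints = CA:FALSE
echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment
echo extendedKeyUsage = codeSigning, msCodeInd, msCodeCom
echo nsCertType = client, email, objsign
) > "%EXTFILE%"

REM 1. Private key and self-signed certificate for the test CA.
openssl genrsa -out "%OUT%\ca.key" 2048
if errorlevel 1 goto :fail
openssl req -new -x509 -days %DAYS% -key "%OUT%\ca.key" -out "%OUT%\ca.crt" -subj "%CA_SUBJ%" -config "%OPENSSL_CONF%"
if errorlevel 1 goto :fail

REM 2. Key and CSR for the code-signing cert. -reqexts v3_req puts the extensions in
REM    the request; on Windows they still have to be supplied again at signing time.
openssl genrsa -out "%OUT%\codesign.key" 2048
if errorlevel 1 goto :fail
openssl req -new -key "%OUT%\codesign.key" -out "%OUT%\codesign.csr" -subj "%LEAF_SUBJ%" -config "%OPENSSL_CONF%" -reqexts v3_req
if errorlevel 1 goto :fail

REM 3. Sign the request with the CA, forcing the code-signing extensions from the
REM    supplemental file. This is the step that fixes "not valid for code signing".
openssl x509 -req -days %DAYS% -in "%OUT%\codesign.csr" -CA "%OUT%\ca.crt" -CAkey "%OUT%\ca.key" -CAcreateserial -out "%OUT%\codesign.crt" -extfile "%EXTFILE%"
if errorlevel 1 goto :fail

REM 4. Bundle key, cert and CA cert into a PFX for import into the Windows store
REM    (the export password is prompted for interactively).
openssl pkcs12 -export -inkey "%OUT%\codesign.key" -in "%OUT%\codesign.crt" -certfile "%OUT%\ca.crt" -out "%OUT%\codesign.pfx"
if errorlevel 1 goto :fail

REM 5. Check the result: both lines must appear in the X509v3 extensions.
echo.
echo Extensions present in %OUT%\codesign.crt:
openssl x509 -in "%OUT%\codesign.crt" -noout -text | findstr /C:"Code Signing" /C:"Digital Signature"
if errorlevel 1 (
    echo ERROR: code signing extensions are missing from the issued certificate.
    goto :fail
)
echo Done. Import ca.crt into Trusted Root and codesign.pfx into Personal before signing scripts.
endlocal
exit /b 0

:fail
echo An OpenSSL step failed; see the output above.
endlocal
exit /b 1
```

Step 5 is the check worth keeping in any automation of this: if `findstr` finds neither "Code Signing" nor "Digital Signature" in the text dump, the cert was issued without the extensions and Windows will reject it for script signing exactly as the post describes.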
I don’t go into detail on all of the parameters that are used. I don’t understand enough to do that (although I’m pretty sure I have it figured out) and I am by no means an expert on encryption or SSL. I hope this all works for you. If anyone has any website they recommend that gives a great, clear, and thorough explanation of how encryption (or specifically SSL) works I would really appreciate you linking it in the comments!
A few more notes: