Problem:
Recently I needed to create a number of certificates for non-Microsoft systems such as ESXi hosts, NAS/SAN units and some security applications. The problem was that most of these systems did not have a facility for generating a CSR. I needed to create the CSR in OpenSSL, sign the certificate with a Microsoft CA and then generate a certificate.
Solution:
1. Download OpenSSL from here.
2. Use the template below for the certificate request, changing the parts in red to match your systems:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:NAS1, IP:10.20.30.253, DNS:NAS1.mydomain.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = MyCompany
organizationalUnitName = MyCompany
commonName = NAS1.mydomain.com
3. Paste the above into the C:\OpenSSL-Win32\bin\openssl.cfg file (after removing the existing contents).
4. Open a command prompt in the OpenSSL directory and run the following command to create the certificate request:
openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
5. Convert the private key to RSA format with this command:
openssl rsa -in rui-orig.key -out rui.key
6. Go to the Microsoft CA and open a command prompt. Put the rui.csr file in a folder you can access on the CA server.
7. Run the following command:
certreq -submit -attrib "CertificateTemplate:WebServer" rui.csr
8. Select the CA.
9. Save the certificate as rui.cert
10. Log in to the device or application where you need to import the certificate.
11. Open the rui.cert file in Notepad and copy the contents to the certificate section.
12. Open the rui.key file in Notepad and copy the contents to the private key section.
13. Open the root CA certificate in Notepad and copy the contents to the intermediate certificate section.
14. Click Apply. The certificates will be uploaded and you will have a secure connection.
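Two checks are worth running around the steps above: before submitting rui.csr in step 7, confirm that it is correctly signed and carries the subjectAltName entries from the template; before pasting rui.cert and rui.key into the device, confirm that they hold the same public key. The script below is an added example, not part of the original procedure; it assumes a POSIX shell with openssl on the PATH (Git Bash, WSL or a Linux admin host), its function names are hypothetical, and its sample request is built from a trimmed copy of the template.

```shell
#!/bin/sh
# Added example (not from the original post): checks for rui.csr, rui.key, rui.cert.
# All function names are hypothetical helpers; only the openssl commands are real.

# PEM public key taken from a private key, a CSR, or an issued certificate.
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True when both public keys are non-empty and identical.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# True when the CSR's self-signature verifies. The message wording differs
# between OpenSSL versions, so match the common "verify OK" suffix.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the CSR's subjectAltName entries, one per line.
csr_san_entries() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' | sed 's/^ *//'
}

# True when the CSR carries exactly this entry, e.g. "DNS:NAS1.mydomain.com".
csr_has_san() { csr_san_entries "$1" | grep -qxF "$2"; }

# Constructed sample: a trimmed copy of the template above written to "$1",
# followed by the CSR command from step 4.
make_sample_request() {
    cat > "$1/openssl.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[ v3_req ]
subjectAltName = DNS:NAS1, IP:10.20.30.253, DNS:NAS1.mydomain.com
[ req_distinguished_name ]
commonName = NAS1.mydomain.com
EOF
    (cd "$1" && openssl req -new -nodes -out rui.csr -keyout rui-orig.key \
        -config openssl.cfg 2>/dev/null)
}

# Typical use after sourcing this file:
#   csr_signature_ok rui.csr && csr_has_san rui.csr "DNS:NAS1.mydomain.com"
#   same_pubkey "$(pub_from_key rui.key)" "$(pub_from_cert rui.cert)"
```

In the text output of openssl req, an IP entry written as IP:10.20.30.253 in the template appears as "IP Address:10.20.30.253", so that is the string to pass to csr_has_san.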