How to create and trust certificate Using OpenSSL?

那年仲夏 submitted on 2020-01-24 00:27:35

Question


How do I create a valid certificate using OpenSSL for an HTTPS binding in IIS?

It must work in Firefox and all other browsers as well. I am using an IIS 10 server,
with Firefox v70, Firefox Dev Edition v72b5, Chrome v79 and Edge v44. I want the HTTPS binding to work in all of these browsers.


Answer 1:


Ok. I think I found out the answer.

A certification authority has to be created to use an HTTPS binding, and all our certificates will then be signed by it. For that, download a suitable version of OpenSSL from here: Win32/Win64 OpenSSL Installer for Windows, and install it. Then, for faster and easier working, a few script files can be made.

In the folder (in which the script is running) add a folder named #. All the certificate files will be stored there.

For making the Root Certificate, create RootCA.bat:

REM Root CA private key; -des3 protects it with a passphrase you will be prompted for
openssl genrsa -des3 -out #/RootCA.key 4096
REM Self-signed root certificate, details and extensions taken from rootca.csr
openssl req -x509 -new -nodes -sha256 -days 730 -key #/RootCA.key -out #/RootCA.crt -config rootca.csr
REM PKCS#12 bundles (key + certificate) for importing into Windows; .p12 and .pfx are the same format
openssl pkcs12 -export -out #/RootCA.p12 -inkey #/RootCA.key -in #/RootCA.crt
openssl pkcs12 -export -out #/RootCA.pfx -inkey #/RootCA.key -in #/RootCA.crt
REM A .pem file must be plain PEM text, not a PKCS#12 blob, so re-emit the certificate instead of exporting PKCS#12 into it
openssl x509 -in #/RootCA.crt -out #/RootCA.pem

And for the RootCA's details, create RootCa.csr:

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
# "openssl req -x509" takes its extensions from x509_extensions, not req_extensions,
# so the root needs its own section to carry basicConstraints CA:TRUE
x509_extensions = v3_ca
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=CodeSigner
CN=*.codesigning.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.codesigning.in

[ v3_ca ]
# Marks the certificate as a CA that may sign other certificates
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

When you run RootCA.bat it will create a certificate using RootCa.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a RootCA.csr and RootCA.key are also created).



Now, for the server's certificate, create server.bat:

REM New server key and CSR, details from server.csr (-newkey rsa:2048 overrides default_bits in the config)
openssl req -new -sha256 -nodes -out #/server.csr -newkey rsa:2048 -keyout #/server.key -config server.csr
REM Sign the CSR with the root; v3.ext supplies the leaf extensions (SAN etc.), because "x509 -req" drops the CSR's own
openssl x509 -req -in #/server.csr -CA #/RootCA.crt -CAkey #/RootCA.key -CAcreateserial -out #/server.crt -days 365 -sha256 -extfile v3.ext
REM PKCS#12 bundles with the chain, for the IIS binding; .p12 and .pfx are the same format
openssl pkcs12 -export -out #/server.p12 -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
openssl pkcs12 -export -out #/server.pfx -inkey #/server.key -in #/server.crt -chain -CAfile #/RootCA.crt
REM A PEM chain is just the server certificate followed by the root, not a PKCS#12 export
type #\server.crt #\RootCA.crt > #\server.pem

And, of course, for the details create a server.csr file:

[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=Developer
OU=Test & Learn
CN=*.localhost.in

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

And another file named v3.ext (I don't quite know about it):

# Links the server certificate to the root that signed it
authorityKeyIdentifier=keyid,issuer
# A server (leaf) certificate must not itself be a CA
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Browsers match the host name against the SAN entries, not the CN
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.localhost.in

Again, when you run server.bat it will create a certificate using server.csr's details and export a .pem, .pfx and .p12 along with the certificate file (a server.csr and server.key are also created).

Note: You will have to modify server.csr for your custom domains (by default it is going to create one for the dev.localhost.in domain).

!!! Warning: You have to remember the passwords you enter. And you might modify RootCA.csr and RootCA.bat as you need (to increase the expiration, modify details, etc.).

Adding to Windows:

As I use Windows, I only know about importing into Windows. To add it in Windows, simply click on the RootCA.p12 file and import it. Remember, you have to trust the RootCA in Trusted Root Certification Authorities and in Intermediate Certification Authorities.

All the browsers except Firefox will trust the site. Work done (partially)!!

You can check it using mmc from Run, and then add the Certificates snap-in using Ctrl + M.

Adding to Firefox:

Because Firefox uses its own certificate manager and doesn't pay any heed to the system's certificates, you will have to manually import RootCA.crt for trust, and all the inheriting certificates will be trusted. As follows,

NOW, import the certificate, simply add an HTTPS binding with the certificate, and host the website using any server (even IIS etc.).
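As an added, runnable counterpart to the two batch files in the answer above (this is not part of the original answer; the file names rootca.cnf, server.cnf and v3.ext, the scratch directory, the dev.localhost.in host and the placeholder PKCS#12 password changeit are assumptions), the following POSIX shell script builds the root and server certificates with the same OpenSSL commands, marks the root as a CA explicitly, writes a real PEM chain, and then checks that the result verifies against the root for the intended host name, which is the check a browser performs before it shows the padlock:

```shell
#!/bin/sh
# Added example: shell equivalent of RootCA.bat + server.bat plus a verification
# step. Only the openssl CLI is used; all names, paths and the host are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory, like the "#" folder

# Write the OpenSSL config files. The root config carries the CA extensions a
# trust anchor needs; the leaf config carries the SAN browsers match the host against.
write_configs() {
    cat > "$WORK/rootca.cnf" <<'EOF'
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[dn]
C = US
ST = New York
L = Rochester
O = Developer
CN = Developer Local Root CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/server.cnf" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = US
ST = New York
L = Rochester
O = Developer
CN = dev.localhost.in

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = dev.localhost.in
DNS.2 = localhost
EOF
    # Extensions copied onto the issued certificate ("x509 -req" ignores the CSR's own).
    cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = dev.localhost.in
DNS.2 = localhost
EOF
}

make_root() {
    openssl genrsa -out "$WORK/RootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 730 -key "$WORK/RootCA.key" \
        -out "$WORK/RootCA.crt" -config "$WORK/rootca.cnf"
}

make_server() {
    openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -config "$WORK/server.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/RootCA.crt" \
        -CAkey "$WORK/RootCA.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/v3.ext" -out "$WORK/server.crt" 2>/dev/null
    # PEM chain (leaf first, then root) and a PKCS#12 bundle for the IIS import.
    cat "$WORK/server.crt" "$WORK/RootCA.crt" > "$WORK/server.pem"
    openssl pkcs12 -export -passout pass:changeit -out "$WORK/server.pfx" \
        -inkey "$WORK/server.key" -in "$WORK/server.crt" -certfile "$WORK/RootCA.crt"
}

# Returns 0 only if the leaf chains to the root, the root is marked CA:TRUE,
# and the leaf's SAN covers the host we intend to serve.
check_chain() {
    host="$1"
    openssl verify -CAfile "$WORK/RootCA.crt" -verify_hostname "$host" \
        "$WORK/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/RootCA.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    return 0
}

build_all() {
    write_configs
    make_root
    make_server
}
```

Usage: `. ./mkcerts.sh && build_all && check_chain dev.localhost.in && echo "chain OK for $WORK"`. The `check_chain` call fails for any host not listed in the SAN, which is exactly why the answer's v3.ext must list every name the site is served under. OpenSSL 3 writes AES-encrypted PKCS#12 files; if an older Windows release refuses to import server.pfx, add `-legacy` to the `pkcs12 -export` line.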



Source: https://stackoverflow.com/questions/59733054/how-to-create-and-trust-certificate-using-openssl
