Security Certificate Generation

Finding information on security certificates and what you need to do is not very straightforward. You can use OpenSSL (information is available on the OpenSSL web site) to generate the certificate request. OpenSSL runs on multiple platforms; however, it takes quite a bit of knowledge to figure out what you are doing. I use OpenVPN to create secure connections to my home network. OpenVPN works really well, has good documentation and is easy to install. OpenVPN uses OpenSSL to generate its certificates and ships with batch files that make certificate generation rather easy.
I modified those batch files to generate the certificate request, sent the request to CAcert and got my certificate back, then used another batch file to combine the CAcert certificate, my certificate and my key into a PKCS#12 file for email clients. These certificates work with both Mozilla Thunderbird and Microsoft Outlook, and most likely other email clients. Those two I am personally aware of, as I use one at home and the other at work, with a separate certificate generated for each email address. Installing the certificates in email clients is described on a separate page.

Certificate Generation using OpenVPN and being your own CA

Install OpenVPN and make sure you have set yourself up as a CA (Certificate Authority).

  • Switch to OpenVPN\easy-rsa
  • Run vars (this sets the HOME, KEY_DIR and KEY_CONFIG variables used by the other scripts)
  • Create the certificate by running build-key ClientName
  • Note: Certificates you issue as your own CA are typically only used within an organization, such as for VPN connections, and are not shared externally. If you try to use them for email signatures, most recipients will not accept your CA certificate as valid, since it is not in their trust store.

Generate a Certificate Request to send to a CA

Here is the batch file I use to generate a certificate request (.csr) to send to a CA (Certificate Authority).

    @echo off
    echo build-csr.bat
    rem expects the easy-rsa environment (HOME, KEY_DIR, KEY_CONFIG) set by running vars first
    cd %HOME%
    rem build a request for a cert that will be valid for two years
    rem (the actual validity is set by the CA when it signs; openssl req ignores -days unless -x509 is given)
    rem -nodes writes the private key unencrypted; omit it to be prompted for a key passphrase
    openssl req -days 730 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    echo Submit %KEY_DIR%\%1.csr to CAcert for your certificate
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%\*.old

PKCS#12 File Generation

In cryptography, PKCS#12 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a file format commonly used to store X.509 private keys together with their public key certificates, protected with a password-based symmetric key, and is the successor to PFX from Microsoft. It has received heavy criticism for being one of the most complex cryptographic protocols, but nevertheless remains the only standard way today to store private keys and certificates in a single encrypted file. PKCS#12 format files have the extension .p12.

Here is the batch file I use to generate the PKCS#12 file. The parameter passed to the batch file is the base name of the .key and .crt files used to build it. The batch file also expects a CA certificate called CAcert.crt, since I use it for certificates issued to me by CAcert; you can easily modify the process to use another CA's certificate.

    @echo off
    echo build-pkcs12.bat Build a Pkcs12 file with certificate from CAcert
    cd %HOME%
    rem convert the key/cert and embed the ca cert into a pkcs12 file.
    rem openssl prompts for an export password; the mail client asks for the same password on import
    openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\CAcert.crt -out %KEY_DIR%\%1.p12
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%\*.old

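
The two batch files above (build-csr and build-pkcs12) as a POSIX shell version, added here as an example and not part of the original page or of easy-rsa. It assumes a scratch directory WORK in the role of KEY_DIR, a throwaway self-signed CA standing in for CAcert so the whole flow runs offline, and the constructed name alice / alice@example.com; it also adds the checks worth running before importing the .p12 into a mail client.

```shell
#!/bin/sh
# Added example, not the page's batch files: CSR, then PKCS#12 bundle, then checks.
# A throwaway self-signed CA stands in for CAcert; WORK is an assumed scratch
# directory playing the role of easy-rsa's KEY_DIR.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (build-csr): private key plus certificate request for one mail address.
# -nodes leaves the key unencrypted so this runs unattended; drop it to be
# prompted for a key passphrase. Validity is not set here: openssl req ignores
# -days unless -x509 is given, so the signing CA decides the lifetime.
build_csr() {  # $1 = base name, $2 = email address
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Stand-in for the CA. With a real CA you submit the .csr and get the .crt back.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/CAcert.key" -out "$WORK/CAcert.crt" 2>/dev/null
}
sign_csr() {  # $1 = base name; 730 days as in the page's comment
  openssl x509 -req -days 730 -in "$WORK/$1.csr" -CA "$WORK/CAcert.crt" \
    -CAkey "$WORK/CAcert.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2 (build-pkcs12): key, certificate and CA certificate in one .p12,
# protected by the export password the mail client will ask for on import.
build_pkcs12() {  # $1 = base name, $2 = export password
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/CAcert.crt" -out "$WORK/$1.p12" -passout "pass:$2"
}

# Checks before handing the .p12 to a mail client: the certificate chains to
# the CA, and the bundle opens with the password and carries both certificates.
verify_chain() {  # $1 = base name
  openssl verify -CAfile "$WORK/CAcert.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
p12_cert_count() {  # $1 = base name, $2 = export password; prints the count
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

Run it as build_csr alice alice@example.com, then (after the CA has signed) build_pkcs12 alice 'password', and confirm verify_chain alice succeeds and p12_cert_count reports 2 before importing.
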
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License