Creating SSL/TLS certificate for using HTTPS


YSoft SafeQ Job Service and YSoft SafeQ Client v3 in Server mode require an SSL/TLS certificate to secure the connection. You can create the certificate in one of the following ways.

Creating a self-signed SSL/TLS certificate

You can create a self-signed SSL/TLS certificate in PKCS #12 format with the New-SelfSignedCertificate cmdlet in PowerShell.

Operating systems do not trust self-signed certificates by default. If you do want to use a self-signed certificate, it must be imported into the trusted store of every operating system that hosts an application required to trust the certificate.

How to create a self-signed SSL/TLS certificate

  1. Open PowerShell.

  2. In the following command, replace FQDN with the Fully Qualified Domain Name of your server (if you want to supply multiple FQDNs, separate them with commas).

    New-SelfSignedCertificate -DnsName FQDN -CertStoreLocation cert:\LocalMachine\My
  3. Run the command (it will generate the self-signed certificate and import it into the LocalMachine\My certificate store).

  4. Copy the Thumbprint of the generated certificate.

  5. Set the password that will protect the exported PKCS #12 file by running the following command (replace "123456" with your own password!)

    $CertPassword = ConvertTo-SecureString -String "123456" -Force -AsPlainText
  6. Export the certificate from the certificate store by running the following command (replace "CertificateThumbprint" with the Thumbprint you copied in step 4 and "C:\certificate.pfx" with the path where you want to store the exported certificate)

    Export-PfxCertificate -Cert cert:\LocalMachine\My\CertificateThumbprint -FilePath C:\certificate.pfx -Password $CertPassword

Requesting an SSL/TLS certificate using a Certificate Signing Request (CSR)

You can create a Certificate Signing Request with the certreq tool on Windows. certreq requires a configuration file that describes the requested certificate.

The generated Certificate Signing Request is then submitted to a certificate authority, which creates and signs the certificate. The entity that manages the certificate authority should send you back a certificate in PKCS #12 format (.pfx file).

How to create a Certificate Signing Request (CSR) with certreq tool

  1. Store the following configuration in a file named settings.inf

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=ServerFQDN; O=OrganizationName; L=Location; C=CountryCode"
    ; Replace ServerFQDN with the Fully Qualified Domain Name of the server where YSoft SafeQ services will be installed.
    ; Replace OrganizationName with the name of your organization.
    ; Replace Location with the location.
    ; Replace CountryCode with the ISO-3166-2 Country Code https://en.wikipedia.org/wiki/ISO_3166-2
    ; Example: "CN=safeq.ysoft.com; O=YSoft Corporation, a.s.; L=Brno; C=CZ"
    X500NameFlags = 0x40000000
    KeySpec = 1
    KeyLength = 2048
    ; KeyLength is usually chosen from 2048, 3072, or 4096.
    HashAlgorithm = SHA256
    ; Algorithms earlier than SHA-2 are not secure and should not be used.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    ; 0xa0 = digitalSignature + keyEncipherment, the key usages a TLS server certificate needs.

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication (server TLS)

    ; If you want to supply multiple Fully Qualified Domain Names, use the Subject Alternative Name extension of the certificate.
    ; To include them in the Certificate Signing Request, uncomment the following lines (remove '; ' from the beginning) and add every FQDN as a separate '_continue_' record.
    ;
    ; [Extensions]
    ; 2.5.29.17 = "{text}"
    ; _continue_ = "dns=FQDN1&"
    ; _continue_ = "dns=FQDN2&"
    ; _continue_ = "dns=FQDN3&"
  2. Replace the placeholder values in Subject with your own.

  3. (optional) If you need to supply multiple FQDNs, edit the [Extensions] section of the configuration as described in the comments. For more information see certreq | Microsoft Docs.

  4. Run the following command in PowerShell. It will open a file picker dialog.

    certreq -new
  5. Select the settings.inf file in the dialog.

  6. Now, select a location where the Certificate Signing Request will be stored. You can store it e.g. as certificate.req file.
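The CSR procedure above can also be scripted end to end, which avoids hand-editing settings.inf for every server and lets you check the request before it goes to the CA. The PowerShell below is an added example and not part of the YSoft SafeQ documentation; the FQDN list, organization fields and output paths are assumptions, it uses the non-interactive certreq form (policy file in, request file out) instead of the file dialog, and it dumps the finished request so the Subject, every SAN and the Server Authentication EKU can be confirmed.

```powershell
# Added example (not YSoft SafeQ documentation): generate settings.inf from a
# list of FQDNs, create the CSR with certreq, then inspect what was requested.
# Assumed values: the FQDNs, the O/L/C fields and the two output paths.
$Fqdns   = @('safeq.example.com', 'print.example.com')   # first entry becomes the CN
$InfPath = 'C:\certreq\settings.inf'
$ReqPath = 'C:\certreq\certificate.req'

# Every FQDN (including the CN) becomes its own _continue_ record of the
# Subject Alternative Name extension (OID 2.5.29.17).
$SanLines = $Fqdns | ForEach-Object { "_continue_ = `"dns=$_&`"" }

$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$($Fqdns[0]); O=Example Org; L=Brno; C=CZ"
X500NameFlags = 0x40000000
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($SanLines -join "`n")
"@

New-Item -ItemType Directory -Path (Split-Path $InfPath) -Force | Out-Null
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii

# Non-interactive form: no file picker, the request lands in $ReqPath.
certreq -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the CSR before sending it to the CA: the dump should show the CN,
# one "DNS Name=" line per FQDN and the Server Authentication EKU.
certutil -dump $ReqPath | Select-String -Pattern 'CN=', 'DNS Name=', 'Server Authentication'
```

Run it from an elevated PowerShell session, because MachineKeySet = TRUE stores the private key in the machine key container.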