...

Because we are part of the TERENA Certificate Service, we have access to 'free' SSL certificates from SURFnet.

Generating key material

Note that I did this on one of our Ubuntu systems because those already have OpenSSL. The same things are perfectly possible on Windows as well.

Code Block
# Generates a new private key (server.key) and a certificate signing request (server.csr)
# for the host name given in the subject. Without -nodes, OpenSSL prompts for a passphrase
# and writes the key encrypted.
openssl req -new -keyout server.key -out server.csr -subj /CN=hayek.terena.org/

I submitted the signing request to the SURFnet web site, and after a few hours, and jumping through the Domain Control Validation hoops, I got a signed certificate (cert-11988-hayek.terena.org.pem) back, and the chain, which consists of 3 certificates concatenated into one file (chain-11988-hayek.terena.org.pem).

Then I combined all certificates into one file, and created a PFX from it:

Code Block
# server.pem is the signed certificate that came back (cert-11988-hayek.terena.org.pem);
# chain.pem is the file with the 3 chain certificates (chain-11988-hayek.terena.org.pem).
cp server.pem all.pem
cat chain.pem >> all.pem
# Bundles the private key with the certificate and its chain into one PKCS#12 file;
# OpenSSL prompts for an export password.
openssl pkcs12 -export -inkey server.key -in all.pem -out server.pfx
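As an added example (my script, not code from the original page), the following runs the same OpenSSL steps end to end in a scratch directory and adds the checks worth doing before the PFX is copied to the Windows server: that the private key belongs to the certificate that came back, that the certificate verifies against the chain file, and that the exported PFX really carries the chain. Because no CA is reachable offline, a throwaway root and intermediate (a constructed stand-in for the SURFnet chain) sign the CSR. The host name hayek.terena.org is from the page; the CA names, file names and export password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: the page's OpenSSL steps run
# end to end, plus the checks to run before the PFX leaves the Ubuntu box.
# A throwaway root + intermediate (constructed stand-in for the real chain)
# signs the CSR because no CA is reachable offline.
set -eu

CN=hayek.terena.org           # host name from the page
PFX_PASS=example-only         # constructed export password (assumption)

# Create key, CSR, stand-in CA, signed leaf and chain file; print the directory.
setup_materials() {
  d=$(mktemp -d)
  # 1. Server key and CSR as on the page. -nodes skips the passphrase prompt
  #    so the script runs unattended (the page's command asks for one).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.csr" -subj "/CN=$CN" 2>/dev/null
  # 2. Constructed root and intermediate CA (names are made up).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.csr" -subj "/CN=Example Root (constructed)" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
    -out "$d/inter.csr" -subj "/CN=Example Intermediate (constructed)" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # 3. Sign the server CSR (stands in for the cert-11988-... file the page got
  #    back) and build the chain file (stands in for chain-11988-...).
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$d/srv.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
  cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
  echo "$d"
}

# Succeeds only if the private key ($1) and the certificate ($2) carry the
# same public key; both are compared as SubjectPublicKeyInfo PEM.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Succeeds only if the leaf ($1) chains up to a root through the bundle ($2).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the PFX the way the page does: leaf + chain into one PEM, then export.
build_pfx() {  # key leaf chain out password
  cat "$2" "$3" > "$4.all.pem"
  openssl pkcs12 -export -inkey "$1" -in "$4.all.pem" -out "$4" -passout "pass:$5"
}

# Number of certificates stored in the PFX ($1) protected by password $2.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

WORK=$(setup_materials)
key_matches_cert "$WORK/server.key" "$WORK/server.pem" \
  || { echo "private key does not match certificate" >&2; exit 1; }
chain_verifies "$WORK/server.pem" "$WORK/chain.pem" \
  || { echo "certificate does not verify against chain file" >&2; exit 1; }
build_pfx "$WORK/server.key" "$WORK/server.pem" "$WORK/chain.pem" "$WORK/server.pfx" "$PFX_PASS"
echo "$WORK/server.pfx holds $(pfx_cert_count "$WORK/server.pfx" "$PFX_PASS") certificates (leaf + chain)"
```

A check that is easy to skip is the chain one: if only the root is passed as the bundle, openssl verify fails because the issuing intermediate is missing, and a PFX built from such a bundle imports fine on Windows yet leaves clients unable to build the chain. One further caveat from my own experience, not from the page: OpenSSL 3 exports PKCS#12 with AES-256 and PBKDF2 by default, which older Windows releases cannot read; adding -legacy to the pkcs12 -export command produces the older encryption those systems accept.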

Adding the key and certificates

After copying the PFX file to the Windows server, I ran mmc and added the Certificates snap-in. When it asked which account's certificates to manage (it has to be one the SQL Server service can access), I selected the "Local System" account; because I was running the snap-in as Administrator, all is well.

Then expand: Console Root -> Certificates (Local Computer) -> Personal.

Right-click -> All Tasks -> Import. I navigated to the pfx file and imported it, including all extended properties.

I kept "Mark this key as exportable" unchecked, as I already have the key material in PEM format in a different place.

Since we don't need the key to be exportable from the Windows store, any future malicious export attempt will be more difficult this way.

...