Saturday, October 24, 2009

Key Notes for Complie, Install, and Using OpenSSL on Windows

Ref Docs: Generate Private Key | Generate Certificate | config | openssl | openssl req | openssl ca

I downloaded three versions of OpenSSL and have successfully compiled both versions 0.9.8h and 0.9.8k. But the compilation failed on the latest beta version 1.0.0-beta3. In this document, I will describe how I compile, install and use OpenSSL into IIS on Windows. Note that the part using/configure OpenSSL is missing in this article. I haven't completed it in my writing. I was distracted by something else while I was working on this article. All my notes are still in my local computer. After a while, I completely forget about it. Since it is just for my own notes or references, I decide to leave it as-is. If I upgrade my OpenSSL, I may update this info as needed.

Tools needed:
  • Cygwin, or GNU tar and gzip: If you don't have cygwin, I would recommend to install it. You will find a lot of useful UNIX utilities such as tar and gzip. For openssl purpose, you need both tar and gzip to unpack the openssl-<version>.tar.gz file. Don't use WinZip, WinRAR or similar to uncompress the file. Or most likely you will have problems in compilation. You can use GNU tar and gzip instead if you have them. But I have some troubles using them.
  • MinGW: It is optional unless you compile openssl under cygwin with error(s). MinGW can compile source under a DOS command prompt. For a unknown reason, I cannot compile openssl under cygwin but I can compile it under DOS with MinGW. I also cannot compile it with VC++ either.


The followings are the steps I was taking to get the job done and MinGW is the compiler.
  1. Uncompress the file using tar and gzip. You can do it under either DOS or Cygwin Bash Shell enviornment.
    tar zxvf openssl-x.x.x.tar.gz

    With the z option, tar will automatically involve gzip to work together. Thus you must have gzip around and they both must sit in the same directory.
  2. After the file extraction, look for INSTALL.W32 file for the detailed Windows compilation instructions
  3. Ensure MinGW's bin directory is in the PATH environment. Or you can do the following at the command prompt, assuming your MinGW installation directory is at c:\mingw.
    set PATH=c:\mingw\bin;%PATH%"
  4. Change directory into OpenSSL-x.x.x directory, for example,
    cd c:\openssl-0.9.8k
  5. Type the following command to compile:
  6. The compilation will take a while. When it is done successfully, it will end with the following two lines:
    Generating the DLLs and input libraries
    Done compiling OpenSSL
  7. Two DLL's files ( libeay32.dll and libssl32.dll ) are found in the root directory (e.g., c:\openssl-0.9.8k). MinGW also produced two additional directories: out and outinc.

    openssl.exe and other executable files are found in out.

    outinc contains all the headers files.

After Compilation

There is no actual openssl installation. As openssl claims, if you compile it under cygwin, the compiled version will be placed under cygwin directory at /usr/local/ssl. In my case (because I use MinGW for compilation) , I have to repackage the files and the directories myself.
  • Create the following directory tree:
    openssl dir
  • Copy files (assuming the above step is created at c:\):
         copy out\*  c:\openssl\bin
         copy outinc\openssl\*  c:\openssl\include\openssl
         copy out32dll\libeay32.dll c:\openssl\lib
         copy out32dll\libssl32.dll c:\openssl\lib
         copy apps\openssl.cnf  c:\openssl\config

Master Configuration File Location

The master openssl.cnf is located inside the apps directory.

The openssl configuration file name is openssl.cnf, which is expected to be found at /usr/local/ssl/ (unix file path style). If you are using cygwin, this ( /usr/local/ssl/openssl.cnf) should be under your cygwin directory. Unfortunately, I cannot compile it under cygwin. Again, I am using mingw as my compiler. With it, the master configuration file is located inside the apps directory.

Possible Issue

When you answer Y to sign the certificate/request again, you may have the following error:
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Solution: You cannot have two certificates that look the same. To fix this, there are two options:
  1. You can remove the line in the database (index.txt) or replace the index.txt with an empty one. Or
  2. you can revoke the previous certificate, e.g, openssl ca -revoke myCA.cer

1 comment:

  1. Exactly what I needed, when I was trying to re-do my expired certificate. Thanks!!