I’ve seen lately many requests in our forums, and I personally received some, about how to generate and manage SSL certificates on Windows machines. It seems one of those topics that is always hot, especially these days with all the services available over public internet connections, and all the scary stories about security breaches.
Whatever “web” service you are willing to execute and publish over the internet, an SSL certificate can protect you as a provider, and your users connecting to it. It’s extremely important to deploy properly configured SSL certificates, yet many don’t do this. Why? Maybe because only Microsoft IIS (Internet Information Services) has an easy wizard to accomplish these tasks. But if you follow this quick tutorial, SSL certificate will be easy to install on any Windows machine, with our without IIS. If you are using or planning to use Veeam software solutions, you can use SSL certificates, for example, to protect the access for example to Enterprise Manager or Cloud Connect.
Several software products have the possibility to generate and use a self-signed certificate. This is a quick and easy method to complete deployments and to test them, but gives no security to users, since they cannot verify the certificate, and thus the authenticity of the service provider.
When a user connects to one of these services, this is the result when a self-signed certificate is used:
In order to properly protect the service and give its users guaranteed security, you should use a proper and generally recognized certificate, issued by one of the Certification Authorities recognized by internet browsers and operating systems.
Step 1: Create the Certificate Signing Request (CSR)
In a public key infrastructure (PKI), a certificate signing request (CSR or certification request) is the text created by the “applicant” (the Service Provider running the service in our case) to a Certificate Authority, that in return sends back a Signed Certificate. It’s like sending out an order, that is then processed following the instructions in it, and the ordered goods are finally delivered.
When creating the CSR, the applicant also generates a key pair and keeps the private key secret. The CSR contains information about the applicant, like the company information and the service DNS, which are signed using the applicant's private key. The CSR also contains the public key chosen by the applicant.
The first operation you should do is to decide the public “fully qualified domain name” the service will listen to; this will be the DNS name users will contact to use the service; just like opening a website. This name should match the one used in DNS and the one used in the CSR.
To obtain a real certificate, a real domain name must be used. So, in this tutorial, I used my blog’s domain virtualtothecore.com, and the FQDN is:
In order to generate the CSR, on the Windows Server, you need first to create with a text editor a .inf file. This file (it can be called request.inf) should contain a text like this example:
;----------------- request.inf -----------------
Subject = "CN= cc.virtualtothecore.com, OU=IT, O=Skunkworks, L=Milan, S=Lombardy, C=IT"; replace attributes in this line
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = "cc"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
OID=220.127.116.11.18.104.22.168.1 ; this is for Server Authentication
The parts in red are to be changed with the specific values of your service, and some informations about your company. Skunkworks, by the way, is the name I gave to my home lab.
After the configuration file has been edited, it can be saved in a useful location like a dedicated folder c:\certificates. Then, open a command prompt with Administrator rights (right click and select “Run as Administrator”), move into c:\certificates and run this command:
certreq -new request.inf certreq.txt
If you open the certreq.txt file with a text editor, its content is like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
This is the generated CSR you will use.
Step 2: Obtain a Signed Certificate
With the Certificate Request correctly created, it’s time to get a signed certificate from a Certificate Authority. There are several online services where you can get a certificate, and some of them also offer free time-limited certificates that are useful to test real SSL connections at no expense.
The involved steps vary depending on the selected Certificate Authority, but they usually involve a validation of the CSR, a check against the registered domain via whois protocol to collect the registrant email address, and a verification procedure sent to this email to validate the authenticity of the request.
Whatever are the differences in the procedures, the final result is a Signed Certificate. It can usually be retrieved in text format or downloaded, and its content is going to be like this:
Step 3: Install the Signed Certificate
Back in the Windows server, create an empty text file in c:\certificates and call it cert.crt. Open it with a text editor and paste in it the certificate text received from the Certification Authority.
Then, open again a high privileges command prompt, go into the c:\certificates directory, and run this command:
certreq –accept cert.crt
Once the command is executed, the certificate is stored in the local Certificate Store of the Windows Operating System.
To manage this and future certificates, you can use the Certificates MMC (Microsoft management console), that gives you graphical access to the Certificate Store. When configuring the console, it only requires you to select “Computer account” and then “local computer”. Imported certificates like the one created in this tutorial is stored under Personal Certificates.
Step 4: A practical use with Veeam Cloud Connect
Let’s see now how this certificate can be used in a real senario. In Veeam Backup & replication, you can protect for example a Cloud Connect deployment. To use the certificate, go into the Cloud Connect Infrastructure node of the Veeam Console, and select “Manage Certificates”. First, you choose “Select certificate from Certificate Store”:
In the following screen, you select to browse the Certificate Store. Here, you expand the “My” tree, and you see the imported certificate. You select it.
The next step of the wizard also shows the Thumbprint of the certificate; this can be sent to customers for additional verifications.
Finished the wizard, the certificate is ready to be used for SSL cyphered connections.
When a user starts a connection to the service, this is the certificate that will be used:
As you can see, and as the user can verify, the certificate is issued to cc.virtualtothecore.com as requested, it’s valid, and the Certification Path is recognized; this means Windows is able to recognize the Certificate Authority that signed the certificate as valid, and accept its certificates.