Download OpenSSL 3.4.0 from my repository of binaries for Windows 64-bit, assembler-optimized with C, and FIPS enabled.
Follow the guide at the following URL.
https://github.com/fochoa8/OpenSSL-Win-x64
My setup uses a 16384-bit key with the RSA algorithm, AES-256 as the encryption method, and SHA3-384 as the hash. The cipher suite is TLS_1.3_RSA_AES_256_GCM_X25519_SHA384, with X25519 key exchange, in TLS version 1.3.
Or get the binaries you want, and reference them in your environment variables.
That's the latest version, compiled nicely, and it supports more AES modes.
Use the following command in the Terminal to create a private key for your IIS certificate request.
Terminal icon.
Once the command is issued, after a while it will ask for a password.
Enter it twice, the same password both times. It had better be a good alphanumeric password with special symbols, more than 12 characters at the very least. Call me crazy, but better safe than sorry.
openssl genrsa -aes256 -f4 -out .\ca.key 16384
I have no idea why everybody leaves this special key open to being broken by a rainbow table attack by specifying -des3 without even knowing it, instead of -aes256; des3 has been fully cracked and deprecated, for example on [https://github.com/pyca/cryptography]
Here is an image about TripleDES.
About AES-256 strength: no, it has not been cracked; always follow the legitimate source.
openssl genrsa -aes256 -f4 -out .\ca.key 16384
In case you doubt this, use Camellia with 256 bits instead.
openssl genrsa -camellia256 -f4 -out .\ca.key 16384
This is an alternative to add further randomness on top of AES-256, but you would have to generate a random file and then shred it.
openssl genrsa -aes256 -f4 -rand .\.cargo\bin\cargo.exe -out .\ca.key 16384
If you do not plan on shredding the file, do not issue the command above, since the file can be used for partial recovery.
Using openssl.cnf in its default version:
You are safe with 4096 bits at least; 8192 bits is already double that, and 16384 the triple.
openssl genrsa -aes256 -f4 -out .\ca.key 4096
openssl genrsa -aes256 -f4 -out .\ca.key 8192
openssl genrsa -aes256 -f4 -out .\ca.key 16384
For more about this command, refer to the OpenSSL manual.
[https://docs.openssl.org/1.0.2/man1/genrsa/]
I specify -f4, which sets the public exponent to 65537; there is also -f1, which uses exponent 3 (do not use that at any cost), and the key is 16384 bits long, to make it more unusual and adjust the algorithm to my needs. I also specify a file as an extra randomness source for the generated private key.
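As an added check (example script, not from the author's repository), the POSIX shell functions below run the tutorial's genrsa command non-interactively and then verify the three properties the text argues for: the modulus size, the 65537 public exponent that -f4 selects, and AES-256 rather than des3 protecting the PEM. It assumes an openssl binary (1.1 or 3.x) on PATH, and passes the passphrase with -passout instead of the interactive prompt.

```sh
#!/bin/sh
# Added example, not the repository's code. Assumes `openssl` (1.1 or 3.x) is on PATH.
# The tutorial prompts for the passphrase; here it is passed with -passout so the
# functions can run unattended.

# $1 = output path, $2 = key size in bits, $3 = passphrase
# Same flags as the tutorial: AES-256 on the PEM, public exponent 65537 (-f4).
gen_ca_key() {
    openssl genrsa -aes256 -f4 -passout "pass:$3" -out "$1" "$2" 2>/dev/null
}

# Print the modulus size in bits, e.g. 4096. Matches both the 1.1 line
# "RSA Private-Key: (N bit, 2 primes)" and the 3.x line "Private-Key: (N bit, 2 primes)".
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the public exponent; -f4 must give 65537, never 3.
key_exponent() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*publicExponent: \([0-9]*\).*/\1/p'
}

# Succeed only if the PEM is protected with AES-256-CBC rather than des3.
# OpenSSL 1.1 writes a "DEK-Info" header naming the cipher; 3.x writes PKCS#8,
# whose PBES2 cipher OID asn1parse prints by name.
key_uses_aes256() {
    grep -qi 'DEK-Info: AES-256-CBC' "$1" \
        || openssl asn1parse -in "$1" 2>/dev/null | grep -qi 'aes-256-cbc'
}

# Usage mirroring the tutorial (a 16384-bit key takes far longer than 4096):
#   gen_ca_key ./ca.key 16384 'your passphrase'
#   key_bits ./ca.key 'your passphrase'        # 16384
#   key_exponent ./ca.key 'your passphrase'    # 65537
#   key_uses_aes256 ./ca.key && echo "AES-256 protected"
```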
After that, press the Windows key or icon and type IIS.
Click on the next icon.
At the root of IIS, double-click on Server Certificates.
Now click on Create Certificate Request.
In the certificate data, specify exactly what you have in the openssl.cnf file. In my case:
Then set it to Microsoft RSA SChannel Cryptographic Provider, and set the key length to the number of bits of the private key you prefer. My private key is set to 16384 bits, which is far too much for a certificate to be broken and therefore much slower. Set it to 4096 bits; that is more than enough.
After that, save the request in a txt file. Note carefully where you save it.
I save the file as requestcert.txt
These are the partial contents of the txt file.
Go back to the Terminal.
After entering the password twice,
the ca.key file will be created.
Now issue this command, specifying in the folder the configuration you wrote yourself in an openssl.cnf file.
Get the file from this repository: [https://github.com/fochoa8/IIS-Certificate-By-Request/blob/master/openssl.cnf]
Download it and place it in the folder where you create your own certificates.
In my case:
openssl req -x509 -new -nodes -sha384 -days 365 -key .\ca.key -out .\IISRootCA.crt -config .\openssliis.cnf
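The config file itself lives in the author's repository; the block below is an added example, not that file. It writes a minimal equivalent for the req -x509 step (CA extensions plus a SAN, which browsers match against the binding hostname rather than the CN) and then checks what actually ended up in the certificate: the SHA-384 signature, the CA flag and the SAN. The DN values are placeholders, razerblade is the hostname used later in the tutorial, and an openssl binary on PATH is assumed.

```sh
#!/bin/sh
# Added example, not the repository's openssl.cnf. Assumes `openssl` (1.1 or 3.x) on PATH
# and a key encrypted as in the tutorial's genrsa command. DN values are placeholders.

# Write a request config: root-CA extensions plus a SAN listing every name the
# IIS binding will be reached by (browsers ignore a CN without a matching SAN).
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
default_md         = sha384
distinguished_name = req_dn
x509_extensions    = root_ca_ext

[ req_dn ]
C  = XX
O  = Example Org
CN = razerblade

[ root_ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
subjectAltName         = DNS:razerblade, DNS:localhost, IP:127.0.0.1
EOF
}

# $1 = encrypted key, $2 = passphrase, $3 = config, $4 = output certificate.
# Mirrors the tutorial's req -x509 line; -nodes is dropped because it only
# matters when req generates a new key, and the passphrase is passed with -passin.
make_root_cert() {
    openssl req -x509 -new -sha384 -days 365 -key "$1" -passin "pass:$2" \
        -out "$4" -config "$3" 2>/dev/null
}

# Dump the certificate once; the checks below grep that text.
cert_text()    { openssl x509 -in "$1" -noout -text 2>/dev/null; }
# First "Signature Algorithm:" line, e.g. sha384WithRSAEncryption
cert_sig_alg() { cert_text "$1" | sed -n 's/^ *Signature Algorithm: *\(.*\)/\1/p' | head -n 1; }
# Succeeds if the basicConstraints extension marks the cert as a CA
cert_is_ca()   { cert_text "$1" | grep -q 'CA:TRUE'; }
# $2 = DNS name that must appear in the Subject Alternative Name
cert_has_san() { cert_text "$1" | grep -q "DNS:$2"; }
```

Run `write_cnf ./openssliis.cnf` and then `make_root_cert ./ca.key 'your passphrase' ./openssliis.cnf ./IISRootCA.crt` to reproduce the step; the three cert_* functions then confirm the certificate before it is exported to RootCA.pfx.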
Here is the command that follows.
openssl pkcs12 -export -out .\RootCA.pfx -inkey .\ca.key -in .\IISRootCA.crt
Double-click RootCA.pfx and open it with Shell Crypto Extensions.
In this dialog, click Next.
After that, the same: click Next.
I use these settings normally.
Click Next. Then select the second option, click Browse..., and select the Trusted Root Certificate Authority folder as the store for the certificate import.
Now click Finish.
It will ask if you want to install the certificate; click Yes.
Now open the file again and do the same steps, but in the Browse... step click on Personal. Then click Next, then Finish.
After that, repeat the steps, except that in the first dialog you are going to select Local Machine.
Then fill this in with the same password you entered in the last command.
After that, place the certificate in the folder named Web Hosting.
Go back to IIS Server now and restart the server.
Now click on Server Certificates.
After that you will see the certificate right there.
Now go to Sites, click on Default Web Site, and click on Bindings...
Then click on Add...
Here I only enable TLS version 1.3, making it harder to crack.
Specify your own computer hostname. Mine is razerblade.
Select the SSL Certificate you created.
Check timestamp and expiration date.
If all is working, press OK. Now restart the Default Web Site server.
Then click on the links in IIS on port 443.
This is how it looks fully working.
And finally the default site.
It also does not hurt to further secure the device and port 443, which is the only one I expose.
Now press the Windows key, type Notepad, right-click it and choose Run as Administrator...
Now edit the hosts file, stored in: C:\Windows\System32\drivers\etc\
Write your own hostnames as you wish.
Always use top security for Your production servers.
The Let's Encrypt option I never use, but that depends on each person; the end user is the one who will be subject to those decisions.
I made this tutorial to show you how to create a fully custom certificate on IIS with OpenSSL.
Thanks, Fernando Ochoa Olivares. MIT Researcher, and winner of Fire Hydrant Award.