Install OpenSSL on a windows machine (2024)

Heartbleed security vulnerability - OpenSSL 1.0.1 -> See here

To perform certain cryptographic operations (creation of a private key, generation of a CSR, conversion of a certificate ...)on a Windows computer we can use the OpenSSL tool.

OpenSSL v1.X.X (recommended)

• Go to the following site: Link to OpenSSL download site


• Scroll down the page and choose the version (in .EXE):
  • Win64 OpenSSL v1.X.X: if your operating system is 64 bits
  • Win32 OpenSSL v1.X.X: if your operating system is 32 bits


• For some versions of Windows systems, you may need to install "Visual C++ 2008 Redistributable".

OpenSSL v3.X.X

You can also choose to use openSSL v3.X.X, however you may encounter issues with:

• reading a PFX generated with the version 1.1.1 (keybot)
• generating PFX and then import them into Windows (encryption not recognized by most Windows)

• Go to this website: Download link for OpenSSL


• Go down in the page and choose the version (in .EXE):
  • Win64 OpenSSL v3.X.X: if your operating system is 64 bits
  • Win32 OpenSSL v3.X.X: if your operating system is 32 bits

Use OpenSSL on a Windows machine

By default, OpenSSL for Windows is installed in the following directory:

• if you have installed Win64 OpenSSL: C:\Program Files\OpenSSL-Win64\
• if you have installed Win32 OpenSSL: C:\Program Files (x86)\OpenSSL-Win32\

To launch OpenSSL, open a command prompt with administrator rights.

b)Generate the private key (.key) and the CSR (Certificate Signing Request)

As part of obtaining (or renewing or reissue) a certificate, you will have to generate a private key and the associated CSR. To do this we advise you to use our online wizard to execute the OpenSSL command with the adequate parameters.
Open a command prompt with Administrators rights (right click - Run as ...). Go to the "bin" subdirectory from the OpenSSL installation folder.

Example of the command to execut:

openssl req -new -newkey rsa:2048 -nodes -out www.mywebsite.com.csr -keyout www.mywebsite.com.key -subj "/C=FR/ST=Calvados/L=CAEN/O=Mon organisation/CN=www.mywebsite.com"

Save and keep safe the file containing the private key (.key, and copy / paste only the contents of the file .csr file in the order form.

Issues encountered on Windows while generating a CSR via one command

According to the version of OpenSSL you installed or to the the installation method on Windows, you may encounter error messages such as:

• config or req is not recognized as an internal or external command
  Check the syntax and the quotes when executing your command.


• Unable to load config info from /usr/local/ssl/openssl.cnf
  OpenSSL relies here on a Linux default arborescence.

Troubleshooting: execute simplified commands:

Reminder:
- To launch the command prompt, go to the start menu and execute "cmd".
- To paste the following command lines in dos command prompt, right click and select paste.
- To go to the repertory in which is installed OpenSSL, execute:

cd c:\cd "Program Files" (or cd "Program Files(x86)")cd OpenSSL-Win64 (or cd OpenSSL-Win32)cd bin

• The private key is generated with the following command. Define a file name that suits you:
  

  openssl genrsa 2048 > website-file.key

  
  
• then use this command to generate the CSR:
  

  openssl req -new -key website-file.key > website-file.csr

  
  or this one:
  

  openssl req -new -key website-file.key -config "C:\Program Files\OpenSSL-Win64\openssl.cnf" -out website-file.csr

  On some platforms, theopenssl.cnf that OpenSSL reads by default to create the CSR is not good or nonexistent.In this case you can download ourand place it, for example, in C:\Program Files\OpenSSL-Win64\openssl.cnf:

  • For DigiCert or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
  • For TBS X509 or Sectigo server certificates: openssl-dem-server-cert.cnf


• You'll be asked by the system to fill-in fields ; Fill them in and respect the instructions (more information onObtain a server certificate)

  Country Name (2 letter code) []: (FR for example)
  State or Province Name (full name) [Some-State]: (the name of your state in full letters)
  Locality Name (eg, city) []: (the name of your city)
  Organization Name (eg, company) []: (the name of your organization)
  Organizational Unit Name (eg, section) []: (let blank - advised - or provide a generic term such as "IT department")
  Common Name (eg, YOUR name) []: (the name of the site to be secured)
  Email Address []: (let blank)

  Let the other fields blank, they are optional.

So you get 2 files: site-file.key and site-file.csr. Keep the private key file (site-file.key) securely, then copy / paste the content of the site-file.csr file into the order form at TBS CERTIFICATES.
Warning: Never send us or a third party the private key (site-file.key) otherwise the security of your site may no longer be ensured.

OpenSSL: cases of uses

OpenSSL is the toolbox mainly used by opensource software for SSL implementation.

• Generate your command line withour CSR creation assistant tool.
• Generate a CSR for Apache
• Generate a CSR for OpenSSL-based servers
• Install a certificate for OpenSSL-based servers


• Create a pkcs12 from a X509 certificate and its PEM private key
• Convert a pkcs12 into individual files for Apache or any other OpenSSL-compatible products
• Openssl: how to make sure the certificate matches the private key?


• Other OpenSSL uses
• Accented domain names (FQDN / SANs)

• OpenSSL manual