Channel: Active questions tagged windows - Super User

How to create a Windows localhost certificate based on a local CA?


In my attempts to understand how TLS certificates work on Windows, I haven't found a simple and comprehensive guide, but I've accomplished some necessary steps.

First, I succeeded in downloading the OpenSSL command as OpenSSL Light Stable from slproweb.com/products/Win32OpenSSL.html. Brief descriptions of the subcommands are at https://www.openssl.org/docs/man1.1.0/apps/. I added the OpenSSL bin folder to System > Properties > Advanced > Environment Variables > System Variables > Path, so the command "OpenSSL" would work in an Admin Command Prompt window.

Next, I learned how to create a Certificate Authority (CA) for local use at deliciousbrains.com/ssl-certificate-authority-for-local-https-development/. This resulted in storing a created .CRT file in the machine storage location "Trusted Root Certification Authorities", which is used by local browsers when accessing HTTPS Web pages. This new CA certificate can be seen in Computer Management Console > Certificates (which might have to be added as a new MMC Snap-In) or View Certificates somewhere in the Options in any browser or by using the very useful certutil Windows command.

The specific commands used in an Admin Command Prompt (%windir%\system32\cmd.exe) for creating a local CA were:

  1. Choose a secret pass phrase and provide it whenever asked.
  2. Generate private key:
     openssl genrsa -des3 -out CA_NAME.key 2048
  3. Generate PEM certificate from the private key:
     openssl req -x509 -new -nodes -key CA_NAME.key -sha256 -days 1825 -out CA_NAME.pem
  4. Create root CA certificate:
     openssl x509 -outform der -in CA_NAME.pem -out CA_NAME.crt
  5. Install CA root certificate on local computer:
     Right-click CA_NAME.crt, choose Install Certificate.
     Certificate Import Wizard > Local Machine > Browse... > Trusted Root Certification Authorities

Note: it is not clear to me which of these pass phrases and generated files will ever be needed again, and for what purposes. Clearly, the stored CA certificate will be used as the root for any further more specific certificates on the current computer.

Next, the question I ask here is how to create a server authorization certificate for one or more websites in the localhost domain (examples: localhost/MY_WEBSITE, localhost/FOLDER/FILE.html) based on the newly installed trusted CA certificate. This would permit using browser URLs such as https://localhost/MY_WEBSITE without errors, assuming the local server listens for such secure Web requests.

I have found several algorithms, but they all appear to be either obsolete or incomplete. It is clear that part of this algorithm must be the creation of a "SAN" file that contains the list of websites that will be authorized, and that another part must be a Certificate Signing Request (CSR).

Can someone please provide such an algorithm, a list of steps like the list above, for creating and installing a localhost website certificate based on an existing local CA certificate, created as above? Please be sure to test what you propose before answering.
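
The procedure the question describes (a CSR plus a "SAN" extension file, signed by the local CA), sketched as an added example that is not part of the original post. It is written for a POSIX shell; CA_NAME.key and CA_NAME.pem are the files from the steps above, while the localhost.* file names, the 365-day lifetime and the pass-phrase argument are assumptions.

```shell
#!/bin/sh
# Added example: issue a localhost server certificate from the local CA.
# CA_NAME.key / CA_NAME.pem come from the steps above; the localhost.* file
# names and the 365-day lifetime are assumptions made for this sketch.
# Usage: sh issue.sh CA_NAME.key CA_NAME.pem PASSIN OUT_DIR
#   PASSIN is an openssl pass-phrase source, e.g. "file:ca.pass" or "stdin".

issue_localhost_cert() {
    ca_key=$1; ca_cert=$2; passin=$3; out=$4
    mkdir -p "$out" || return 1

    # 1. Server key, left unencrypted so the web server can load it unattended.
    openssl genrsa -out "$out/localhost.key" 2048 || return 1

    # 2. CSR: the server's public key plus the subject name to be certified.
    openssl req -new -key "$out/localhost.key" -subj "/CN=localhost" \
        -out "$out/localhost.csr" || return 1

    # 3. Extension ("SAN") file. Browsers match the host name against
    #    subjectAltName; URL paths such as /MY_WEBSITE are not part of a
    #    certificate, so one entry for localhost covers every site under it.
    cat > "$out/localhost.ext" <<'EOF' || return 1
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF

    # 4. Sign the CSR with the CA key; -passin unlocks the CA key's pass phrase.
    openssl x509 -req -in "$out/localhost.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -passin "$passin" -CAcreateserial -days 365 -sha256 \
        -extfile "$out/localhost.ext" -out "$out/localhost.crt" || return 1

    # 5. Confirm the new certificate chains to the CA.
    openssl verify -CAfile "$ca_cert" "$out/localhost.crt"
}

if [ "$#" -eq 4 ]; then issue_localhost_cert "$@"; fi
```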

