Generate Domain CA validated SSL for PowerSchool Test Server

Scenario

I want to add a proper SSL certificate, generated with OpenSSL, to my PowerSchool test server, which runs inside my local (AD-joined) domain.

Assumptions

  • Domain name: school.local
  • PowerSchool test server name: abc001 (abc001.school.local)
  • Internal Microsoft server acting as the local CA: ca.school.local

Export Internal Root CA with Private Key from Microsoft Certificate

To issue a certificate for the PowerSchool test server that validates within the local domain, we need the root CA certificate and its private key.

  1. Log on to the Domain Controller / certificate server that has the target Certificate Authority installed.
  2. Open the Certificate Authority MMC (run certsrv.msc).
  3. Right-click the CA name in the tree (“npgftl-FTLRNPGDC1-CA” in the example), and select All Tasks > Back up CA.
  4. On the Certification Authority Backup Wizard screen, click Next.
  5. On the Items to Back Up page, select Private key and CA certificate, enter a location in which to save the file, and click Next.
  6. On the Select a Password page, enter a password and confirm it. This password will be required when processing and importing the key into another server.
  7. Click Next and then Finish. When the process is complete, you will have a .p12 file (for example, CA_name.p12) in the folder you specified. This file contains both the CA certificate (public key) and its private key.
  8. From the backup location, take the rootCA.p12 file and extract the private key and certificate from the PKCS#12 container (generate .key and .crt from the PKCS12 file):
# Private key (you are prompted for the .p12 password, then for a pass phrase that encrypts the output)
openssl pkcs12 -in rootCA.p12 -nocerts -out rootCA-key.pem

# Certificates
openssl pkcs12 -in rootCA.p12 -clcerts -nokeys -out rootCA-cert.pem

Generate configuration file ‘abc001.school.local.csr.cnf’

Create the configuration file for the CSR (Certificate Signing Request) in a text editor such as Notepad, similar to the one below:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=BH
ST=Riffa
L=Riffa
O=ABC School Bahrain
OU=PowerSchool
emailAddress=admin@abc.com
CN=abc001.school.local

Create a v3.ext file with the list of local SAN (Subject Alternative Name) entries:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=abc001.school.local
# An IP address goes in an IP entry; clients do not match addresses against DNS entries
IP.1=172.168.10.160

Create a private key and certificate-signing request (CSR) for the abc001.school.local certificate

openssl req -new -sha256 -nodes -out abc001.school.local.csr \
-newkey rsa:2048 -keyout abc001.school.local.key \
-config abc001.school.local.csr.cnf

Issue a certificate via the root SSL certificate and the CSR created earlier

openssl x509 -req -in abc001.school.local.csr -CA rootCA-cert.pem \
-CAkey rootCA-key.pem -CAcreateserial -out abc001.school.local.crt \
-days 500 -sha256 -extfile v3.ext
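
A way to check the issued certificate before installing it (an added example, not part of the original page): the script builds a constructed throwaway CA in place of rootCA-cert.pem and rootCA-key.pem, signs the CSR with the v3.ext settings above, and uses `openssl verify` to compare an address listed as a `DNS.n` entry with the same address listed as an `IP.n` entry. The helper names and temporary file names are assumptions.

```shell
#!/bin/sh
# Added example. A constructed throwaway CA stands in for rootCA-cert.pem and
# rootCA-key.pem; helper names (setup, issue, name_ok, key_matches) are hypothetical.
W=$(mktemp -d)
CA="$W/rootCA-cert.pem"

# Create the stand-in CA plus the server key and CSR.
setup() {
  printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' 'CN=Constructed Test CA' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > "$W/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$W/ca.cnf" \
    -keyout "$W/rootCA-key.pem" -out "$CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj '/CN=abc001.school.local' \
    -keyout "$W/abc001.key" -out "$W/abc001.csr" 2>/dev/null
}

# issue <alt_names line for the address> <out.crt>: v3.ext and signing as on the page.
issue() {
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' '[alt_names]' 'DNS.1=abc001.school.local' "$1" > "$W/v3.ext"
  openssl x509 -req -in "$W/abc001.csr" -CA "$CA" -CAkey "$W/rootCA-key.pem" \
    -CAcreateserial -out "$2" -days 2 -sha256 -extfile "$W/v3.ext" 2>/dev/null
}

# name_ok <crt> <-verify_hostname|-verify_ip> <value>: chain check plus name check.
name_ok() { openssl verify -CAfile "$CA" "$2" "$3" "$1" >/dev/null 2>&1; }

# key_matches <crt> <key>: certificate and private key share one RSA modulus.
key_matches() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

setup
issue 'DNS.2=172.168.10.160' "$W/san-dns.crt"   # address typed as a DNS name
issue 'IP.1=172.168.10.160'  "$W/san-ip.crt"    # address typed as an iPAddress
for c in san-dns san-ip; do
  name_ok "$W/$c.crt" -verify_ip 172.168.10.160 && r=accepted || r=rejected
  echo "$c.crt: connection by IP address is $r"
done
```

Both certificates chain to the CA and match the host name; only the one with the `IP.1` entry passes the address check, because an IP address is compared against iPAddress SAN entries only.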

Convert generated PKCS8 Format Key to Traditional RSA key format

PowerSchool will only accept a key in the traditional RSA format.

# On OpenSSL 3.x, add -traditional; without it the output stays in PKCS8 format
openssl rsa -in abc001.school.local.key -text \
-out abc001.school.local_rsa.key

# Traditional RSA key format
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

# PKCS8 Format
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----

Resources

  • [How to Create Trusted Self-Signed SSL Certificates and Local Domains for Testing](https://medium.com/better-programming/trusted-self-signed-certificate-and-local-domains-for-testing-7c6e6e3f9548)
  • [How to Export Internal Root CA with Private Key from Microsoft Certificate](https://support.citrix.com/article/CTX224970)
  • [Create Your Own Self Signed X509 Certificate](https://www.youtube.com/watch?v=1xtBkukWiek)
  • [Create & sign SSL/TLS certificates with openssl](https://www.youtube.com/watch?v=7YgaZIFn7mY)

# Additional Notes
# Merge key (PEM) and certificate (PEM) into a single file (PKCS12)
openssl pkcs12 -export \
-in my-cert.pem -inkey my-key.pem \
-out my-pfx-cer.pfx