September 27, 2020

OpenSSL - WARNING: can't open config file: C:/OpenSSL/openssl.cnf

After installing openssl, we have to tell it where its config file is. Otherwise it will print a warning message for every command we run. For example, suppose you run this command to generate a private key:

openssl genrsa -out mycertificate.key 4096

It will give you the following warning message:

WARNING: can't open config file: C:/OpenSSL/openssl.cnf
Generating RSA private key, 4096 bit long modulus
......................++
.....................................................++
unable to write 'random state'
e is 65537 (0x10001)

To fix this issue, we have to tell openssl where to find its .cnf file.

We can do this in one of the following ways.

  • Before starting to create private keys or CSRs from the openssl command prompt, run this command to set its config file path.
    set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf
    You can find this cnf file inside the bin folder, at the root of the path where you installed openssl.
  • Set the same variable OPENSSL_CONF in the Windows environment variables, with the path to the config file on your system.
  • You can pass the -config parameter with the config file path on each openssl command that accepts it (req, for example), i.e.
    openssl ....................  -config C:\OpenSSL\bin\openssl.cnf
  • If you are using PowerShell, you can set the environment variable like this:
    $env:OPENSSL_CONF = "C:\OpenSSL\bin\openssl.cnf"

September 26, 2020

OpenSSL - Generate Private Key, CSR and Certificate

OpenSSL is a robust, commercial-grade tool for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It's an open-source command-line tool that is commonly used to:

  • Generate private keys
  • Create CSRs
  • Install your SSL/TLS certificate
  • Identify certificate information.

In this post we will see how to generate private keys, CSRs and certificates.

If you do not have openssl already installed, you can download it from https://www.openssl.org/source/

Let's start by creating the CSR and then the self-signed certificate.

Generate a private key.

Run this command to generate a private key (it is written to mycertificate.key unencrypted, so restrict who can read that file):

openssl genrsa -out mycertificate.key 4096

Create a certificate signing request (CSR)

This is a .csr file that you would normally send to a Certificate Authority (CA) (e.g., DigiCert) to request a public SSL certificate. Since we are generating a self-signed certificate, we will not send the generated CSR to a CA; instead we will create our own certificate (.cer file) using openssl.

The CSR contains the common name and some other information. Here is the command you need to create the CSR.

openssl req -sha256 -new -key mycertificate.key -out mycertificate.csr

After entering this command, you will be asked a series of questions.

Here is a short description of the questions.

  • Country Name (2 letter code): The two-letter country code where the company is legally located.
  • State or Province Name (full name): The state/province where the company is located.
  • Locality Name (e.g., city): The city where the company is located.
  • Organization Name (e.g., company): Company's legally registered name (e.g., MyCompany).
  • Organizational Unit Name (e.g., section): The name of the department within the organization. (To leave it blank, simply press Enter.)
  • Common Name (e.g., server FQDN): The fully-qualified domain name (FQDN) (e.g., www.mycompany.com).
  • Email Address: Your email address. (To leave it blank, simply press Enter.)
  • A challenge password: Your password. (To leave it blank, simply press Enter.)
  • An optional company name: Optional company name. (To leave it blank, simply press Enter.)

Your answers to these questions will be embedded in the CSR.

The above command stores the CSR in the mycertificate.csr file.

Generate a certificate (cer file) from CSR.

Run this command to create the certificate (.cer) file from the CSR.

openssl x509 -req -sha256 -days 365 -in mycertificate.csr -signkey mycertificate.key -out mycertificate.cer

Using our previously generated key and CSR, here we generate the certificate (.cer) file with a validity of 365 days.

Convert .cer file to .crt file.

You can use the following command to create a .crt file from the .cer file (you may need the .crt if you want to create a child certificate signed by this mycertificate):

openssl x509 -inform PEM -in mycertificate.cer -out mycertificate.crt

Extract Public Key

If you want to extract the public key, you can use this command:

openssl rsa -in mycertificate.key -pubout > mycertificate.pub

It will write the public key to the mycertificate.pub file.

Generate PFX (or PKCS#12) file for the certificate.

The PFX or PKCS#12 format is a binary format for storing the certificate and private key in a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. The command below asks for an export password, which is used to encrypt the file.

openssl pkcs12 -export -out mycertificate.pfx -inkey mycertificate.key -in mycertificate.cer
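
As an added example (not part of the original post), here are the same key, CSR and certificate steps run without the interactive questions, followed by a check that all three files carry the same public key. It goes a little beyond the post by putting the subject and a subjectAltName in a request config file; mycertificate.cnf and the subject values other than www.mycompany.com are assumptions, and openssl is assumed to be on PATH.

```powershell
# Added example, not from the original post. Assumes openssl is on PATH.
# mycertificate.cnf and the [dn] values are constructed for illustration.
@'
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
C  = US
ST = Example State
L  = Example City
O  = MyCompany
CN = www.mycompany.com

[v3_req]
subjectAltName = DNS:www.mycompany.com
'@ | Set-Content -Path mycertificate.cnf -Encoding ascii

# Key and CSR; "prompt = no" takes the subject from [dn] instead of asking questions.
openssl genrsa -out mycertificate.key 4096
openssl req -new -sha256 -key mycertificate.key -config mycertificate.cnf -out mycertificate.csr

# x509 -req does not copy the CSR's requested extensions by default,
# so the same section is named again through -extfile / -extensions.
openssl x509 -req -sha256 -days 365 -in mycertificate.csr -signkey mycertificate.key `
    -extfile mycertificate.cnf -extensions v3_req -out mycertificate.cer
if ($LASTEXITCODE -ne 0) { throw 'certificate generation failed' }

# The public key printed from the key, the CSR and the certificate must be identical.
# -cne is the case-sensitive comparison; base64 text is case-sensitive.
$fromKey  = (openssl rsa  -in mycertificate.key -pubout) -join "`n"
$fromCsr  = (openssl req  -in mycertificate.csr -noout -pubkey) -join "`n"
$fromCert = (openssl x509 -in mycertificate.cer -noout -pubkey) -join "`n"
if (-not $fromKey -or $fromKey -cne $fromCsr -or $fromKey -cne $fromCert) {
    throw 'key, CSR and certificate do not carry the same public key'
}

# Review what was issued: subject, validity window and the SAN entry.
openssl x509 -in mycertificate.cer -noout -subject -dates
openssl x509 -in mycertificate.cer -noout -text |
    Select-String 'Subject Alternative Name' -Context 0,1
```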

September 7, 2020

Host Django site in IIS

Django is a free, open source web framework written in the Python language.

A web framework is a software framework that provides a standard way to build web applications. It allows web developers to focus on developing the business requirements rather than reinventing the wheel every time for standard, secure web applications.

In this post we will create a django project and host it in IIS.

It is best practice to provide a dedicated environment for each Django project you create; it allows you to run different versions of django for different applications on the same machine. There are many options to manage environments within the Python ecosystem. We will use Python's default package venv for managing environments.

Create django project

Following are the steps you need to create a django project.

  • To create a virtual environment for your project, open a new command prompt, navigate to the folder where you want to create your project and then run the following command:

    	python -m venv myproject_env
    

    In this example, I have executed this command at c:\projects. The above command will create a virtual environment, and you will see a new folder named myproject_env at the path where you executed this command.

  • Next, we need to activate the environment. Run this command from the command prompt (from the same path).

    	.\myproject_env\Scripts\activate
    

    We have set up our virtual environment.

  • Let's create a new directory named src.

    	mkdir src 
    

    We have src folder at c:\projects.

  • Move to src folder

    	cd src
    
  • and install django by using this command.

        pip install Django
    

    This will install the latest release of django.

  • Create a new django project (from the command prompt at the src folder):

    	django-admin startproject myproject
    
  • From the new myproject folder (the one that contains manage.py), execute the manage.py runserver command. It will start the django site with the development server at http://127.0.0.1:8000/

    	python manage.py runserver
    
  • Enter this URL in the browser and you will see django's default page rendered successfully.

Install and enable wfastcgi

wfastcgi:

wfastcgi.py provides a bridge between IIS and Python using WSGI and FastCGI. It can be used with any Python web application or framework that supports WSGI.

  • Run the following command to install wfastcgi

    	pip install wfastcgi
    
  • After installing wfastcgi, we need to enable it using:

    	wfastcgi-enable
    

    Note that you need to open the command prompt with elevated privileges.

    If the above command is executed successfully, it will display output similar to this:

    Applied configuration changes to section "system.webServer/fastCgi" 
        for "MACHINE/WEBROOT/APPHOST" 
        at configuration commit path "MACHINE/WEBROOT/APPHOST"
    

Host django site in IIS

We have a working django site. Following are the steps to make django work under IIS.

  • Copy the project's folder (the folder which contains the actual source code, in our case the myproject folder located at c:\projects\src) into wwwroot.

  • Create a new website in IIS with name myproject.

    In our example we are using port 82 for the new website.

  • Open the Handler Mappings section.

  • Click on Add Module Mapping link on the right side:

  • In Add Module Mapping dialog box, enter * for Request Path.

  • From Module dropdown, select FastCgiModule.

  • In the Executable textbox, enter the paths to python.exe and wfastcgi.py on a single line, separated by the | sign. In our case the value is:

    "c:\projects\myproject_env\scripts\python.exe|c:\projects\myproject_env\lib\site-packages\wfastcgi.py"
    	

    You need to change the path as per your environment.

  • Enter any desired name in the Name field. In our case, it is Django Handler.

  • Click the Request Restrictions button to open its dialog box.

  • Uncheck the checkbox Invoke handler only if request is mapped to:

  • Then click OK on both dialog boxes.

  • It will ask you to create a FastCGI application.

    Click Yes.

  • It creates a web.config file in the project's root folder, which we copied into wwwroot (C:\inetpub\wwwroot\myproject). Open the web.config file and update the content as below:

    	<?xml version="1.0" encoding="UTF-8"?>
    	<configuration>
    		<system.webServer>
    			<handlers>
    				<!-- scriptProcessor is "<python.exe>|<wfastcgi.py>" on one line, the same value as in the Executable textbox -->
    				<add
    					name="Django Handler"
    					path="*" verb="*"
    					modules="FastCgiModule"
    					scriptProcessor="c:\projects\myproject_env\scripts\python.exe|c:\projects\myproject_env\lib\site-packages\wfastcgi.py"
    					resourceType="Unspecified"
    					/>
    			</handlers>
    		</system.webServer>
    		<appSettings>
    			<add key="WSGI_HANDLER" value="myproject.wsgi.application" />
    			<add key="PYTHONPATH" value="C:\inetpub\wwwroot\myproject" />
    			<add key="DJANGO_SETTINGS_MODULE" value="myproject.settings" />
    		</appSettings>
    	</configuration>
    
    

    Make sure to change the project name and path as per your settings.

That's it. We have set up the django site in IIS. Navigate to the following link in the browser:

	http://localhost:82/

You can change the port number if you configured a different one when creating the website in IIS.

And you will see the django default page.

If you get any error, check that you have given the proper rights on the project folder to DefaultAppPool.
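
One way to run the permission check mentioned above, together with a sanity check of the web.config handler entry, as an added PowerShell example that is not part of the original post. It assumes the post's paths and the DefaultAppPool identity (IIS AppPool\DefaultAppPool), must be run from an elevated prompt, and grants read and execute only.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Paths and pool name are the ones used in the post; change them for your setup
# (use your site's own application pool if it is not DefaultAppPool).
$site    = 'C:\inetpub\wwwroot\myproject'
$appPool = 'IIS AppPool\DefaultAppPool'

# 1. Load web.config and pick the FastCGI handler entry.
[xml]$cfg = Get-Content -LiteralPath (Join-Path $site 'web.config') -Raw
$handler  = @($cfg.configuration.'system.webServer'.handlers.add |
              Where-Object { $_.modules -eq 'FastCgiModule' })[0]
if (-not $handler) { throw 'No FastCgiModule handler found in web.config' }

# 2. scriptProcessor must be "<python.exe>|<wfastcgi.py>" on one line. IIS matches
#    this string against the registered FastCGI application, so whitespace left
#    around "|" by a wrapped value can break the lookup.
$sp = $handler.scriptProcessor
if ($sp -match '\s\||\|\s') { Write-Warning "Whitespace around '|' in scriptProcessor: $sp" }
$parts = @($sp -split '\|' | ForEach-Object { $_.Trim() })
if ($parts.Count -ne 2) { throw "Unexpected scriptProcessor value: $sp" }
foreach ($p in $parts) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
}

# 3. Grant the pool identity read and execute only (no write) on the site folder
#    and on the virtual environment that holds python.exe and wfastcgi.py.
$venv = Split-Path -Parent (Split-Path -Parent $parts[0])   # ...\myproject_env
foreach ($dir in @($site, $venv)) {
    icacls $dir /grant "${appPool}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $dir" }
}

# 4. Show the resulting ACL so the new entry can be reviewed.
icacls $site
```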