OpenSSL (TLS) Cheat Sheet

Environment

OpenSSL Light 1.0.1f (64-bit)
Windows Server 2008 R2 (64-bit)
Microsoft Visual C++ 2008 Redistributable.

Installing the OpenSSL (TLS) Toolkit on a Windows Server

OpenSSL is an implementation of the Transport Layer Security (TLS) cryptographic protocol used by many applications, most notably the Apache HTTP server. TLS’s predecessor was named Secure Sockets Layer (SSL), and is the name by which most people still refer to this protocol. OpenSSL contains a toolkit for generating certificates as well as a library of cryptography routines.

The OpenSSL project provides source code only. In order to easily install OpenSSL in its already-compiled binary form, the OpenSSL project recommends that the OpenSSL for Windows package be used. The OpenSSL for Windows installer was created by a company called Shining Light Productions and comes in two flavors. The Light version contains just the binaries needed to run applications and compile programs against. The “full” version contains the same binaries in the Light version as well as 25 or so test programs.

The OpenSSL for Windows Light installer will place the following binaries on your system:

openssl.exe—The OpenSSL toolkit program.
libeay32.dll and ssleay32.ddl—The OpenSSL libraries, used for programming.

Note: The OpenSSL for Windows (a/k/a Win32 OpenSSL Installation Project) requires that the system have the Microsoft Visual C++ 2008 Redistributable software.

Installation

Download the OpenSSL for Windows Light installer and run it. Take note that there are 32- and 64-bit versions.
If your system does not have the Microsoft Visual C++ 2008 Redistributable software installed then the installer will complain about this and you will have to install that software first and then re-run the OpenSSL installer.
Click the Next button in the Welcome screen.
Accept the license agreement, then click the Next button.
Specify the directory you wish to install OpenSSL for Windows to, then click the Next button. Note that the default location is C:\OpenSSL-Win64 and not the Program Files directory.
Specify the Start Menu folder name to make the OpenSSL shortcuts available in, then click the Next button.
Indicate whether you would like the OpenSSL binaries placed in the Windows system directory or in the OpenSSL binaries directory (see step 5 above). For a server, it makes the most sense to place the binaries in the Windows system directory so that applications can easily locate them. However, this option does not seem to work and the binaries always end up in the OpenSSL directory, so be sure to modify your system PATH variable to inculde this directory. Click the Next button.
Click the Install button.
Click the Finish button.

Configuration

To make sure that OpenSSL has been installed properly, open a command prompt and change your directory to the directory you installed OpenSSL to, then type this command:

cd/d c:\openssl-win64\bin
openssl version

You should see something like this:

OpenSSL 1.0.1f 06 Jan 2014

Also, make sure that you are running the correct openssl.exe program (i.e., make sure the program is not in another directory listed in your PATH):

where openssl

If this command does not show the correct openssl.exe program then you may have to change your system’s PATH variable.

Define Config Variable

Create the system environment variable OPENSSL_CONF to point to the config file. For example, set it to:

C:\OpenSSL-Win64\bin\openssl.cfg

After setting this environment variable, verify that it is correct by opening a new command prompt and typing:

type %OPENSSL_CONF%

Directories

Create directories for the SSL certificates. I like to create a directory named ssl, for example G:\admin\ssl, with two subdirectories:

G:\admin\ssl\certs

G:\admin\ssl\private

..........

Next Steps

Read the documentation for the openssl command line tool and the documentation for the library routines.

References

Setting up OpenSSL to Create Certificates

Comments