Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range
Other activities

Heartbleed security vulnerability - OpenSSL 1.0.1 -> See here

Install OpenSSL on a windows machine

You can use OpenSSL on a Windows machine to to proceed some cryptographic operations (generation of a private key, of a CSR, certificate conversion...).

  • Access the official website:
    Then download the "binary" program for Windows: > related > Binaries :

  • For cryptographic standard operations linked to certificates, the "Lite" version is sufficient. For certains versions of Windows (Windows 2000, windows XP...) you will have to install "Visual C++ 2008 Redistributables" as well.

Use OpenSSL on a Windows machine

The standard installation of OpenSSL under Windows is made on "C:\OpenSSL-Win32" and the executable is stored in the sub-repertory "bin". To execute the programm via the Windows xommand Prompt, provide the full path:
>C:\OpenSSL-Win32\bin\openssl.exe ( or >C:\OpenSSL-Win64\bin\openssl.exe )

a) Default configuration file: openssl.cnf

  • The version 1.0 of OpenSSL requires a "openssl.cnf" configuration file. The/usr/local/openssl repertory not being present on Windows machines.
    • a.1)You can download this example fileopenssl-dem-server-cert-thvs.cnf
      and save it in>C:\OpenSSL-Win32\ ( or >C:\OpenSSL-Win64\)
      and rename it "openssl.cnf"

    • a.2) Enter this command:
      set OPENSSL_CONF=c:\OpenSSL-Win32\openssl.cnf 

      set OPENSSL_CONF=c:\OpenSSL-Win64\openssl.cnf 

  • N.B.: In order to execute this command on a Windows machine you have to be connected in a session with administrator rights.

  • If Apache is installed on your machine, you can use this option:
    -config "C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf"

    If you still encounter the error:

    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    openssl:Error: '-config' is an invalid command.

    Execute the following command first:
     set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf

  • Concerning the version "OpenSSL v0.9.8t Light", no need for the opens.cnf file, a default configuration will be taken into account.

b)Generate the private key (.key) and the CSR (Certificate Signing Request)

To get a new certificate (or a renewal or a reissuance) you'll have to generate a new private key and a new CSR. To do so, we advise you to use our online wizard to execute the OpenSSL command with the adequate parameters.

Example of the command to execut:

>C:\OpenSSL-Win32\bin\openssl.exe req -new -newkey rsa:2048 -nodes -out -keyout -subj "/C=FR/ST=Calvados/L=CAEN/O=My organization/"

Save and keep safe the file containing the private key (.key) and only copy/paste the content of the .csr file in the order form.

Issues encountered on Windows while generating a CSR via one command

According to the version of OpenSSL you installed or to the the installation method on Windows, you may encounter error messages such as:

  • config or req is not recognized as an internal or external command
    Check the syntax and the quotes when executing your command.

  • Unable to load config info from /usr/local/ssl/openssl.cnf
    OpenSSL relies here on a Linux default arborescence.

Troubleshooting: execute simplified commands:

- To launch the command prompt, go to the start menu and execute "cmd".
- To paste the following command lines in dos command prompt, right click and select paste.
- To go to the repertory in which is installed OpenSSL, execute:

cd c:\
cd OpenSSL (ou cd OpenSSL-Win32)
cd bin

  • The private key is generated with the following command. Define a file name that suits you:
    C:\OpenSSL\bin\openssl.exe genrsa 2048 > site-file.key

  • then use this command to generate the CSR:
    C:\OpenSSL\bin\openssl.exe req -new -key site-file.key > site-file.csr

    or this one:
    C:\OpenSSL\bin\openssl.exe req -new -key site-file.key -config "C:\OpenSSL\openssl.cnf" -out site-file.csr

    On some platforms, theopenssl.cnf file that OpenSSL reads by default to create the CSR is not the right one or does not exist. In that case download ours and store it in C:\OpenSSL\openssl.cnf:

  • You'll be asked by the system to fill-in fields ; Fill them in and respect the instructions (more information onObtain a server certificate)

    Country Name (2 letter code) []: (FR for example)
    State or Province Name (full name) [Some-State]: (the name of your state in full letters)
    Locality Name (eg, city) []: (the name of your city)
    Organization Name (eg, company) []: (the name of your organization)
    Organizational Unit Name (eg, section) []: (let blank - advised - or provide a generic term such as "IT department")
    Common Name (eg, YOUR name) []: (the name of the site to be secured)
    Email Address []: (let blank)

    Let the other fields blank, they are optional.

You'll get 2 files: site-file.key and site-file.csr. Keep the private key file safe (site-file.key) and copy/paste the content of the site-file.csr file in the order form.
Warning: Do not ever give us or any other third part the private key file. It would then be compromised and the security of your site would be as well.

OpenSSL: cases of uses

OpenSSL is the toolbox mainly used by opensource software for SSL implementation.