Generating an SSL certificate on Windows without IIS

From: http://luke.breuer.com/time/item/Generating_an_SSL_certificate_on_Windows_without_IIS/634.aspx
Luke Breuer
2009-09-30 22:26 UTC
tags: ssl-certificate, certificate-signing-request, sql-server
Introduction

This article describes how to use OpenSSL, free software, to create certificate signing requests (CSRs) for SSL certificates, submit them to certificate authorities (CAs), and then process the response into a certificate file that can be imported into the Windows certificate store.
Almost every website that describes how to generate SSL certificates on Windows assumes the use of IIS or Windows Certificate Services. IIS does have a nice GUI for generating CSRs and then processing the response from the CA into a certificate Windows can use, but it is not always installed (SSL is used for more than just serving web pages). Windows Certificate Services may not be in use either, especially at smaller businesses. I needed to create a certificate, signed by GoDaddy, for use by SQL Server.
OpenSSL

OpenSSL is useful for many SSL-related things; in our case, we use it to:
- generate a CSR (to be sent to the CA) and a private key
- combine the response from the CA with the private key to create a certificate file Windows will import
I got most of my information from Useful OpenSSL Commands.
Install OpenSSL

I installed OpenSSL from SourceForge; I find that the first download labeled "setup" works well.
Generate a CSR

Here's an example command that works on 64-bit Windows (notice the (x86) in the config path):

>openssl req -new -newkey rsa:2048 -keyout hostkey.pem -nodes -out hostcsr.pem -config "c:\program files (x86)\gnuwin32\share\openssl.cnf"
You'll note that the directions I linked to above do not specify the -config switch. If you omit it, OpenSSL errors out, because there is no default location for config files on Windows. Here is the error:
Unable to load config info from /usr/local/ssl/openssl.cnf
After you run the above, you'll be prompted to enter the information for the CSR. If using SQL Server, you must enter the fully qualified domain name (FQDN) of the server as the Common Name. When prompted for 'extra' attributes, do not specify a challenge password, or you will get something like the following error:
Error adding attribute 
4516:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:./crypto/asn1/asn1_lib.c:381: 
4516:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:./crypto/x509/x509_att.c:317: 
problems making Certificate Request
If all went well, you will now have hostkey.pem and hostcsr.pem in the working directory. hostcsr.pem is what you send to the CA; often you'll just copy the contents into some text field in a web form. hostkey.pem contains your private key and should never be transmitted to a CA.
Generate a PK12 (PKCS#12) certificate

If all went well, you should have gotten a response from your CA with something like a .crt file. I put in the equivalent of some.example.com as the Common Name and got the file some.example.com.crt from GoDaddy. Drop that file in the same directory as hostkey.pem, which you created when generating the CSR. Windows cannot directly use these two files; instead, you need to convert them into a PK12 file like so:

>openssl pkcs12 -export -in some.example.com.crt -inkey hostkey.pem -out some.example.com.p12
Import the certificate into Windows

Now you're ready to import the certificate (some.example.com.p12). The following covers importing a certificate to be used by SQL Server; you might want to tweak where you import the certificate for other purposes.

To open the Certificates snap-in, follow these steps:

1. To open the MMC console, click Start, and then click Run. In the Run dialog box type: mmc
2. On the Console menu, click Add/Remove Snap-in....
3. Click Add, and then click Certificates. Click Add again.
4. You are prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
5. Select Local computer, and then click Finish.
6. Click Close in the Add Standalone Snap-in dialog box.
7. Click OK in the Add/Remove Snap-in dialog box. Your installed certificates are located in the Certificates folder in the Personal container.

Use the MMC snap-in to install the certificate on the server:

1. Click to select the Personal folder in the left-hand pane.
2. Right-click in the right-hand pane, point to All Tasks, and then click Import....
3. Follow the wizard.

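The whole procedure above (key and CSR, the CA's reply, the PK12 file, the import into the computer's Personal store), wrapped as an added PowerShell example. This is not code from the original article: the openssl.exe and openssl.cnf paths mirror the GnuWin32 install used in the text, the FQDN, file names and the Import-PfxCertificate cmdlet (PKI module, Windows 8 / Server 2012 or later) are assumptions, and -subj plus -batch replace the interactive prompts so the challenge password that trips up the request is never asked for. It adds the checks a practitioner wants before handing the key to Windows: the CSR signature is verified, the CA's certificate is compared against the private key by RSA modulus, the .p12 gets a random export password rather than being written unprotected, and the import is confirmed to carry a private key.

```powershell
# Added example, not part of the original article.  Paths, FQDN and file names are assumptions
# mirroring the article's GnuWin32 / GoDaddy setup; adjust them to your system.
$OpenSsl  = 'C:\Program Files (x86)\GnuWin32\bin\openssl.exe'    # assumed install path
$Config   = 'C:\Program Files (x86)\GnuWin32\share\openssl.cnf'  # mandatory: no default on Windows
$Fqdn     = 'some.example.com'                                   # the server's FQDN = Common Name
$KeyFile  = 'hostkey.pem'
$CsrFile  = 'hostcsr.pem'
$CertFile = "$Fqdn.crt"                                          # what the CA sends back
$PfxFile  = "$Fqdn.p12"

function Invoke-OpenSsl {
    # Runs openssl and turns a non-zero exit code into a PowerShell error.  stderr is deliberately
    # not redirected: Windows PowerShell 5.1 treats redirected native stderr (openssl's progress
    # dots) as an error under -ErrorAction Stop, so only the exit code is checked.
    param([string[]]$Arguments)
    $stdout = & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments[0]) exited with code $LASTEXITCODE" }
    return $stdout
}

function New-HostKeyAndCsr {
    # Step 1 (article: "Generate a CSR").  -subj and -batch make the run non-interactive, which also
    # guarantees the challenge password is left empty.  -nodes writes the private key UNENCRYPTED
    # to disk, exactly as in the article, so the working directory must be access-restricted.
    Invoke-OpenSsl @('req', '-new', '-newkey', 'rsa:2048', '-nodes', '-batch',
                     '-subj', "/CN=$Fqdn",
                     '-keyout', $KeyFile, '-out', $CsrFile, '-config', $Config) | Out-Null
    # Check the request's self-signature before pasting it into the CA's web form.
    Invoke-OpenSsl @('req', '-noout', '-verify', '-in', $CsrFile, '-config', $Config) | Out-Null
    # Show the subject that will be submitted, so a wrong Common Name is caught now, not after paying.
    Invoke-OpenSsl @('req', '-noout', '-subject', '-in', $CsrFile, '-config', $Config)
}

function Test-CertMatchesKey {
    # Step 2: the CA's certificate must carry the public key from hostkey.pem.  Comparing the RSA
    # modulus of both catches the common mistake of pairing a cert with a regenerated key.
    $keyMod  = Invoke-OpenSsl @('rsa',  '-noout', '-modulus', '-in', $KeyFile)
    $certMod = Invoke-OpenSsl @('x509', '-noout', '-modulus', '-in', $CertFile)
    if ($keyMod -ne $certMod) { throw "$CertFile does not match the private key in $KeyFile" }
}

function Export-Pkcs12 {
    # Step 3 (article: "Generate a PK12 certificate"), with a random export password instead of the
    # interactive prompt so the .p12 is never written unprotected.  Returns the password.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)
    Invoke-OpenSsl @('pkcs12', '-export', '-in', $CertFile, '-inkey', $KeyFile,
                     '-name', $Fqdn, '-out', $PfxFile, '-passout', "pass:$password") | Out-Null
    # If the CA also supplied an intermediate bundle, add: '-certfile', '<bundle-file-from-CA>'
    return $password
}

function Import-ServerCertificate {
    # Step 4 (article: MMC import into Computer account -> Personal), done from the shell.
    param([string]$Password)
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation 'Cert:\LocalMachine\My' -Password $secure
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
    if ($cert.Subject -ne "CN=$Fqdn") { throw "Unexpected subject: $($cert.Subject)" }
    Remove-Item $PfxFile   # the store now holds the key; do not leave a portable copy behind
    return $cert
}

# Usage: run step 1, submit hostcsr.pem to the CA, save its reply as some.example.com.crt,
# then run the remaining steps in the same directory.
# New-HostKeyAndCsr
# Test-CertMatchesKey
# $cert = Import-ServerCertificate -Password (Export-Pkcs12)
# $cert | Format-List Subject, NotAfter, Thumbprint, HasPrivateKey
```

Two things the script does not change from the article but that matter in practice: current CAs and clients require a subjectAltName, so on OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:$Fqdn" to the req arguments (older builds such as the 2009 GnuWin32 package do not have that switch), and a service such as SQL Server can only use the certificate if its service account has read access to the imported private key, so the private key that -nodes left in hostkey.pem should be deleted once the import has been confirmed.
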
If you are setting up SQL Server encryption, all the above should fit nicely into  this article.
