Working with 'openssl' utility.
'openssl' utility provides various useful commands for performing different opertions on certificates and private key files. Using the 'req' command we can create self-signed certs and certificate requests.
Creating a selfsigned certificate using openssl.
The 'req' command of openssl utility can be used to create self signed certs.
root@bala-VirtualBox:/home/bala/# openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.pem -subj '/O=Company/OU=Department/CN=www.example-ca.com'
Generating a 1024 bit RSA private key
.....................++++++
.........++++++
writing new private key to 'server.key'
Running the above commands creates two files the public certificate(server.pem) and private certificate / private key(server.key)
root@bala-VirtualBox:/home/bala/MyTrials/sslcerts# ls
server.key server.pem
Let us look at what the options used in the above command mean:
-x509 identifies that a certificate is required, rather than just a certificate request (see below).
-days 365 sets the certificate to expire in a year. You may want to extend this period. Make a note of the expiry date so that you can renew it when necessary!
-sha1 specifies that SHA1 encryption should be used.
-newkey rsa:1024 sets the key as 1024 bit RSA.
-nodes specifies no passphrase. (Otherwise apache would ask for a password everytime it restarts).
-keyout and -out specify where to store the certificate and key. The key should be root-readable only; the certificate can be world-readable, and must be readable by the user that Apache runs as.
-subj flag sets the company name, department name, and the web site address. If you leave these out, you'll be prompted for them. The CN must be the same as the address of your web site, otherwise the certificate won't match and users will receive a warning when connecting. Make sure you don't use a challenge password.
What does the public certificate and private key files look like.
The above command created the public certificate and private key's in PEM format which is a Base64 encoded version of the certificate and the key's content.
root@bala-VirtualBox:/home/bala/MyTrials/sslcerts# cat server.pem
-----BEGIN CERTIFICATE-----
MIICVjCCAb+gAwIBAgIJAKK+9tt+i9P+MA0GCSqGSIb3DQEBBQUAMEQxEDAOBgNV
BAoMB0NvbXBhbnkxEzARBgNVBAsMCkRlcGFydG1lbnQxGzAZBgNVBAMMEnd3dy5l
eGFtcGxlLWNhLmNvbTAeFw0xMzA3MzExNDUwMTNaFw0xNDA3MzExNDUwMTNaMEQx
EDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAsMCkRlcGFydG1lbnQxGzAZBgNVBAMM
End3dy5leGFtcGxlLWNhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ro1wW5/+ID5OaJNbG/ecMWnHZgcDIJED2uTCIDbe5tIubPaMs2Tj1GJ3hiNrsC0Y
IY7SY5USoTeN0Q0exb0DRP4X3hh1Y3HLtF8yCh/aUhXqxcd8kSLKLdIX8vKcOLLF
mXWk2wqFPXkHatZBFZw4aBfmPA164cznGqI5ELNlkSsCAwEAAaNQME4wHQYDVR0O
BBYEFAu63UbEF+ea6/teGZGvtB8DqYtsMB8GA1UdIwQYMBaAFAu63UbEF+ea6/te
GZGvtB8DqYtsMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAe+tDrTNe
/oj77pI2o3k8u29HX/cxhxZpDzvvbVP+ezGL2KRweHsJg9J1d40dpoCZFaHDCHga
GLxI8ecC/lWZYOr/yJcCurF0+zAXsGRZ3d35xF/ITP1enKCb+XaDIoOP/LKNglwk
qeHouhABGWyTENS+X8rT5TqpyNy69IuFkZs=
-----END CERTIFICATE-----
root@bala-VirtualBox:/home/bala/MyTrials/sslcerts# cat server.key
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAK6NcFuf/iA+TmiT
Wxv3nDFpx2YHAyCRA9rkwiA23ubSLmz2jLNk49Rid4Yja7AtGCGO0mOVEqE3jdEN
HsW9A0T+F94YdWNxy7RfMgof2lIV6sXHfJEiyi3SF/LynDiyxZl1pNsKhT15B2rW
QRWcOGgX5jwNeuHM5xqiORCzZZErAgMBAAECgYEAni7hFreL9a5hIhX/5/1hl8oT
gJt0MwwX4UOTxNvU7nqkxew8n8obSXoedPoeeh6zkp26fbI3mtAcfcmVDH94uIqk
hOkq7AFWbkDmFCAwJB6CJWdaLdicP3Qrzpyz7emq0qsHtjxlFS4OHBuPtthTh8fJ
Ey0rsA+B2VTI056NIaECQQDefpHSIm1omTY1U8LQI1AnM76nihkgCl5y0xRNrSAb
07aVP604DdPRcsMFMJ9CZ46JtlR58YrwytDBfaVJfS3xAkEAyNamaUPZFyGFKYjx
83drQBt/7kNERywjoWBz98YHLnzDGuc4BSa6U+oLUMCoUSiskyl3CfPuPIxAm5RT
oI+E2wJAWwZ1Kf8ju7NS1iZagUSxOhiVW33IIa+cTGXG3LCDfl7zR8QxXclqazoE
R09JGKW9TuHlVa5YJYMUPNTmllY8QQJBAKjarza5cH/eEtME7EdCE83mUPzFWVZt
add3/IhI2ijfhDnORG8wTF/Y2oKeN+VkSRPBPPAFQjttv7QOVPEdORkCQGexGcqN
qVgmGIf9LGaumvJzEiNwKmRW/s1/ypqQNLr3LuPw9P96BlbFQCLFWbB1nfCfZ0q5
ObHpOPjys7zWy6M=
-----END PRIVATE KEY-----
To actually look at what information is contained in these files, we can use -text option of the openssl commands 'x509' and 'rsa' respectively.
root@bala-VirtualBox:/home/bala/MyTrials/sslcerts# openssl x509 -in server.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a2:be:f6:db:7e:8b:d3:fe
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Company, OU=Department, CN=www.example-ca.com
Validity
Not Before: Jul 31 14:50:13 2013 GMT
Not After : Jul 31 14:50:13 2014 GMT
Subject: O=Company, OU=Department, CN=www.example-ca.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ae:8d:70:5b:9f:fe:20:3e:4e:68:93:5b:1b:f7:
9c:31:69:c7:66:07:03:20:91:03:da:e4:c2:20:36:
de:e6:d2:2e:6c:f6:8c:b3:64:e3:d4:62:77:86:23:
6b:b0:2d:18:21:8e:d2:63:95:12:a1:37:8d:d1:0d:
1e:c5:bd:03:44:fe:17:de:18:75:63:71:cb:b4:5f:
32:0a:1f:da:52:15:ea:c5:c7:7c:91:22:ca:2d:d2:
17:f2:f2:9c:38:b2:c5:99:75:a4:db:0a:85:3d:79:
07:6a:d6:41:15:9c:38:68:17:e6:3c:0d:7a:e1:cc:
e7:1a:a2:39:10:b3:65:91:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0B:BA:DD:46:C4:17:E7:9A:EB:FB:5E:19:91:AF:B4:1F:03:A9:8B:6C
X509v3 Authority Key Identifier:
keyid:0B:BA:DD:46:C4:17:E7:9A:EB:FB:5E:19:91:AF:B4:1F:03:A9:8B:6C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
7b:eb:43:ad:33:5e:fe:88:fb:ee:92:36:a3:79:3c:bb:6f:47:
5f:f7:31:87:16:69:0f:3b:ef:6d:53:fe:7b:31:8b:d8:a4:70:
78:7b:09:83:d2:75:77:8d:1d:a6:80:99:15:a1:c3:08:78:1a:
18:bc:48:f1:e7:02:fe:55:99:60:ea:ff:c8:97:02:ba:b1:74:
fb:30:17:b0:64:59:dd:dd:f9:c4:5f:c8:4c:fd:5e:9c:a0:9b:
f9:76:83:22:83:8f:fc:b2:8d:82:5c:24:a9:e1:e8:ba:10:01:
19:6c:93:10:d4:be:5f:ca:d3:e5:3a:a9:c8:dc:ba:f4:8b:85:
91:9b
-----BEGIN CERTIFICATE-----
MIICVjCCAb+gAwIBAgIJAKK+9tt+i9P+MA0GCSqGSIb3DQEBBQUAMEQxEDAOBgNV
BAoMB0NvbXBhbnkxEzARBgNVBAsMCkRlcGFydG1lbnQxGzAZBgNVBAMMEnd3dy5l
eGFtcGxlLWNhLmNvbTAeFw0xMzA3MzExNDUwMTNaFw0xNDA3MzExNDUwMTNaMEQx
EDAOBgNVBAoMB0NvbXBhbnkxEzARBgNVBAsMCkRlcGFydG1lbnQxGzAZBgNVBAMM
End3dy5leGFtcGxlLWNhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ro1wW5/+ID5OaJNbG/ecMWnHZgcDIJED2uTCIDbe5tIubPaMs2Tj1GJ3hiNrsC0Y
IY7SY5USoTeN0Q0exb0DRP4X3hh1Y3HLtF8yCh/aUhXqxcd8kSLKLdIX8vKcOLLF
mXWk2wqFPXkHatZBFZw4aBfmPA164cznGqI5ELNlkSsCAwEAAaNQME4wHQYDVR0O
BBYEFAu63UbEF+ea6/teGZGvtB8DqYtsMB8GA1UdIwQYMBaAFAu63UbEF+ea6/te
GZGvtB8DqYtsMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAe+tDrTNe
/oj77pI2o3k8u29HX/cxhxZpDzvvbVP+ezGL2KRweHsJg9J1d40dpoCZFaHDCHga
GLxI8ecC/lWZYOr/yJcCurF0+zAXsGRZ3d35xF/ITP1enKCb+XaDIoOP/LKNglwk
qeHouhABGWyTENS+X8rT5TqpyNy69IuFkZs=
-----END CERTIFICATE-----
root@bala-VirtualBox:/home/bala/MyTrials/sslcerts# openssl rsa -in server.key -text
Private-Key: (1024 bit)
modulus:
00:ae:8d:70:5b:9f:fe:20:3e:4e:68:93:5b:1b:f7:
9c:31:69:c7:66:07:03:20:91:03:da:e4:c2:20:36:
de:e6:d2:2e:6c:f6:8c:b3:64:e3:d4:62:77:86:23:
6b:b0:2d:18:21:8e:d2:63:95:12:a1:37:8d:d1:0d:
1e:c5:bd:03:44:fe:17:de:18:75:63:71:cb:b4:5f:
32:0a:1f:da:52:15:ea:c5:c7:7c:91:22:ca:2d:d2:
17:f2:f2:9c:38:b2:c5:99:75:a4:db:0a:85:3d:79:
07:6a:d6:41:15:9c:38:68:17:e6:3c:0d:7a:e1:cc:
e7:1a:a2:39:10:b3:65:91:2b
publicExponent: 65537 (0x10001)
privateExponent:
00:9e:2e:e1:16:b7:8b:f5:ae:61:22:15:ff:e7:fd:
61:97:ca:13:80:9b:74:33:0c:17:e1:43:93:c4:db:
d4:ee:7a:a4:c5:ec:3c:9f:ca:1b:49:7a:1e:74:fa:
1e:7a:1e:b3:92:9d:ba:7d:b2:37:9a:d0:1c:7d:c9:
95:0c:7f:78:b8:8a:a4:84:e9:2a:ec:01:56:6e:40:
e6:14:20:30:24:1e:82:25:67:5a:2d:d8:9c:3f:74:
2b:ce:9c:b3:ed:e9:aa:d2:ab:07:b6:3c:65:15:2e:
0e:1c:1b:8f:b6:d8:53:87:c7:c9:13:2d:2b:b0:0f:
81:d9:54:c8:d3:9e:8d:21:a1
prime1:
00:de:7e:91:d2:22:6d:68:99:36:35:53:c2:d0:23:
50:27:33:be:a7:8a:19:20:0a:5e:72:d3:14:4d:ad:
20:1b:d3:b6:95:3f:ad:38:0d:d3:d1:72:c3:05:30:
9f:42:67:8e:89:b6:54:79:f1:8a:f0:ca:d0:c1:7d:
a5:49:7d:2d:f1
prime2:
00:c8:d6:a6:69:43:d9:17:21:85:29:88:f1:f3:77:
6b:40:1b:7f:ee:43:44:47:2c:23:a1:60:73:f7:c6:
07:2e:7c:c3:1a:e7:38:05:26:ba:53:ea:0b:50:c0:
a8:51:28:ac:93:29:77:09:f3:ee:3c:8c:40:9b:94:
53:a0:8f:84:db
exponent1:
5b:06:75:29:ff:23:bb:b3:52:d6:26:5a:81:44:b1:
3a:18:95:5b:7d:c8:21:af:9c:4c:65:c6:dc:b0:83:
7e:5e:f3:47:c4:31:5d:c9:6a:6b:3a:04:47:4f:49:
18:a5:bd:4e:e1:e5:55:ae:58:25:83:14:3c:d4:e6:
96:56:3c:41
exponent2:
00:a8:da:af:36:b9:70:7f:de:12:d3:04:ec:47:42:
13:cd:e6:50:fc:c5:59:56:6d:69:d7:77:fc:88:48:
da:28:df:84:39:ce:44:6f:30:4c:5f:d8:da:82:9e:
37:e5:64:49:13:c1:3c:f0:05:42:3b:6d:bf:b4:0e:
54:f1:1d:39:19
coefficient:
67:b1:19:ca:8d:a9:58:26:18:87:fd:2c:66:ae:9a:
f2:73:12:23:70:2a:64:56:fe:cd:7f:ca:9a:90:34:
ba:f7:2e:e3:f0:f4:ff:7a:06:56:c5:40:22:c5:59:
b0:75:9d:f0:9f:67:4a:b9:39:b1:e9:38:f8:f2:b3:
bc:d6:cb:a3
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCujXBbn/4gPk5ok1sb95wxacdmBwMgkQPa5MIgNt7m0i5s9oyz
ZOPUYneGI2uwLRghjtJjlRKhN43RDR7FvQNE/hfeGHVjccu0XzIKH9pSFerFx3yR
Isot0hfy8pw4ssWZdaTbCoU9eQdq1kEVnDhoF+Y8DXrhzOcaojkQs2WRKwIDAQAB
AoGBAJ4u4Ra3i/WuYSIV/+f9YZfKE4CbdDMMF+FDk8Tb1O56pMXsPJ/KG0l6HnT6
Hnoes5Kdun2yN5rQHH3JlQx/eLiKpITpKuwBVm5A5hQgMCQegiVnWi3YnD90K86c
s+3pqtKrB7Y8ZRUuDhwbj7bYU4fHyRMtK7APgdlUyNOejSGhAkEA3n6R0iJtaJk2
NVPC0CNQJzO+p4oZIApectMUTa0gG9O2lT+tOA3T0XLDBTCfQmeOibZUefGK8MrQ
wX2lSX0t8QJBAMjWpmlD2RchhSmI8fN3a0Abf+5DREcsI6Fgc/fGBy58wxrnOAUm
ulPqC1DAqFEorJMpdwnz7jyMQJuUU6CPhNsCQFsGdSn/I7uzUtYmWoFEsToYlVt9
yCGvnExlxtywg35e80fEMV3Jams6BEdPSRilvU7h5VWuWCWDFDzU5pZWPEECQQCo
2q82uXB/3hLTBOxHQhPN5lD8xVlWbWnXd/yISNoo34Q5zkRvMExf2NqCnjflZEkT
wTzwBUI7bb+0DlTxHTkZAkBnsRnKjalYJhiH/SxmrprycxIjcCpkVv7Nf8qakDS6
9y7j8PT/egZWxUAixVmwdZ3wn2dKuTmx6Tj48rO81suj
-----END RSA PRIVATE KEY-----
Creating certificate chains.
We will use the above created self-signed certificate to create a certificate chain.
First create a certificate signing request (csr).
#> openssl req -new -days 365 -sha1 -newkey rsa:1024 -nodes -keyout client.key -out client.csr -subj '/O=Company/OU=Department/CN=www.example-client.com'
Generating a 1024 bit RSA private key
......++++++
...............++++++
writing new private key to 'client.key'
-----
#> cat client.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBhzCB8QIBADBIMRAwDgYDVQQKDAdDb21wYW55MRMwEQYDVQQLDApEZXBhcnRt
ZW50MR8wHQYDVQQDDBZ3d3cuZXhhbXBsZS1jbGllbnQuY29tMIGfMA0GCSqGSIb3
DQEBAQUAA4GNADCBiQKBgQDO8uP/6oKzRaEJNdMCj/CbiJ0hcXq9WOGfp2lr1i5g
5IJmXiyiAbt2pKMWr/mU8+C0KoRd9ki+S5tVmTV9PHP0CwlKVdYGv6GWhw6/ZrUv
CUF/2GVtM2bQUPyXbloR+r/Y5o6oxHWbRdcPi+0fytz5SIglebjltmoUhP8UqUeG
yQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEALLfrFNqbOfpY50RCR2aSRe5gi1Bf
Vj2RlvqkuWSbNV57MYZMn75bFMWerR3PJPmiFpbj2HnW+UWfKbYepVIqSWl6fio8
InXN379DWzJebqCvHiVHZRg/Fz4HG4WwqEAkfCSuq7UpSHVvQgPoqtnH1bylK9Zm
Ti0eDr8oqeuWxCg=
-----END CERTIFICATE REQUEST-----
Now we will use the self-signed cert as the root cert to sign the above csr.
#> openssl x509 -req -CA server.pem -CAkey server.key -set_serial 1 -in client.csr -out client.pem -outform PEM
Signature ok
subject=/O=Company/OU=Department/CN=www.example-client.com
Getting CA Private Key
#> openssl x509 -in client.pem -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Company, OU=Department, CN=www.example-ca.com
Validity
Not Before: Aug 13 13:57:55 2013 GMT
Not After : Sep 12 13:57:55 2013 GMT
Subject: O=Company, OU=Department, CN=www.example-client.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Converting PEM format to DER format.
The following command converts the certificates and private key files from PEM format to DER format. DER format is just the binary version(Base64 decoded) of the PEM format.
#> openssl x509 -in server.pem -inform PEM -out server.der -outform DER
#> openssl rsa -in server.key -inform PEM -out server.key.der -outform DER
writing RSA key
#> ls
server.der server.key server.key.der server.pem
If you open the .der file the contents will be in binary form, unlike the .pem files which contained Base64 encoded content.
Adding passphrase to the private key.
The private key files created so far were not password protected. We can add passphrase to existing private key files. For example, the following command createa new private key file "server.key.2" with the passphrase "changeit" from the existing file "server.key"
#> openssl rsa -des3 -in server.key -inform PEM -out server.key.2 -outform PEM -passout pass:changeit
writing RSA key
#> openssl rsa -in server.key.2 -text
Enter pass phrase for server.key.2:
Creating PKCS12 file.
A "pkcs12" file format allows you to have both the public certificate and the private key within a single file. 'pkcs12' command allows you to create pkcs12 files from existing certs and private keys.
# > openssl pkcs12 -export -in server.pem -inkey server.key -out server.pkcs12
Enter Export Password:
Verifying - Enter Export Password:
#> ls
server.der server.key server.key.2 server.key.der server.pem server.pkcs12
Separating public certificates from pkcs12 file.
#> openssl pkcs12 -in server.pkcs12 -clcerts -nokeys -out server_cert_from_pkcs12_file
Enter Import Password:
MAC verified OK
# >ls
server_cert_from_pkcs12_file server_key_from_pkcs12_file server.pem server.pkcs12
When prompted for password enter the same passphrase given during the creation of pkcs12 file. -clcerts option tells to output only client certificates. -nokeys option tells not to output any private keys. By default the certficate will be created in PEM format.
Separating private key from pkcs12 file.
#> openssl pkcs12 -in server.pkcs12 -nocerts -out server_key_from_pkcs12_file -nodes
Enter Import Password:
MAC verified OK
# >ls
server_cert_from_pkcs12_file server_key_from_pkcs12_file server.pem server.pkcs12
No comments:
Post a Comment