Generate a private RSA key without a passphrase (2048 bits is the minimum that browsers and public CAs accept today; the 1024-bit keys in older guides are no longer acceptable)
openssl genrsa -out server.key 2048
Remove the passphrase from an encrypted key (only needed if the key was generated with -aes256 or -des3; you will be prompted for the passphrase once)
openssl rsa -in server.key -out server.key.insecure
Make a CSR based on the server.key private key
openssl req -new -key server.key -out server.csr
Self-sign the CSR
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Generate a self-signed certificate and its private key in one command
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Generate your own CA (the CA key is passphrase-protected with AES-256; older guides use -des3. Keep it offline and well guarded, since anyone holding it can issue certificates your clients trust)
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Decode a CSR
openssl req -in server.csr -noout -text
Examine the components if you're curious
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt
CSR generation process
A CSR, or Certificate Signing Request, is a block of Base64-encoded (not encrypted: anyone can decode and read it) text that is generated on the server the certificate will be used on. It contains the information that will go into your certificate, such as organization name, common name (domain name), locality and country, together with the public key, and it is signed with the matching private key to prove that you hold it. The private key is usually created at the same time as the CSR.
A certificate authority uses the CSR to create your SSL certificate; it does not need your private key, and you must never send it. The certificate issued for a CSR only works with the private key that CSR was generated from, so anyone who obtains that key can impersonate your server, and if you lose the key the certificate is useless and has to be reissued from a new key and CSR.
Most CSRs are created in the Base64-encoded PEM format, which wraps the request in "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines. A PEM CSR can be opened in a text editor.
CSR contents
- Common Name - The fully qualified domain name (FQDN) of your server, for example public.akadia.com if the site to be protected is https://public.akadia.com. It must match exactly what is typed into the browser or the client will report a name mismatch. Note that browsers today match the host name against the subjectAltName extension and ignore the CN, so a certificate for a web site also needs the FQDN (and any other names it serves) as SAN entries; the CSR can carry these as requested extensions.
- Organization - The legal name of your organization, not abbreviated and including suffixes such as Inc, Corp, or LLC. Google Inc. for example.
- Organizational Unit - The division of your organization handling the certificate. IT Department for example.
- City/Locality - The city where your organization is located.
- State/County/Region - The state or region where your organization is located. This should not be abbreviated.
- Country - The two-letter ISO code for the country where your organization is located. RU for example.
- Email address - An email address used to contact your organization.
- Public Key - The public key that will go into the certificate. It is taken automatically from the private key handed to openssl req.
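The command sequence from the sheet and the CSR fields listed above, carried through end to end as an added example (this script is not from the original post): a private CA issues a server certificate from a CSR whose subject carries those fields, the CA adds a subjectAltName, and the result is checked the way a TLS client would check it. It assumes a POSIX sh and an OpenSSL 1.0.2 or newer command line; Example Corp, www.example.com and the file names under $WORK are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and OpenSSL >= 1.0.2 on PATH.
# All names (Example Corp, www.example.com, the files under $WORK) are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject fields come from config files (prompt = no) so nothing is interactive. These are
# the CSR contents listed above. Only the names matter to a TLS client, and modern clients
# take them from subjectAltName, so the server CSR requests that extension as well.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
ST = California
L = Mountain View
O = Example Corp
OU = IT Department
CN = Example Corp Root CA
EOF

cat > "$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = California
L = Mountain View
O = Example Corp
OU = IT Department
CN = www.example.com
emailAddress = hostmaster@example.com
[ext]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF

# Extensions the issuer puts on each certificate. "openssl x509 -req" does not copy the
# extensions requested in a CSR, so the CA states them itself (and never blindly copies a
# requester's CA:TRUE). The sheet's "req -x509" CA relies on the v3_ca section of the
# system openssl.cnf for the same thing.
printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$WORK/ca_ext.cnf"
printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:www.example.com, DNS:example.com' > "$WORK/server_ext.cnf"

build_ca() {
    # The CA key is left unencrypted only so the example runs unattended; use -aes256 for real.
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -key "$WORK/ca.key" -out "$WORK/ca.csr"
    openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/server.cnf" -key "$WORK/server.key" -out "$WORK/server.csr"
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/server_ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Prints the SAN list of the issued certificate, i.e. the names a client will match against.
cert_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Succeeds only if server.crt chains to ca.crt and is valid for the given host name.
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

build_ca
issue_server_cert
openssl req -in "$WORK/server.csr" -noout -subject     # decode the CSR, as in the sheet
echo "SAN: $(cert_san)"
verify_host www.example.com && echo "www.example.com: chain and host name OK"
verify_host mail.example.com || echo "mail.example.com: rejected, not in the SAN"
```

The second verify_host call is the important one: the certificate is perfectly valid, signed by a trusted CA, and still rejected because the name asked for is not in it. That is the check a browser performs, and it is why the SAN must list every name the server answers to.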
X509 certificate formats
DER (Distinguished Encoding Rules, a method for encoding a data object) - The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but often has .cer, so the only way to tell a DER .cer file from a PEM .cer file is to open it in a text editor (or grep it) and look for the BEGIN/END lines. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms.
PEM - The PEM format is the most common format that Certificate Authorities issue certificates in. PEM files usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Server certificates, intermediate certificates, and private keys can all be put into PEM format. Apache and similar servers use PEM certificates. Several PEM certificates, and even the private key, can be concatenated in one file, one below the other, but most platforms, such as Apache, expect the certificates and the private key in separate files.
P7B/PKCS#7 - The PKCS#7 or P7B format is usually stored as Base64 ASCII with a file extension of .p7b or .p7c. P7B files contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" lines. A P7B file holds only certificates and chain certificates, never the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.
PFX/PKCS#12 - The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one password-protected file. PFX files usually have the extension .pfx or .p12. They are typically used on Windows machines to import and export certificates and private keys. Because the file carries the private key, treat it like the key itself: use a strong export password and delete copies once they have been imported.
Conversion
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a PEM file to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key or add -nokeys to only output the certificates.
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
If you need to convert a Java Keystore (JKS) file to a different format, the simplest route is to turn it into PKCS#12 with the JDK's keytool (keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12) and then use the openssl pkcs12 commands above; failing that, it is usually easier to create a new private key and certificates.
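The conversions above exercised end to end, as an added example that is not part of the original post: a helper tells PEM from DER by content rather than by extension (the problem the DER paragraph describes), one certificate is round-tripped through DER, PKCS#12 and PKCS#7, and every copy is proven to be the same certificate by comparing SHA-256 fingerprints. It assumes a POSIX sh and OpenSSL 1.0.2 or newer; the file names, the subject and the export password "demo" are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and OpenSSL >= 1.0.2 on PATH;
# file names, the subject and the export password "demo" are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway self-signed certificate and key to convert (the sheet's one-liner, driven
# from a tiny config instead of interactive prompts).
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' 'CN = convert.example.com' > "$WORK/req.cnf"
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Prints PEM or DER for a certificate file whatever its extension says:
# PEM carries the BEGIN line, DER is raw ASN.1 and does not.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# SHA-256 fingerprint of a certificate in either encoding; two files with the same
# fingerprint hold the same certificate, whatever container they came out of.
fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

pem_der_roundtrip() {
    openssl x509 -outform der -in "$WORK/cert.pem" -out "$WORK/cert.der"
    openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/from_der.pem"
}

pkcs12_roundtrip() {
    # -passout/-passin keep this unattended. pass: exposes the password in the process
    # list, so prefer env:VAR or file:path outside a demo. The .p12 holds the private key.
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/bundle.p12" -passout pass:demo
    # -nokeys: certificates only (use -nocerts instead to get only the key)
    openssl pkcs12 -in "$WORK/bundle.p12" -nokeys -out "$WORK/from_p12.pem" -passin pass:demo
}

pkcs7_roundtrip() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/bundle.p7b"
    openssl pkcs7 -print_certs -in "$WORK/bundle.p7b" -out "$WORK/from_p7b.pem"
}

# Prints the reference fingerprint if every converted copy matches it, fails otherwise.
all_copies_match() {
    ref=$(fingerprint "$WORK/cert.pem")
    for f in cert.der from_der.pem from_p12.pem from_p7b.pem; do
        [ "$(fingerprint "$WORK/$f")" = "$ref" ] || return 1
    done
    echo "$ref"
}

pem_der_roundtrip
pkcs12_roundtrip
pkcs7_roundtrip
echo "cert.der is $(cert_format "$WORK/cert.der"), from_p12.pem is $(cert_format "$WORK/from_p12.pem")"
echo "all copies match: $(all_copies_match)"
```

The files that come out of pkcs12 and pkcs7 -print_certs start with "Bag Attributes" or subject/issuer lines before the PEM block; openssl x509 skips anything ahead of the BEGIN line, so they can be fed straight back in, but some other software cannot, which is a common reason a "converted" certificate fails to load.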
Checking
Check a Certificate Signing Request (CSR)
openssl req -text -noout -verify -in CSR.csr
Check a private key
openssl rsa -in privateKey.key -check
Check a certificate
openssl x509 -in certificate.crt -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Compare the hash of the RSA modulus in a certificate, private key and CSR to confirm they belong together. The hash is only a short label for comparing by eye, so MD5 is acceptable here (sha256 works the same way); note that -modulus only exists for RSA keys
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
Check an SSL connection. -connect takes host:port, not a URL; -showcerts prints every certificate the server sends (including intermediates) rather than just the leaf, and -servername sets SNI so a server hosting several names returns the right certificate
openssl s_client -connect www.paypal.com:443 -servername www.paypal.com -showcerts
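The key/CSR/certificate consistency check above, generalised as an added example that is not part of the original post: instead of hashing the RSA modulus it hashes the public key itself, so the same function works for EC keys, and it is shown catching a key that does not belong to the certificate (the usual cause of a "key values mismatch" error after a renewal). It assumes a POSIX sh and OpenSSL 1.0.2 or newer; the file names and subject are placeholders. The remote_chain function at the end is the s_client check, defined but not run because it needs network access.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and OpenSSL >= 1.0.2 on PATH;
# file names and the subject are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' 'CN = check.example.com' > "$WORK/req.cnf"

# A key, CSR and self-signed certificate that belong together, plus an unrelated (EC) key
# that stands in for the "wrong key" case, e.g. the key from a previous renewal.
openssl genrsa -out "$WORK/good.key" 2048 2>/dev/null
openssl req -new -config "$WORK/req.cnf" -key "$WORK/good.key" -out "$WORK/good.csr"
openssl x509 -req -days 1 -in "$WORK/good.csr" -signkey "$WORK/good.key" -out "$WORK/good.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"

# SHA-256 of the SubjectPublicKeyInfo held in a key, CSR or certificate. Unlike -modulus
# this works for EC keys too, and SHA-256 keeps MD5 out of anything an auditor reads.
# usage: pubkey_digest key|csr|crt FILE
pubkey_digest() {
    { case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
      esac; } | openssl dgst -sha256 | sed 's/^.*= //'
}

# Prints match or MISMATCH for a private key against a CSR or certificate.
# usage: key_matches KEYFILE csr|crt FILE
key_matches() {
    if [ "$(pubkey_digest key "$1")" = "$(pubkey_digest "$2" "$3")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Runs OpenSSL's consistency tests on an RSA private key (the sheet's "rsa -check"), quietly.
key_ok() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# Live version of the s_client check: list the subject of every certificate the server
# sends, leaf first, so a missing intermediate is obvious. Needs network access, so it is
# defined but not run here; call it by hand, e.g.  remote_chain www.paypal.com
remote_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk '/^ *[0-9]+ s:/'
}

echo "good.key vs good.csr:  $(key_matches "$WORK/good.key" csr "$WORK/good.csr")"
echo "good.key vs good.crt:  $(key_matches "$WORK/good.key" crt "$WORK/good.crt")"
echo "other.key vs good.crt: $(key_matches "$WORK/other.key" crt "$WORK/good.crt")"
key_ok "$WORK/good.key" && echo "good.key passes rsa -check"
```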