|
What appears below are my personal notes I wish were part of my long-term memory but don't always seem to fit. I strive for accuracy and clarity and appreciate feedback. If applying any of this information anywhere, confirm for youself the correctness of your work as what you see below might very well be, albeit unintentionally, incorrect or misleading. These notes are here as an easy reference for myself.
Information worthy of a more formal presentation will appear elsewhere than this "Scratch" area. - ksb
openssl command [command_opts] [command_args]For example to write the base64 encoding of foo.bin into the file foo.bin.b64:
$ openssl base64 -in foo.bin -out foo.bin.b64 $ cat foo.bin.b64 8dLS+STphqyG/fezbJS83zK+7BU=Leaving off the -out arg would cause the output to go to stdout. To decode, add a -d arg after the base64 and switch the -in and -out args.
$ openssl OpenSSL> version OpenSSL 0.9.7b 10 Apr 2003 OpenSSL> enc -des3 -in foo.txt -out foo.3des enter des-ede3-cbc encryption password: Verifying - enter des-ede3-cbc encryption password:Any command can be issued from the command line or interactively. Shown here is the version command and encrypting with 3des, note how the password is prompted for to do the encryption.
OpenSSL> ? openssl:Error: '?' is an invalid command. Standard commands asn1parse ca ciphers crl crl2pkcs7 [...] Message Digest commands (see the `dgst' command for more details) md2 md4 md5 mdc2 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc [...] OpenSSL>
$ openssl genrsa 64 Generating RSA private key, 64 bit long modulus .+++++++++++++++++++++++++++ .+++++++++++++++++++++++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MD4CAQACCQClqJrZ5drj1QIDAQABAghg5v+tBTyVAQIFANmgzDMCBQDC3gfXAgRs TsJRAgUAtjKa6QIESg35rQ== -----END RSA PRIVATE KEY-----Though you probably want to: write it to a file (-out rsapriv.pem), encrypt that private key with a passphrase (-passout pass:polythenepam), write it to a file and use more than 64 bits of encryption strength (1025):
$ openssl genrsa -out rsapriv.pem -des3 -passout pass:polythenepam 1024 Generating RSA private key, 1024 bit long modulus .++++++ ....++++++ e is 65537 (0x10001) $ cat rsapriv.pem -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8374E5AFAE4D2013 HMooa7BxGOdSQyJp9/yQO1yIz/4jjP3XQuVQj0YmSgMEkMnSDECBXzgfSawMuxdD [...] TjaW1BvN0/M7bOVgy48CmZXxnK/7hqgd8SXyGQJhzGGZFYupM8aKZA== -----END RSA PRIVATE KEY-----(pem = "Privacy Enchanced Email", though it now identifies a file format for holding keys and certificates.)
$ openssl rsa -in rsapriv.pem -passin pass:polythenepam writing RSA key -----BEGIN RSA PRIVATE KEY----- MEACAQACCQDnyrwVcj/7TQIDAQABAghs2jdy0hY2/QIFAPPEYoMCBQDzbIHvAgUA 1Yb9/wIFAPAdSpUCBQCGRHtA -----END RSA PRIVATE KEY-----
$ openssl rsa -in rsapriv.pem -passin pass:polythenepam -pubout -out rsapub.pem writing RSA key $ cat rsapub.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk2nNPy4LTCLdfiZlCWL+w+pDq cfEX2z+78HdW9vQwDfTskNewaLTT+OLQji1jyaCKcJ20VkYLMrEHBR0OaqdK/cV8 1RN5H10a/OMKNkRxwECRIb2k+wnSLue0KHT9EYGqTDrAUFYoyqIIu4pM1mWljMK+ R8N2/9/06/WpzhL05QIDAQAB -----END PUBLIC KEY-----
$ openssl sha1 foo.txt SHA1(foo.txt)= f1d2d2f924e986ac86fdf7b36c94bcdf32beec15Or using the dgst command and passing -sha1 as a flag
$ openssl dgst -sha1 foo.txt SHA1(foo.txt)= f1d2d2f924e986ac86fdf7b36c94bcdf32beec15Where sha1 could be any of: md5, md4, md2, sha1, sha, mdc2 or ripemd160
$ openssl dgst -sha1 -binary -out foo_sha1.bin foo.txt-binary and -out <file> are args to the dgst command
Here's how to create your very own 'mini' certificate authority (CA) and then generate certificates signed by that CA. ('mini' in that it doesn't have all the certificate management bells and whistles of a commercial CA tool. The certs created this way are just as valid and strong as those created with a 'real' CA.)
$ openssl req -x509 -out ca_cert.pem -newkey rsa:1024 -keyout ca_priv_key.pem -days 365
This command will prompt you for a bunch of information (which could be read from a -config file) and then creates two files: ca_priv_key.pem to hold CA's private key and ca_cert.pem the CA's self-signed certificate. (This steps only needs to be done once per period defined by the -days arg.)
| req | => | The command used since you are, in effect, requesting a certificate. |
| -x509 | => | Make this a self-signed certificate rather than an actual certificate request. We want this since we are creating a new root CA. |
| -out ca_cert.pem | => | The file to write the CA's certificate to. |
| -newkey rsa:1024 | => | Generate a new 1024-bit RSA key along with this this new certificate request. Since we aren't using a config file all DN information will be prompted for. To use an existing private key replace this with -new -key file.key. |
| -keyout ca_priv_key.pem | => | The file to write the new CA private key to, (encrypted with promted for passphrase). |
| -days 365 | => | Make this cert good for 365 days. |
To look at the cert just created in a human-readable format use the command:
$ openssl x509 -in ca_cert.pem -text -noout
| x509 | => | Command to read/write x509 certificates. |
| -in ca_cert.pem | => | The file holding the certificate. |
| -text | => | Output the certificate in a human readable text format. |
| -noout | => | Don't output the encoded form of the request. |
Note that the Issuer and the Subject are the same, and that in the X509v3 extensions section the Subject and Authority Key Identifiers are identical.
$ openssl req -out ksb_cert_req.pem -new -keyout ksb_priv_key.pem
This command will also promt you for a bunch of information (which could be read from a -config file) and then creates two files: ksb_priv_key.pem to hold the new user's private key and ksb_cert_req.pem to hold the request for the certificate.
| req | => | Command to read/write certificate requests. |
| -out ksb_cert_req.pem | => | The file to write the certificate request to. |
| -new | => | A new certificate is being requested so gather all the DN information (the absence of a -key file.key argument means a new private key will be generated too). |
| -keyout ksb_priv_key.pem | => | The file to write the user private key to, (encrypted with promted for passphrase). |
If you want to look at the request use the command:
$ openssl req -noout -text -verify -in ksb_cert_req.pem
| -noout | => | Don't output the encoded form of the request. |
| -verify | => | Verify the request (by checking signature). |
| -in ksb_cert_req.pem | => | The file to read the certificate request from. |
$ openssl x509 -req -in ksb_cert_req.pem -CA ca_cert.pem -CAkey ca_priv_key.pem -CAcreateserial -out ksb_cert.pem -days 365
This command takes in the certificate request, all the CA information and creates a new certificate. You will be promted for the CA's private key's password to use when signing the new certificate.
| x509 | => | Using the Certificate display and signing utility to create a certificate. |
| -req | => | We will be working with a certificate request rather than the default (for the x509 command) of working a certificate. |
| -in ksb_cert_req.pem | => | The certificate request. |
| -CA ca_cert.pem | => | The CA's self-signed certificate. |
| -CAKey ca_priv_key.pem | => | The CA's private key to sign with. |
| -CAcreateserial | => | Create the serial file (named after the CA's certificate file (ca.srl in this case) if it doesn't exist). The serial file is needed for unique serial numbers in created certificates. |
| -out ksb_cert.pem | => | The file to write the new certificate to. |
| -days 365 | => | Make this cert good for 365 days. |
$ openssl pkcs12 -export -in ksb_cert.pem -inkey ksb_priv_key.pem -out ksb_cert.p12 -name "ksb certificate"
This command takes the certificate (ksb_cert.pem) and the private key (ksb_priv_key.pem) and creates a PKSC12 file containing the private key, and certificate information. You will be prompted for the passphrase used to encrypt the ksb_cert.pem file and then an export password for the ksb_cert.p12 file.
| pkcs12 | => | Command to read and write PKCS12 files. |
| -export | => | We will be writing a PKSC12 file. |
| -in ksb_cert.pem | => | The certificate file to put in the PKCS12 file. |
| -inkey ksb_priv_key.pem | => | The private key to put in the PKCS12 file. |
| -out ksb_cert.p12 | => | The file to write the PKCS12 certificate to. |
| -name "ksb certificate" | => | The name (or alias, or friendlyName) to associate to with this certificate and private key in the PKCS1 file. |
To view the contents of a PKCS12 file use the following command:
$ openssl pkcs12 -info -in ksb_cert.p12
This will prompt you for an import password (which was the export password given when the .p12 file was created), it will also prompt you for an export password, but you can just ^D and abort the generation of the PEM output.
Honestly, I'm confused here as to how to create a certificate that has just your cert (and possibly the chain of signing CAs) and not your private key. This looks like something that can't be done (with the openssl command line tool) so perhaps I'm misunderstanding something by wanting to do it. But this is exactly the information the .pem file has even though the .p12 file seems to always have your private key in it. This doesn't seem like something you'd distribute, even though the private key is encrypted.
At this point you can repeat steps 2, 3 and 4 to request and create new certificates.