SSL Certificate Generation

Create a CA

openssl genrsa -out ca.key 4096
openssl req -new -key ca.key -out ca.csr -config ca_openssl.cnf
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
openssl x509 -in ca.crt -outform der -out cacert.der
openssl x509 -in ca.crt -outform PEM -out cacert.pem

Create an SSL cert signed by a CA, as used by courier-imap and postfix

test.cnf:

[ req ]
# serial and expiration_days are not keys that openssl req reads; they are
# silently ignored. The serial comes from -CAcreateserial and the lifetime
# from -days on the command line.
serial = 001
expiration_days = 3650
default_bits = 4096
# encrypt_key = yes would passphrase-protect the key; -nodes on the command line below overrides it
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=AU
ST=STATE
L=CITY
O=xyz
CN=mail.xyz.com
emailAddress=postmaster@xyz.com

[ cert_type ]
# nsCertType is a legacy Netscape extension; current clients look at
# extendedKeyUsage = serverAuth and subjectAltName instead
nsCertType = server

generate cert:

openssl req -nodes -newkey rsa:4096 -config test.cnf -days 3650 -keyout test.key -out test.csr
openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile test.cnf -extensions cert_type -outform PEM -out test.crt -days 3650
cat test.key test.crt > test.pem
openssl dhparam 2048 >> test.pem
(gendh was the pre-1.0 name of dhparam and no longer exists; 1024-bit DH parameters are considered weak and rejected by many current clients, so use 2048 or more)

Create and sign a domain certificate

openssl req -newkey rsa:4096 -days 3000 -keyout new2.key -out new2.csr -config sign_openssl.cnf
openssl ca -in new2.csr -days 3000 -notext -out new2.pem -keyfile ca.key -cert ca.crt -config sign_openssl.cnf
openssl rsa -in new2.key -out new2a.key
(the key from the req step above is passphrase-encrypted because -nodes was not given; this writes an unencrypted copy so squid can load it without prompting)
cat new2a.key new2.pem > squid.pem


openssl x509 -text -noout -in squid.pem


If sign_openssl.cnf has all the DN fields filled in (prompt = no), the same thing runs without any interactive input:
openssl req -newkey rsa:4096 -days 3000 -keyout new4.key -outform PEM -out new4.csr -config sign_openssl.cnf -nodes -batch
openssl x509 -req -in new4.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform PEM -out new4.pem -days 3000
cat new4.key new4.pem > new4_squid.pem



openssl req -newkey rsa:2048 -keyout wildkey.pem -keyform PEM -out wildreq.pem -outform PEM -config wild_openssl.cnf -nodes
openssl ca -startdate 100921010000Z -in wildreq.pem -notext -out wildcert.pem -keyfile ca.key -cert ca.crt -config wild_openssl.cnf
cat wildkey.pem wildcert.pem > wildsquid.pem
-- make a der cert
openssl x509 -outform der -in wildcert.pem -out wildcert.der


openssl req -newkey rsa:2048 -keyout XYZkey.pem -keyform PEM -out XYZreq.pem -outform PEM -config XYZ_openssl.cnf -nodes
openssl ca -startdate 100921010000Z -in XYZreq.pem -notext -out XYZcert.pem -keyfile ca.key -cert ca.crt -config XYZ_openssl.cnf
openssl pkcs12 -export -clcerts -in XYZcert.pem -inkey XYZkey.pem -out XYZkey.p12 -name "P3"

Create a CA certificate

openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
(1024-bit RSA is below current minimums for a CA key; the 4096-bit variant at the top of the page is the one to use)
Make the DER file for clients to install into their root certificate stores (the CA cert produced above is ca.crt, not cacert.pem):
openssl x509 -in ca.crt -outform der -out cacert.der

Self-signed certificate in one step (openssl req -x509 signs the request with its own key, so no CA is involved)

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout dc01.pem -out dc01.csr
(because of -x509, dc01.csr here is a certificate, not a CSR, despite the file name)

file: v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Sign the request with the extension file, so the issued cert carries the v3 extensions above:
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000 -extfile v3.ext

Without -extfile the issued cert gets none of those extensions (no basicConstraints, no keyUsage):
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000
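The CA-and-sign procedure at the top of the page and the v3.ext extension-file signing just above, as one runnable script. This is an added example, not the wiki author's commands: the xyz subjects, the host name and the file names are constructed for the demo. It differs from the page in giving the CA cert basicConstraints CA:TRUE, giving the server cert a subjectAltName (what clients actually match), and ending with openssl verify as the check the page does not include. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not the wiki author's commands: build a throwaway CA and
# issue a server certificate with proper v3 extensions, then verify the chain.
# Subjects, host names and file names are constructed for the demo.
# Requires OpenSSL 1.1.1 or later.
set -eu

# make_ca DIR: self-signed CA whose extensions mark it as a CA (the page's
# "openssl x509 -req -signkey" step without -extfile gives no such marking)
# and whose keyUsage limits the key to certificate and CRL signing.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca

[ ca_dn ]
C  = AU
O  = xyz
CN = xyz test CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -new -nodes -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 >/dev/null 2>&1
}

# issue_server_cert DIR HOST: CSR for HOST, signed by the CA with end-entity
# extensions (CA:FALSE, serverAuth, SAN). Like the page's v3.ext, the file has
# no section header, so x509 -req picks it up as the default section.
issue_server_cert() {
    dir=$1; host=$2
    cat > "$dir/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    openssl req -new -nodes -newkey rsa:2048 -subj "/C=AU/O=xyz/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_chain DIR HOST: 0 if the server cert chains to the CA, is marked
# CA:FALSE and carries HOST as a SAN; non-zero otherwise.
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$dir/$host.crt" | grep -q "CA:FALSE" || return 1
    openssl x509 -noout -text -in "$dir/$host.crt" | grep -q "DNS:$host" || return 1
    return 0
}
```

Run make_ca ./demo-ca, then issue_server_cert ./demo-ca mail.xyz.test, then verify_chain ./demo-ca mail.xyz.test. The verify step is the one the page leaves out: it is what catches a cert signed with the wrong CA key, or a -extfile that was never applied so the cert went out without CA:FALSE or a SAN.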

With no prompt = no in the config, no -subj and no -batch, openssl req asks for the DN interactively:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

notes

openssl req -new -newkey rsa:1024 -days 3560 -CA ca.crt -nodes -x509 -keyout dc01.pem -out dc01.pem
(-keyout and -out naming the same file does not give a combined key+cert file: writing the cert truncates the key just written. Write them to separate files and cat them together as in the squid examples above. -CA on openssl req only exists from OpenSSL 3.0 on and wants the CA key via -CAkey, or in the same file as the cert.)

Generate an RSA key for sharing between rsa.js (browser side) and C#

openssl genrsa -out cdt.pem 1024
openssl rsa -in cdt.pem -out cdt.public.der -outform DER -pubout -text
vi cdt.public.der
(-text writes the hex dump of the modulus and exponent into the output file alongside the DER; that is what vi shows. The private exponent is not in a -pubout dump: take it from openssl rsa -in cdt.pem -noout -text.)

  var p = "10001";       // publicExponent, hex
  var d = "";            // privateExponent, hex (from the private key dump)
  var m = "";            // modulus, hex
  var md = 130;          // BigInt digit count; must be large enough for the modulus
  setMaxDigits(md);
  var key = new RSAKeyPair(p, d, m);

  // encrypt
  var ciphertext = encryptedString(key, message);
  // decrypt
  var decrypttext = decryptedString(key, ciphertext);

(RSAKeyPair, setMaxDigits, encryptedString and decryptedString are from the old RSA.js/BigInt.js browser library, which does textbook RSA with no OAEP or PKCS#1 padding, so it is deterministic and only suitable for a demo)



Check files

openssl req -noout -text -in mycsr.csr
openssl x509 -noout -text -in mycert.crt
openssl pkcs12 -clcerts -nodes -passin pass:"SomePassword" -in mycert.p12 | openssl x509 -noout -text

Verify that a private key matches a certificate

An RSA private key file holds several numbers. Two of them (the modulus and the public exponent) are the public key; the rest are the private part. The same public key is embedded in the certificate, copied from the CSR. To check that the certificate's public key is the public half of your private key, print both and compare the numbers:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
The modulus and publicExponent shown for the key and for the certificate must match. The public exponent is almost always 65537, and comparing a long modulus by eye is error-prone, so hash the modulus instead:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
and compare the much shorter digests. If the keys differ, the digests will differ with overwhelming probability. As a one-liner:

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
  openssl rsa -noout -modulus -in server.key | openssl md5
And with automatic comparison (if more than one hash line is displayed, they do not match):

$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
To find which key or certificate a particular CSR belongs to, hash the CSR's modulus the same way:

$ openssl req -noout -modulus -in server.csr | openssl md5
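The same comparison as shell functions that return an exit status instead of two hashes to eyeball, so it can gate a deployment. This is an added example, not from the page: it keeps the page's modulus method (RSA only) and adds a public-key-digest variant that also covers EC keys, which have no modulus for openssl rsa -modulus to print. The digest is SHA-256 rather than the page's md5 only because md5 is disabled on FIPS-mode builds; equality is all that matters here. File names in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that a private key, a
# certificate and optionally a CSR carry the same public key, by digest.
set -eu

# modulus_digest KIND FILE: SHA-256 of the RSA modulus, the page's method.
# KIND is x509, rsa or req (the openssl subcommand that reads FILE).
# Fails if the file cannot be parsed rather than hashing an empty string,
# which would make two unreadable files "match".
modulus_digest() {
    kind=$1; file=$2
    case "$kind" in
        x509|rsa|req) ;;
        *) echo "modulus_digest: kind must be x509, rsa or req" >&2; return 2 ;;
    esac
    mod=$(openssl "$kind" -noout -modulus -in "$file") || return 1
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_pem KIND FILE: the SubjectPublicKeyInfo in PEM form from a
# certificate (x509), a CSR (req) or a private key (key). Works for RSA,
# EC and any other key type because it compares the whole public key.
pubkey_pem() {
    kind=$1; file=$2
    case "$kind" in
        x509) openssl x509 -noout -pubkey -in "$file" ;;
        req)  openssl req  -noout -pubkey -in "$file" ;;
        key)  openssl pkey -pubout -in "$file" ;;
        *)    echo "pubkey_pem: kind must be x509, req or key" >&2; return 2 ;;
    esac
}

# pubkey_digest KIND FILE: SHA-256 of the public key PEM; empty on failure.
pubkey_digest() {
    pub=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT [CSR]: 0 if every given file has the same public
# key, 1 on mismatch or on any file that does not parse.
key_matches_cert() {
    key=$1; cert=$2; csr=${3:-}
    k=$(pubkey_digest key "$key")   || return 1
    c=$(pubkey_digest x509 "$cert") || return 1
    [ "$k" = "$c" ] || return 1
    if [ -n "$csr" ]; then
        r=$(pubkey_digest req "$csr") || return 1
        [ "$k" = "$r" ] || return 1
    fi
    return 0
}
```

Usage: key_matches_cert server.key server.crt server.csr && echo match. Unlike the uniq trick on the page, a file that fails to parse (wrong path, PKCS#12 instead of PEM, encrypted key with no passphrase given) is reported as a non-match rather than as a stray hash line that has to be noticed.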

PFX extract key, cer and crt chain

openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nocerts -nodes -out wildcard.somedomain.com.au.key
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -clcerts -nokeys -out wildcard.somedomain.com.au.cer
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nodes -nokeys -cacerts -out wildcard.somedomain.com.au-ca.crt


apache vhost conf:
(SSLCertificateChainFile is obsolete from Apache 2.4.8 on; the chain can be appended to the SSLCertificateFile instead. SSLProtocol ALL -SSLv2 -SSLv3 still allows TLS 1.0 and 1.1, which current guidance disables as well.)
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/wildcard.somedomain.com.au.cer
        SSLCertificateChainFile /etc/apache2/ssl/wildcard.somedomain.com.au-ca.crt
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard.somedomain.com.au.key
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
        SSLHonorCipherOrder On

ssl_certificate_generation.txt · Last modified: 2018/10/29 11:44 by paulsmith
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International