====== SSL Certificate Generation ======
* http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
* http://www.akadia.com/services/ssh_test_certificate.html
* http://shib.kuleuven.be/docs/ssl_commands.shtml
* http://www.ehow.com/how_4719978_ssl-certificate-request-openssl-linux.html
===== Create a CA =====
openssl genrsa -out ca.key 4096
openssl req -new -key ca.key -out ca.csr -config ca_openssl.cnf
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
openssl x509 -in ca.crt -outform der -out cacert.der
openssl x509 -in ca.crt -outform PEM -out cacert.pem
===== Create an SSL cert signed by a CA (used by courier-imap, postfix) =====
test.cnf:
[ req ]
serial = 001
expiration_days = 3650
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=AU
ST=STATE
L=CITY
O=xyz
CN=mail.xyz.com
emailAddress=postmaster@xyz.com
[ cert_type ]
nsCertType = server
generate cert:
openssl req -nodes -newkey rsa:4096 -config test.cnf -days 3650 -keyout test.key -out test.csr
openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile test.cnf -extensions cert_type -outform PEM -out test.crt -days 3650
cat test.key test.crt > test.pem
-- append DH parameters (older OpenSSL spelled this "openssl gendh 1024"; current releases only have dhparam)
openssl dhparam 1024 >> test.pem
===== Create and Sign domain certificate =====
openssl req -newkey rsa:4096 -days 3000 -keyout new2.key -out new2.csr -config sign_openssl.cnf
openssl ca -in new2.csr -days 3000 -notext -out new2.pem -keyfile ca.key -cert ca.crt -config sign_openssl.cnf
openssl rsa -in new2.key -out new2a.key
cat new2a.key new2.pem > squid.pem
openssl x509 -text -noout -in squid.pem
If sign_openssl.cnf has all the subject fields configured, the following creates the certificate without any interactive input:
openssl req -newkey rsa:4096 -days 3000 -keyout new4.key -outform PEM -out new4.csr -config sign_openssl.cnf -nodes -batch
openssl x509 -req -in new4.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform PEM -out new4.pem -days 3000
cat new4.key new4.pem > new4_squid.pem
openssl req -newkey rsa:2048 -keyout wildkey.pem -keyform PEM -out wildreq.pem -outform PEM -config wild_openssl.cnf -nodes
openssl ca -startdate 100921010000Z -in wildreq.pem -notext -out wildcert.pem -keyfile ca.key -cert ca.crt -config wild_openssl.cnf
cat wildkey.pem wildcert.pem > wildsquid.pem
-- make a der cert
openssl x509 -outform der -in wildcert.pem -out wildcert.der
openssl req -newkey rsa:2048 -keyout XYZkey.pem -keyform PEM -out XYZreq.pem -outform PEM -config XYZ_openssl.cnf -nodes
openssl ca -startdate 100921010000Z -in XYZreq.pem -notext -out XYZcert.pem -keyfile ca.key -cert ca.crt -config XYZ_openssl.cnf
openssl pkcs12 -export -clcerts -in XYZcert.pem -inkey XYZkey.pem -out XYZkey.p12 -name "P3"
===== Create a CA certificate =====
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Make the DER file for clients to install into their root certificate stores:
openssl x509 -in cacert.pem -outform der -out cacert.der
===== Sign a req certificate =====
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout dc01.pem -out dc01.csr
file: v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000 -extfile v3.ext
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000
Without prompt = no in the config, openssl req asks for the subject fields interactively:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
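The CA and v3.ext steps above, scripted end to end as an added example (this is not code from the original notes): it builds a throwaway CA from a prompt=no config in the style of test.cnf, signs a server CSR with CA:FALSE, serverAuth and a subjectAltName, and then checks the leaf with openssl verify. Every path under the mktemp directory is constructed here; the host name mail.xyz.com is reused from test.cnf.

```shell
#!/bin/sh
# Added example, not from the original notes: stand up a throwaway CA, sign
# a server CSR with the v3.ext-style extensions, and verify the result.
# Every path under $WORK is constructed for this example.
set -eu
WORK=$(mktemp -d)

make_ca() {
  # prompt=no config in the style of test.cnf; CA:TRUE + keyCertSign make
  # the root a real CA (also exported as DER for client trust stores).
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    'prompt = no' '[dn]' 'CN = xyz Test CA' '[ca_ext]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -in "$WORK/ca.crt" -outform der -out "$WORK/cacert.der"
}

# Leaf extensions: CA:FALSE so the leaf can never sign other certs,
# serverAuth so it only passes as a TLS server, and a SAN because clients
# match the host name against subjectAltName, not CN.
sign_server_cert() {   # $1 = host name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/C=AU/O=xyz/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# 0 when the leaf chains to the CA for the sslserver purpose, is not itself
# a CA, and names the host in its SAN; 1 otherwise.
check_leaf() {         # $1 = host name
  openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$WORK/$1.crt" \
    >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$WORK/$1.crt" -noout -text)
  case $txt in *CA:FALSE*) ;; *) return 1 ;; esac
  case $txt in *"DNS:$1"*) ;; *) return 1 ;; esac
}

make_ca
sign_server_cert mail.xyz.com
check_leaf mail.xyz.com && echo "mail.xyz.com: chain, CA:FALSE and SAN OK"
```

Signing without -extfile, as in the second x509 -req command above, produces a leaf with no extensions at all (no CA:FALSE, no SAN), which check_leaf rejects and which current browsers refuse for host name matching.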
===== notes =====
openssl req -new -newkey rsa:1024 -days 3560 -CA ca.crt -nodes -x509 -keyout dc01.pem -out dc01.pem
===== Generate rsa.js and c# cert sharing =====
openssl genrsa -out cdt.pem 1024
openssl rsa -in cdt.pem -out cdt.public.der -outform DER -pubout -text
vi cdt.public.der
var p = "10001"; // publicExponent, copied from the -text dump
var d = "";      // privateExponent, copied from the -text dump
var m = "";      // modulus, copied from the -text dump
var md = 130;
setMaxDigits(md);
var key = new RSAKeyPair(p, d, m);
// encrypt
var ciphertext = encryptedString(key, message);
// decrypt
var decrypttext = decryptedString(key, ciphertext);
===== Check files =====
openssl req -noout -text -in mycsr.csr
openssl x509 -noout -text -in mycert.crt
openssl pkcs12 -clcerts -nodes -passin pass:"SomePassword" -in mycert.p12 | openssl x509 -noout -text
===== Verify private key matches public key =====
The private key contains a series of numbers. Two of those numbers form the "public key"; the others are part of your "private key". The "public key" numbers are also embedded in your Certificate (the CA copies them from your CSR). To check that the public key in your cert matches the public portion of your private key, view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and comparing a long modulus by eye is tedious, you can use the following approach:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
Then compare these much shorter digests. With overwhelming probability they will differ if the keys are different. As a one-liner:
$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5
And with automatic comparison (if more than one hash is displayed, they don't match):
$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
To check which key or certificate a particular CSR belongs to, compute the same digest over the CSR:
$ openssl req -noout -modulus -in server.csr | openssl md5
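The modulus comparison above, scripted as an added example (not code from the original notes) and extended beyond the RSA case: EC and Ed25519 keys have no modulus, so the second method compares the PEM SubjectPublicKeyInfo extracted from the cert, CSR or private key. The fixture files under the mktemp directory are constructed here.

```shell
#!/bin/sh
# Added example, not from the original notes: script the modulus check
# above, then generalise it to any key type (EC keys have no modulus)
# by comparing the SubjectPublicKeyInfo. Files under $WORK are
# constructed here.
set -eu
WORK=$(mktemp -d)

# The page's RSA-only method. md5 is only shortening two strings that
# must be byte-identical; its weakness as a hash is irrelevant here.
modulus_fp() {   # $1 = x509|rsa|req   $2 = file
  openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Public key of a cert, CSR or private key as PEM SubjectPublicKeyInfo.
pubkey_of() {    # $1 = x509|req|pkey   $2 = file
  case $1 in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
    *)    echo "unknown type: $1" >&2; return 2 ;;
  esac
}

# 0 when both objects carry the same public key, 1 otherwise. Works for
# RSA, EC and Ed25519 alike; an unreadable input never counts as a match.
same_pubkey() {  # $1 type  $2 file  $3 type  $4 file
  a=$(pubkey_of "$1" "$2") || return 1
  b=$(pubkey_of "$3" "$4") || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed fixtures: a self-signed cert with its key and CSR, plus
# an unrelated key that must not match.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=server" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj "/CN=server" \
  -out "$WORK/server.csr" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

same_pubkey x509 "$WORK/server.crt" pkey "$WORK/server.key" \
  && echo "server.crt and server.key match"
same_pubkey req "$WORK/server.csr" pkey "$WORK/other.key" \
  || echo "server.csr does not belong to other.key"
```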
===== PFX extract key, cer and crt chain =====
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nocerts -nodes -out wildcard.somedomain.com.au.key
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -clcerts -nokeys -out wildcard.somedomain.com.au.cer
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nodes -nokeys -cacerts -out wildcard.somedomain.com.au-ca.crt
apache vhost conf:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.somedomain.com.au.cer
SSLCertificateChainFile /etc/apache2/ssl/wildcard.somedomain.com.au-ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.somedomain.com.au.key
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder On