Differences

This shows you the differences between two versions of the page.

--- ssl_certificate_generation [2013/04/23 15:51] – paulsmith
+++ ssl_certificate_generation [2018/10/29 11:44] (current) – [Sign a req certificate] paulsmith
@@ Line 1: / Line 1: @@
+====== SSL Certificate Generation ======
+  * http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
+  * http://www.akadia.com/services/ssh_test_certificate.html
+  * http://shib.kuleuven.be/docs/ssl_commands.shtml
+  * http://www.ehow.com/how_4719978_ssl-certificate-request-openssl-linux.html
+===== Create a CA =====
+<code>
+openssl genrsa -out ca.key 4096
+openssl req -new -key ca.key -out ca.csr -config ca_openssl.cnf
+openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
+openssl x509 -in ca.crt -outform der -out cacert.der
+openssl x509 -in ca.crt -outform PEM -out cacert.pem
+</code>
+===== Create a SSL cert signed by a CA used by  courier-imap, postfix =====
+test.cnf:
+<code>
+[ req ]
+serial = 001
+expiration_days = 3650
+default_bits = 4096
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+[ req_dn ]
+C=AU
+ST=STATE
+L=CITY
+O=xyz
+CN=mail.xyz.com
+emailAddress=postmaster@xyz.com
+[ cert_type ]
+nsCertType = server
+</code>
+generate cert:
+<code>
+openssl req -nodes -newkey rsa:4096 -config test.cnf -days 3650 -keyout test.key -out test.csr
+openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile test.cnf -extensions cert_type -outform PEM -out test.crt -days 3650
+cat test.key test.crt > test.pem
+openssl gendh 1024 >> test.pem
+</code>
+===== Create and Sign domain certificate =====
+<code>
+openssl req -newkey rsa:4096 -days 3000 -keyout new2.key -out new2.csr -config sign_openssl.cnf
+openssl ca -in new2.csr -days 3000 -notext -out new2.pem -keyfile ca.key -cert ca.crt -config sign_openssl.cnf
+openssl rsa -in new2.key -out new2a.key
+cat new2a.key new2.pem > squid.pem
+openssl x509 -text -noout -in squid.pem
+if sign_openssl.cnf had all the information configured then this would create without input:
+openssl req -newkey rsa:4096 -days 3000 -keyout new4.key -outform PEM -out new4.csr -config sign_openssl.cnf -nodes -batch
+openssl x509 -req -in new4.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform PEM -out new4.pem -days 3000
+cat new4.key new4.pem > new4_squid.pem
+openssl req -newkey rsa:2048 -keyout wildkey.pem -keyform PEM -out wildreq.pem -outform PEM -config wild_openssl.cnf -nodes
+openssl ca -startdate 100921010000Z -in wildreq.pem -notext -out wildcert.pem -keyfile ca.key -cert ca.crt -config wild_openssl.cnf
+cat wildkey.pem wildcert.pem > wildsquid.pem
+-- make a der cert
+openssl x509 -outform der -in wildcert.pem -out wildcert.der
+openssl req -newkey rsa:2048 -keyout XYZkey.pem -keyform PEM -out XYZreq.pem -outform PEM -config XYZ_openssl.cnf -nodes
+openssl ca -startdate 100921010000Z -in XYZreq.pem -notext -out XYZcert.pem -keyfile ca.key -cert ca.crt  -config XYZ_openssl.cnf
+openssl pkcs12 -export -clcerts -in XYZcert.pem -inkey XYZkey.pem -out XYZkey.p12 -name "P3"
+</code>
+===== Create a CA certificate =====
+<code>
+openssl genrsa -out ca.key 1024
+openssl req -new -key ca.key -out ca.csr
+openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
+</code>
+<code>
+Make the der file for clients to install into there root certificate stores
+openssl x509 -in cacert.pem -outform der -out cacert.der
+</code>
+===== Sign a req certificate =====
+openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
+openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout dc01.pem -out dc01.csr
+file: v3.ext
+<code>
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+</code>
+openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000 -extfile v3.ext
+<code>
+openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000
+Country Name (2 letter code) [AU]:
+State or Province Name (full name) [Some-State]:
+Locality Name (eg, city) []:
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+Organizational Unit Name (eg, section) []:
+Common Name (eg, YOUR name) []:
+Email Address []:
+</code>
+===== notes =====
+<code>
+openssl req -new -newkey rsa:1024 -days 3560 -CA ca.crt -nodes -x509 -keyout dc01.pem -out dc01.pem
+</code>
+===== Generate rsa.js and c# cert sharing =====
+<code>
+openssl genrsa -out cdt.pem 1024
+openssl rsa -in cdt.pem -out cdt.public.der -outform DER -pubout -text
+vi cdt.public.der
+  var p = "10001"        <= publicExponent
+  var d = ""             <= privateExponent
+  var m = ""             <= modulus
+  var md = 130
+  setMaxDigits(md);
+  var key = new RSAKeyPair(p,d,m);
+  //encrpyt
+  var ciphertext = encryptedString(key, message);
+  //decode
+  var decrpyttext = decryptedString(key, ciphertext);
+</code>
+===== Check files =====
+<code>
+openssl req -noout -text -in mycsr.csr
+openssl x509  -noout -text -in mycert.crt
+openssl pkcs12 -clcerts -nodes -passin pass:"SomePassword" -in mycert.p12 | openssl x509 -noout -text
+</code>
+===== Verify private key matched public key =====
+<code>
+The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:
+$ openssl x509 -noout -text -in server.crt
+$ openssl rsa -noout -text -in server.key
+The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following approach:
+$ openssl x509 -noout -modulus -in server.crt | openssl md5
+$ openssl rsa -noout -modulus -in server.key | openssl md5
+And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. As a one-liner:
+$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
+  openssl rsa -noout -modulus -in server.key | openssl md5
+And with auto-magic comparison (If more than one hash is displayed, they don't match):
+$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
+   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
+BTW, if I want to check to which key or certificate a particular CSR belongs you can compute
+$ openssl req -noout -modulus -in server.csr | openssl md5
+</code>
+===== PFX extract key, cer and crt chain =====
+<code>
+openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nocerts -nodes -out wildcard.somedomain.com.au.key
+openssl pkcs12 -in wildcard.somedomain.com.au.pfx -clcerts -nokeys -out wildcard.somedomain.com.au.cer
+openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nodes -nokeys -cacerts -out wildcard.somedomain.com.au-ca.crt
+apache vhost conf:
+        SSLEngine on
+        SSLCertificateFile /etc/apache2/ssl/wildcard.somedomain.com.au.cer
+        SSLCertificateChainFile /etc/apache2/ssl/wildcard.somedomain.com.au-ca.crt
+        SSLCertificateKeyFile /etc/apache2/ssl/wildcard.somedomain.com.au.key
+        SSLProtocol ALL -SSLv2 -SSLv3
+        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+        SSLHonorCipherOrder On
+</code>