
I've dealt with public/private key and certificate issues since 2000 and have always had to go back to the openssl documentation when I needed to set things up again. The commands just don't seem to stay in my head after I need to use them. In the last two years alone I've had to set up more than 3 certificate issuing/signing systems for labs and then integrate the production systems with real PKI systems.

So, I thought I'd take my notes from these and put them here for future reference. I call it "Notes on Using Openssl".

Formatting notes:

Certificates can come in three formats:

PEM
DER
PKCS12

These have the same underlying structure, but are presented in different ways. PEM is the default openssl format. It starts with this:

-----BEGIN CERTIFICATE-----

and ends with this:

-----END CERTIFICATE-----

In between are a lot of ASCII characters. These are the actual certificate (with the public key embedded), the private key, or both. If the key is there, you have the option to protect it with a password or not. The stuff in the middle is Base64-encoded DER.

A DER file doesn't have the ASCII headers, but also stores the same things as the PEM, only it is ASN.1 DER encoded.

PKCS12 is also known as PFX. It can also contain the same information as the PEM/DER, but it is in a binary format. Browsers use PKCS12 for their certificate/key import/export needs. It will actually encrypt the key part with a password, so the key can be sent over the network to the user without having to build a separate secure channel for transport (a good FAQ on the PKCS12 format is here).

If you want to use a certificate/key for a program, PEM or DER are your formats. If you want to use it in a browser, then PKCS12 is your go-to guy.

Creating your own CA:

Sometimes, particularly for development, one will want to create one's own RootCA. No one else will ever trust your CA, but you can trust yourself and learn how to deal with certificates.

Openssl has a good FAQ on key generation and certificates, but here's mine anyway.

First, you have to create your new root public/private key set. The key can be generated alone:

openssl genrsa -des3 -out key-srv.pem 2048

and if you are hard-core testing and want no security, write the key out to a non-password-protected file:

openssl rsa -in key-srv.pem -out key-srv.pem.unsecure

This key will always stay with you. Put it in a sub-folder so it never gets confused with new keys. However, to be useful you need a public counterpart to distribute to the world. No one will trust you unless that public key is signed by a reputable authority (who will, in theory, verify you are who you say you are and have secured your key; in theory...). For now, we want to be our own root CA, so we sign it ourselves by adding -x509 to the req command:

openssl req <-config if-using-your-own-conf> -new -x509 -key <path-to-the-key-we-made>.pem -out cacert.pem -days 3650


Now we have a root key and certificate, trusted by no one!

Now we can create CSRs and keys to our heart's content and sign them using our own rootCA. You can either do this with the default information which you then change at the prompt or you can use your own configuration file (that's another story in itself).

openssl req -new -key <you have a new key for this, right?> -out lab.csr

Or you can create both the key and the CSR in one command:

openssl req -new -nodes -keyout <path-to-new-key>.key -out lab.csr

Using a custom config:

openssl req -config <path-to>/openssl.cnf -new -out <path-to>.csr

So, now we sign the request:

openssl ca <-config if-custom> -keyfile <path-to-root-CA-key> -cert <path-to-root-CA>/cacert.pem -out <path-to-client-certs-dir>.pem -infiles <path-to-csr-files>.csr

Now, it's easy to just send it as is (browsers can import PEM formats), or you can convert it to DER for use in programs:

openssl x509 -in client01.pem -out client01.der -outform DER

PKCS12 has its own set of commands if you want/need that format (IE documentation seems to prefer it for some reason).

You can generate a new one:
openssl pkcs12 -export -out cacert.p12 -inkey ./private/cakey.pem -in ./cacert.pem

Occasionally I've had to extract a key and certificate from PKCS12:

openssl pkcs12 -in <path-to>.p12 -nocerts -out <path-to>.key
openssl pkcs12 -in <path-to>.p12 -nokeys -out <path-to>.pem

Finally, if you are ever in doubt you can verify a certificate:

Look at it in plain text:
openssl x509 -in <cert-path>.pem -noout -text

Verify that the cert is valid according to your root chain:
openssl verify <-CAfile cacert.pem if verifying against a non-trusted CA> <cert-path>.pem
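
The whole lab workflow above as one non-interactive run, added here as an example and not part of the original notes. It uses `openssl x509 -req` in place of `openssl ca` so that no CA database or custom config is needed, and the file names, subject names and passphrase are constructed for the lab.

```shell
#!/bin/sh
# Lab-only walk-through; all names and the passphrase are constructed.
# A pass:... argument is visible in the process list, so never use it for real keys.
set -eu

lab_pki() {
    dir=$1; pass=$2          # working directory and a throwaway lab passphrase
    mkdir -p "$dir/private"; chmod 700 "$dir/private"

    # 1. Root key (passphrase-protected) and a 10-year self-signed root certificate.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/private/cakey.pem" 2048
    openssl req -new -x509 -key "$dir/private/cakey.pem" -passin "pass:$pass" \
        -subj "/CN=Lab Root CA" -days 3650 -out "$dir/cacert.pem"

    # 2. End-entity key and CSR in one command (-nodes leaves the key unencrypted).
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/private/client01.key" \
        -subj "/CN=client01.lab.example" -out "$dir/lab.csr"

    # 3. Sign the CSR with the root; x509 -req stands in for `openssl ca` here.
    openssl x509 -req -in "$dir/lab.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -passin "pass:$pass" -CAcreateserial \
        -days 365 -out "$dir/client01.pem"

    # 4. The same certificate as DER, then certificate plus key bundled as PKCS12.
    openssl x509 -in "$dir/client01.pem" -outform DER -out "$dir/client01.der"
    openssl pkcs12 -export -in "$dir/client01.pem" -inkey "$dir/private/client01.key" \
        -passout "pass:$pass" -out "$dir/client01.p12"

    # 5. Pull only the certificate back out of the PKCS12 bundle.
    openssl pkcs12 -in "$dir/client01.p12" -passin "pass:$pass" -nokeys \
        -out "$dir/client01.from-p12.pem"
}

# SHA-256 fingerprint of a certificate file; $2 is its encoding (PEM or DER).
cert_fp() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

# Prints "<file>: OK" when the certificate chains to the given root.
verify_cert() { openssl verify -CAfile "$1" "$2"; }

LAB_DIR=$(mktemp -d)
lab_pki "$LAB_DIR" "lab-only-passphrase"
verify_cert "$LAB_DIR/cacert.pem" "$LAB_DIR/client01.pem"
cert_fp "$LAB_DIR/client01.pem" PEM
cert_fp "$LAB_DIR/client01.der" DER
```

The two fingerprints printed at the end match, since the PEM and DER files hold the same certificate in different encodings.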
