

Practical SSL/TLS and Cryptography, technical Part II
Generating CSRs and self-signed certificates; inspecting and extracting certificates and CSRs; converting files between PEM and PFX formats.
Generating CSR and self signed Certificates
-------------------------------------------

We can generate a CSR from an existing key file (the PEM key file holds the private key, from which the public key is derived). Command for it:

    openssl req -new -key RSA-KEY1.pem -out RSA-KEY1-CSR.pem

We will be prompted for the Subject fields: Country (C), State (ST), Locality (L), Organization, Common Name (CN), email address, and optionally a challenge password. The generated CSR can be viewed with:

    openssl req -in RSA-KEY1-CSR.pem -noout -text

This shows the CSR contents; the Subject line will consist of C, ST, L, CN and emailAddress matching what was provided during the CSR creation step.

Now that the CSR is created, we need a certificate. Note: we cannot issue a CA-signed certificate unless we are a Certificate Authority (we could set up our own CA, but that is out of scope for these notes), so we create a self-signed certificate instead:

    openssl req -x509 -key RSA-KEY1.pem -out RSA-KEY1-CERT.pem

We can view the content of the self-signed certificate using the command below:

    openssl x509 -in RSA-KEY1-CERT.pem -noout -text

Note: in a self-signed certificate the Issuer information and the Subject information are the same.

While creating the self-signed certificate we can either enter the Subject values step by step via the prompts on the command line, or specify the whole Subject in one step with -subj "/CN=website.com". The command then becomes:

    openssl req -x509 -key RSA-KEY1.pem -out RSA-KEY1-CERT.pem -subj "/CN=website.com"

If we look at the Signature Algorithm of the self-signed certificate we will see it is signed with, say, the sha256 hash algorithm using the RSA key. We can request a different hash algorithm from the command line by adding it at the end:

    openssl req -x509 -key RSA-KEY1.pem -out RSA-KEY1-CERT.pem -subj "/CN=website.com" -md5

The above uses the md5 hash algorithm, which is not considered safe nowadays.

    openssl req -x509 -key RSA-KEY1.pem -out RSA-KEY1-CERT.pem -subj "/CN=website.com" -sha512

We can also use the -config option to supply default values such as the validity period of the certificate or the extensions used. To find the config file:

    openssl version -d

List the folder it prints, where the config file (openssl.cnf) lives, make a backup copy of it, and then update the default values as your certificate needs.

Now we will generate a CSR and certificate together with a new key (not a pre-existing one). First a new CSR without specifying a key:

    openssl req -new -out CSR.pem -subj "/CN=site.com"

This generates CSR.pem and privkey.pem. Since no key is given to -new, the utility also creates a private key using the defaults in the OpenSSL config file. By default the key is written encrypted with DES; if we do not want it encrypted, add -nodes at the end:

    openssl req -new -out CSR.pem -subj "/CN=SKP.com" -nodes

Let's examine the content of the private key privkey.pem using the pkey utility:

    openssl pkey -in privkey.pem -noout -text

If we want to write the key to a file name of our choice, run the command below:

    openssl req -new -out CSR.pem -subj "/CN=SKP.com" -nodes -keyout RSA-key2.pem

Let's explore the -newkey option to create a (self-signed) certificate:

    openssl req -x509 -out CERT.pem -subj "/CN=skp.com" -nodes -newkey 777    # legacy way: a bare bit count

This generates a private key and CERT.pem (777 bits is only a placeholder here and far too small for real use). View it with:

    openssl x509 -in CERT.pem -noout -text

The current way of creating a certificate along with a new key is:

    openssl req -x509 -out CERT.pem -subj "/CN=skp.com" -nodes -newkey rsa:2048

The same command for the DSA algorithm (DSA-PARAM.pem holds previously generated DSA parameters):

    openssl req -x509 -out CERT.pem -subj "/CN=skp.com" -nodes -newkey dsa:DSA-PARAM.pem

Inspecting Certificates and CSR
-------------------------------

Extracting specific information from CSRs and certificates.
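Before going through the individual inspection commands, here is the procedure from the previous section run end to end and then checked with the kind of inspection this section is about. This is an added shell example, not code from the original notes; it assumes a Unix shell with the openssl binary on PATH, and the key, file names, Subject values and helper function names (csr_cn, cert_self_signed, cert_sig_alg, key_matches_cert, cert_verifies_self) are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: generate an RSA key, a CSR from
# that key and a self-signed certificate, then check the properties the notes
# describe (Subject fields, Issuer == Subject, signature hash, key/cert match).
# All file names, the Subject values and the helper names are constructed here.
set -e

WORK=$(mktemp -d)
KEY="$WORK/RSA-KEY1.pem"
CSR="$WORK/RSA-KEY1-CSR.pem"
CERT="$WORK/RSA-KEY1-CERT.pem"
SUBJ="/C=US/ST=California/L=San Francisco/O=Example Org/CN=website.com"

# 1. The notes assume an existing key from Part I; here one is generated
#    (RSA 2048, left unencrypted so the script runs without prompts).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null

# 2. CSR from the existing key; -subj supplies the whole Subject in one step
#    instead of answering the interactive prompts.
openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ"

# 3. Self-signed certificate from the same key. Validity and hash are given
#    explicitly instead of relying on the openssl.cnf defaults.
openssl req -x509 -key "$KEY" -out "$CERT" -subj "$SUBJ" -days 365 -sha256

# CN taken from the CSR's Subject line; the sed pattern accepts both the
# "/CN=x" and the "CN = x" output styles of different OpenSSL versions.
csr_cn() {
  openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# "yes" when Issuer and Subject are identical, the mark of a self-signed cert.
cert_self_signed() {
  sub=$(openssl x509 -in "$CERT" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$CERT" -noout -issuer | sed 's/^issuer= *//')
  if [ "$sub" = "$iss" ]; then echo yes; else echo no; fi
}

# Signature algorithm as printed in the -text dump, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$CERT" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# "match" when the public key embedded in the certificate equals the public
# half of the private key; a cert is only usable with the key it was made from.
key_matches_cert() {
  k=$(openssl pkey -in "$KEY" -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in "$CERT" -noout -pubkey | openssl dgst -sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# "OK" when the certificate verifies with itself as the only trust anchor.
cert_verifies_self() {
  if openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Stand-alone run: the fields the notes tell us to inspect.
echo "CSR CN:      $(csr_cn)"
echo "self-signed: $(cert_self_signed)"
echo "sig alg:     $(cert_sig_alg)"
echo "key/cert:    $(key_matches_cert)"
echo "verify:      $(cert_verifies_self)"
openssl x509 -in "$CERT" -noout -subject -issuer -dates
```

The key/cert comparison is worth keeping around: when a certificate is later reissued or a PFX is rebuilt, comparing the SHA-256 of the two public keys is the quickest way to catch a key that no longer belongs to the certificate.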
    openssl x509 -in wikipedia.cert -noout -text
    openssl x509 -in wikipedia.cert -noout -dates
    openssl x509 -in wikipedia.cert -noout -subject
    openssl x509 -in wikipedia.cert
    openssl x509 -in wikipedia.cert -noout -subject -issuer -dates
    openssl pkey -pubin -in <public-key.pem> -noout -text

(The fourth command, with no -noout, simply re-prints the PEM certificate. In the last one, -pubin tells pkey that the input is a public key; <public-key.pem> stands for your own file.)

File Formats and Conversions (pem, der, pfx)
--------------------------------------------

How to check which format a file is in.

To check if a file (cert) is in PEM format:

    openssl x509 -in fileA.crt

To check if a file is in DER format:

    openssl x509 -in fileA.crt -inform DER

If the file is not in DER format the command will error out.

Any time we want to test a key file (i.e. a public and/or private key) we should use the pkey utility instead of x509:

    openssl pkey -in fileA.key

If the file is in DER format instead of PEM then use -inform DER:

    openssl pkey -in fileB.key -inform DER

For PFX files, run the command below to check and confirm whether it is a PFX-formatted certificate file. Note we have to use the pkcs12 utility instead of x509 for the certificate:

    openssl pkcs12 -in fileC.crt -nodes

Now let's test a PFX key file:

    openssl pkcs12 -in fileC.key -nodes

Note: PFX files are container files which can hold different things. A PFX can contain a series of certificates (a certificate chain), or it can store a certificate together with its matching private key.

How to convert files between PEM and DER formats: ** not covered here **

How to convert files between PEM and PFX formats

Let's convert a PEM file to PFX:

    openssl pkcs12 -in fileA.crt.pem -nokeys -export -out fileA.crt.pfx

The above command creates a PFX-formatted certificate file from the PEM one.

    openssl pkcs12 -in fileA.crt.pem -inkey fileA.key.pem -export -out fileA.crtkey.pfx

The above command converts PEM (key and certificate both) into a PFX file. Note: a PFX file cannot contain only a private key; if it has a private key it must also have the matching certificate.

Let's convert a PFX file into a PEM file:

    openssl pkcs12 -in fileC.crt.pfx -out fileC.crt.pem -nodes

If the -out option is not used then the PEM-formatted content is displayed on the console:

    openssl pkcs12 -in fileC.crtkey.pfx -nodes

This prints (as -out is not specified) both the certificate and the private key.

Note: "-nodes", when given as an argument, means OpenSSL will not encrypt the private key it writes out from the PKCS#12 file, so the output is as sensitive as the key itself.

    openssl pkcs12 -in COLORS.pfx -nodes | grep BEGIN
    openssl pkcs12 -in COLORS.pfx -nodes | grep -e subject -e KEY    # several -e patterns: grep matches either one (OR)

    openssl pkcs12 -in COLORS.pfx -nodes -nocerts | grep BEGIN
    openssl pkcs12 -in COLORS.pfx -nodes -nocerts | grep -e subject -e KEY

The above display only the private key.

    openssl pkcs12 -in COLORS.pfx -nodes -clcerts | grep -e subject -e KEY

The above creates (here prints, since -out is not given) one private key and the certificate matching that private key.

    openssl pkcs12 -in COLORS.pfx -nodes -cacerts | grep -e subject -e KEY

The above prints the private key and all certificates except the one matching the private key.

    openssl pkcs12 -in COLORS.pfx -nodes -cacerts -nokeys | grep -e subject -e KEY

The above prints (extracts) only the certificates, all except the one matching the private key.

Hope this summary helps.
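The format checks, the PEM-to-PFX-to-PEM round trip and the pkcs12 selection flags (-nocerts, -nokeys, -clcerts, -cacerts) described above, put together as an added shell example that is not part of the original notes. It assumes a Unix shell with openssl on PATH; the key, certificate, file names, the PFX password "example" and the helper names (detect_format, pem_to_pfx, pfx_to_pem, pfx_inventory, cert_fingerprint, roundtrip_ok) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: tell PEM, DER and PFX files apart
# using the utility the notes recommend for each, convert PEM -> PFX -> PEM,
# and count what each pkcs12 selection flag actually emits. The key, cert,
# file names and the PFX password "example" are constructed for this script.
set -e

WORK=$(mktemp -d)
PASS=pass:example    # constructed password; "pass:" is openssl's inline form

# Constructed material: a self-signed cert with a fresh key, a DER copy of the
# cert, and a PFX bundling key + cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/fileA.key.pem" \
  -out "$WORK/fileA.crt.pem" -subj "/CN=skp.com" -days 1 2>/dev/null
openssl x509 -in "$WORK/fileA.crt.pem" -outform DER -out "$WORK/fileA.crt.der"
openssl pkcs12 -export -in "$WORK/fileA.crt.pem" -inkey "$WORK/fileA.key.pem" \
  -out "$WORK/fileA.crtkey.pfx" -passout "$PASS"

# detect_format FILE -> PEM-cert | PEM-key | DER-cert | PFX | DER-key | unknown
# PEM is only claimed when the textual "-----BEGIN" header is present, so a
# DER file is never reported as PEM on builds that auto-detect the input form.
detect_format() {
  f=$1
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null \
       && openssl x509 -in "$f" -inform PEM -noout 2>/dev/null; then
    echo PEM-cert
  elif grep -q -- 'PRIVATE KEY-----' "$f" 2>/dev/null \
       && openssl pkey -in "$f" -inform PEM -noout 2>/dev/null; then
    echo PEM-key
  elif openssl x509 -in "$f" -inform DER -noout 2>/dev/null; then
    echo DER-cert
  elif openssl pkcs12 -in "$f" -noout -passin "$PASS" 2>/dev/null; then
    echo PFX
  elif openssl pkey -in "$f" -inform DER -noout 2>/dev/null; then
    echo DER-key
  else
    echo unknown
  fi
}

# pem_to_pfx CERT KEY OUT: bundle a PEM certificate with its matching key.
pem_to_pfx() { openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "$PASS"; }

# pfx_to_pem PFX OUT: unpack to PEM. -nodes leaves the private key unencrypted,
# so the output file needs the same protection as the key itself.
pfx_to_pem() { openssl pkcs12 -in "$1" -out "$2" -nodes -passin "$PASS"; }

# pfx_inventory PFX [FLAGS]: count the PEM blocks the given pkcs12 selection
# flags would print, e.g.  pfx_inventory f.pfx -nocerts  ->  certs=0 keys=1
pfx_inventory() {
  out=$(openssl pkcs12 -in "$1" -nodes -passin "$PASS" $2)
  certs=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
  keys=$(printf '%s\n' "$out" | grep -c 'BEGIN PRIVATE KEY' || true)
  echo "certs=$certs keys=$keys"
}

# SHA-256 fingerprint of the (first) certificate in FILE.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'; }

# "same" when the certificate survives PEM -> PFX -> PEM unchanged.
roundtrip_ok() {
  pem_to_pfx "$WORK/fileA.crt.pem" "$WORK/fileA.key.pem" "$WORK/rt.pfx"
  pfx_to_pem "$WORK/rt.pfx" "$WORK/rt.pem"
  if [ "$(cert_fingerprint "$WORK/fileA.crt.pem")" = "$(cert_fingerprint "$WORK/rt.pem")" ]; then
    echo same
  else
    echo different
  fi
}

# Stand-alone run.
for f in fileA.crt.pem fileA.key.pem fileA.crt.der fileA.crtkey.pfx; do
  echo "$f: $(detect_format "$WORK/$f")"
done
echo "all:       $(pfx_inventory "$WORK/fileA.crtkey.pfx")"
echo "-nocerts:  $(pfx_inventory "$WORK/fileA.crtkey.pfx" -nocerts)"
echo "-nokeys:   $(pfx_inventory "$WORK/fileA.crtkey.pfx" -nokeys)"
echo "-clcerts:  $(pfx_inventory "$WORK/fileA.crtkey.pfx" -clcerts)"
echo "-cacerts:  $(pfx_inventory "$WORK/fileA.crtkey.pfx" -cacerts)"
echo "roundtrip: $(roundtrip_ok)"
```

With a single self-signed certificate in the PFX, -cacerts yields no certificate at all: pkcs12 tells "client" and "CA" certificates apart by whether the certificate bag carries the localKeyID that ties it to the private key, which is exactly the "all except the one matching the private key" behaviour the notes describe.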