| |
| ***** Create a self signed cert ************ |
| |
| 1) openssl genrsa 1024 > client-key.pem |
| |
| 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem |
| |
| 3) note md5 would be -md5 |
| |
| -- adding metadata to beginning |
| |
| 3) openssl x509 -in client-cert.pem -text > tmp.pem |
| |
| 4) mv tmp.pem client-cert.pem |
| |
| |
| ***** Create a CA, signing authority ********** |
| |
| same as self signed, use ca prefix instead of client |
| |
| |
| ***** Create a cert signed by CA ************** |
| |
| 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem |
| |
| * note if using exisitng key do: -new -key keyName |
| |
| 2) copy ca-key.pem ca-cert.srl (why ????) |
| |
| 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem |
| |
| |
| ***** Adding Subject Key ID and Authentication Key ID extensions to a cert ***** |
| |
| Create a config file for OpenSSL with the example contents: |
| |
| [skidakid] |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid |
| |
| Add to the openssl command for creating a cert signed by a CA step 3 the |
| following options: |
| |
| -extfile <file.cnf> -extensions skidakid |
| |
| anywhere before the redirect. This will add the cert's public key hash as the |
| Subject Key Identifier, and the signer's SKID as the Authentication Key ID. |
| |
| |
| ***** To create a dsa cert ******************** |
| |
| 1) openssl dsaparam 512 > dsa512.param # creates group params |
| |
| 2) openssl gendsa dsa512.param > dsa512.pem # creates private key |
| |
| 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem |
| |
| |
| |
| |
| ***** To convert from PEM to DER ************** |
| |
| a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER |
| |
| to convert rsa private PEM to DER : |
| |
| b) openssl rsa -in key.pem -outform DER -out key.der |
| |
| |
| **** To encrypt rsa key already in pem ********** |
| |
| a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem |
| |
| note location of des, pass = yassl123 |
| |
| |
| *** To make a public key from a private key ****** |
| |
| |
| openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub |
| |
| |
| **** To convert to pkcs8 ******* |
| |
| openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem |
| |
| |
| **** To convert to pkcs8 encrypted ******* |
| |
| openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem |
| |
| passwd: yassl123 |
| |
| to use PKCS#5 v2 instead of v1.5 which is default add |
| |
| -v2 des3 # file Pkcs8Enc2 |
| |
| to use PKCS#12 instead use -v1 witch a 12 algo like |
| |
| -v1 PBE-SHA1-RC4-128 # file Pkcs8Enc12 , see man pkcs8 for more info |
| |
| |
| **** To convert from pkcs8 to traditional **** |
| |
| openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem |
| |
| |
| *** DH paramters *** |
| |
| openssl dhparam 2048 > dh2048.param |
| |
| to add metadata |
| |
| openssl dhparam -in dh2048.param -text > dh2048.pem |
| |
| **** ECC ****** |
| |
| 1) make a key |
| |
| to see types available do |
| openssl ecparam -list_curves |
| |
| make a new key |
| openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem |
| |
| |
| *** CRL *** |
| |
| 1) create a crl |
| |
| a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem |
| |
| Error No ./CA root/index.txt so: |
| |
| b) touch ./CA root/index.txt |
| |
| a) again |
| |
| Error No ./CA root/crlnumber so: |
| |
| c) touch ./CA root/crlnumber |
| |
| a) again |
| |
| Error unable to load CRL number |
| |
| d) add '01' to crlnumber file |
| |
| a) again |
| |
| 2) view crl file |
| |
| openssl crl -in crl.pem -text |
| |
| 3) revoke |
| |
| openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem |
| |
| Then regenerate crl with a) |
| |
| 4) verify |
| |
| openssl verify -CAfile ./ca-cert.pem ./server-cert.pem |
| |
| OK |
| |
| Make file with both ca and crl |
| |
| cat ca-cert.pem crl.pem > ca-crl.pem |
| |
| openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem |
| |
| revoked |