2
0

taoCert.txt 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
  1. ***** Create a self signed cert ************
  2. 1) openssl genrsa 1024 > client-key.pem
  3. 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem
  4. 3) note md5 would be -md5
  5. -- adding metadata to beginning
  6. 3) openssl x509 -in client-cert.pem -text > tmp.pem
  7. 4) mv tmp.pem client-cert.pem
  8. ***** Create a CA, signing authority **********
  9. same as self signed, use ca prefix instead of client
  10. ***** Create a cert signed by CA **************
  11. 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
  12. * note if using exisitng key do: -new -key keyName
  13. 2) copy ca-key.pem ca-cert.srl (why ????)
  14. 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
  15. ***** Adding Subject Key ID and Authentication Key ID extensions to a cert *****
  16. Create a config file for OpenSSL with the example contents:
  17. [skidakid]
  18. subjectKeyIdentifier=hash
  19. authorityKeyIdentifier=keyid
  20. Add to the openssl command for creating a cert signed by a CA step 3 the
  21. following options:
  22. -extfile <file.cnf> -extensions skidakid
  23. anywhere before the redirect. This will add the cert's public key hash as the
  24. Subject Key Identifier, and the signer's SKID as the Authentication Key ID.
  25. ***** To create a dsa cert ********************
  26. 1) openssl dsaparam 512 > dsa512.param # creates group params
  27. 2) openssl gendsa dsa512.param > dsa512.pem # creates private key
  28. 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem
  29. ***** To convert from PEM to DER **************
  30. a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  31. to convert rsa private PEM to DER :
  32. b) openssl rsa -in key.pem -outform DER -out key.der
  33. **** To encrypt rsa key already in pem **********
  34. a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem
  35. note location of des, pass = yassl123
  36. *** To make a public key from a private key ******
  37. openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub
  38. **** To convert to pkcs8 *******
  39. openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem
  40. **** To convert to pkcs8 encrypted *******
  41. openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem
  42. passwd: yassl123
  43. to use PKCS#5 v2 instead of v1.5 which is default add
  44. -v2 des3 # file Pkcs8Enc2
  45. to use PKCS#12 instead use -v1 witch a 12 algo like
  46. -v1 PBE-SHA1-RC4-128 # file Pkcs8Enc12 , see man pkcs8 for more info
  47. **** To convert from pkcs8 to traditional ****
  48. openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem
  49. *** DH paramters ***
  50. openssl dhparam 2048 > dh2048.param
  51. to add metadata
  52. openssl dhparam -in dh2048.param -text > dh2048.pem
  53. **** ECC ******
  54. 1) make a key
  55. to see types available do
  56. openssl ecparam -list_curves
  57. make a new key
  58. openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem
  59. convert to compressed
  60. openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem
  61. *** CRL ***
  62. 1) create a crl
  63. a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
  64. Error No ./CA root/index.txt so:
  65. b) touch ./CA root/index.txt
  66. a) again
  67. Error No ./CA root/crlnumber so:
  68. c) touch ./CA root/crlnumber
  69. a) again
  70. Error unable to load CRL number
  71. d) add '01' to crlnumber file
  72. a) again
  73. 2) view crl file
  74. openssl crl -in crl.pem -text
  75. 3) revoke
  76. openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
  77. Then regenerate crl with a)
  78. 4) verify
  79. openssl verify -CAfile ./ca-cert.pem ./server-cert.pem
  80. OK
  81. Make file with both ca and crl
  82. cat ca-cert.pem crl.pem > ca-crl.pem
  83. openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem
  84. revoked