123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 |
- ***** Create a self signed cert ************
- 1) openssl genrsa 1024 > client-key.pem
- 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem
- 3) note md5 would be -md5
- -- adding metadata to beginning
- 3) openssl x509 -in client-cert.pem -text > tmp.pem
- 4) mv tmp.pem client-cert.pem
- ***** Create a CA, signing authority **********
- same as self signed, use ca prefix instead of client
- ***** Create a cert signed by CA **************
- 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
- * note if using existing key do: -new -key keyName
- 2) copy ca-key.pem ca-cert.srl (why ????)
- 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
- ***** Adding Subject Key ID and Authentication Key ID extensions to a cert *****
- Create a config file for OpenSSL with the example contents:
- [skidakid]
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid
- Add to the openssl command for creating a cert signed by a CA step 3 the
- following options:
- -extfile <file.cnf> -extensions skidakid
- anywhere before the redirect. This will add the cert's public key hash as the
- Subject Key Identifier, and the signer's SKID as the Authentication Key ID.
- ***** To create a dsa cert ********************
- 1) openssl dsaparam 512 > dsa512.param # creates group params
- 2) openssl gendsa dsa512.param > dsa512.pem # creates private key
- 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem
- ***** To convert from PEM to DER **************
- a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
- to convert rsa private PEM to DER :
- b) openssl rsa -in key.pem -outform DER -out key.der
- **** To encrypt rsa key already in pem **********
- a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem
- note location of des, pass = yassl123
- *** To make a public key from a private key ******
- openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub
- **** To convert to pkcs8 *******
- openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem
- **** To convert to pkcs8 encrypted *******
- openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem
- passwd: yassl123
- to use PKCS#5 v2 instead of v1.5 which is default add
- -v2 des3 # file Pkcs8Enc2
- to use PKCS#12 instead use -v1 which a 12 algo like
- -v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info
- -v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default
- **** To convert from pkcs8 to traditional ****
- openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem
- *** DH parameters ***
- openssl dhparam 2048 > dh2048.param
- to add metadata
- openssl dhparam -in dh2048.param -text > dh2048.pem
- **** ECC ******
- 1) make a key
- to see types available do
- openssl ecparam -list_curves
- make a new key
- openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem
- convert to compressed
- openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem
- *** CRL ***
- 1) create a crl
- a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
- Error No ./CA root/index.txt so:
- b) touch ./CA root/index.txt
- a) again
- Error No ./CA root/crlnumber so:
- c) touch ./CA root/crlnumber
- a) again
- Error unable to load CRL number
- d) add '01' to crlnumber file
- a) again
- 2) view crl file
- openssl crl -in crl.pem -text
- 3) revoke
- openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
- Then regenerate crl with a)
- 4) verify
- openssl verify -CAfile ./ca-cert.pem ./server-cert.pem
- OK
- Make file with both ca and crl
- cat ca-cert.pem crl.pem > ca-crl.pem
- openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem
- revoked
|