taoCert.txt 3.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176
  1. ***** Create a self signed cert ************
  2. 1) openssl genrsa 1024 > client-key.pem
  3. 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem
  4. 3) note md5 would be -md5
  5. -- adding metadata to beginning
  6. 3) openssl x509 -in client-cert.pem -text > tmp.pem
  7. 4) mv tmp.pem client-cert.pem
  8. ***** Create a CA, signing authority **********
  9. same as self signed, use ca prefix instead of client
  10. ***** Create a cert signed by CA **************
  11. 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem
  12. * note if using existing key do: -new -key keyName
  13. 2) copy ca-key.pem ca-cert.srl (why ????)
  14. 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
  15. ***** Adding Subject Key ID and Authentication Key ID extensions to a cert *****
  16. Create a config file for OpenSSL with the example contents:
  17. [skidakid]
  18. subjectKeyIdentifier=hash
  19. authorityKeyIdentifier=keyid
  20. Add to the openssl command for creating a cert signed by a CA step 3 the
  21. following options:
  22. -extfile <file.cnf> -extensions skidakid
  23. anywhere before the redirect. This will add the cert's public key hash as the
  24. Subject Key Identifier, and the signer's SKID as the Authentication Key ID.
  25. ***** To create a dsa cert ********************
  26. 1) openssl dsaparam 512 > dsa512.param # creates group params
  27. 2) openssl gendsa dsa512.param > dsa512.pem # creates private key
  28. 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem
  29. ***** To convert from PEM to DER **************
  30. a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  31. to convert rsa private PEM to DER :
  32. b) openssl rsa -in key.pem -outform DER -out key.der
  33. **** To encrypt rsa key already in pem **********
  34. a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem
  35. note location of des, pass = yassl123
  36. *** To make a public key from a private key ******
  37. openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub
  38. **** To convert to pkcs8 *******
  39. openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem
  40. **** To convert to pkcs8 encrypted *******
  41. openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem
  42. passwd: yassl123
  43. to use PKCS#5 v2 instead of v1.5 which is default add
  44. -v2 des3 # file Pkcs8Enc2
  45. to use PKCS#12 instead use -v1 which a 12 algo like
  46. -v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info
  47. -v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default
  48. **** To convert from pkcs8 to traditional ****
  49. openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem
  50. *** DH parameters ***
  51. openssl dhparam 2048 > dh2048.param
  52. to add metadata
  53. openssl dhparam -in dh2048.param -text > dh2048.pem
  54. **** ECC ******
  55. 1) make a key
  56. to see types available do
  57. openssl ecparam -list_curves
  58. make a new key
  59. openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem
  60. convert to compressed
  61. openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem
  62. *** CRL ***
  63. 1) create a crl
  64. a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
  65. Error No ./CA root/index.txt so:
  66. b) touch ./CA root/index.txt
  67. a) again
  68. Error No ./CA root/crlnumber so:
  69. c) touch ./CA root/crlnumber
  70. a) again
  71. Error unable to load CRL number
  72. d) add '01' to crlnumber file
  73. a) again
  74. 2) view crl file
  75. openssl crl -in crl.pem -text
  76. 3) revoke
  77. openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
  78. Then regenerate crl with a)
  79. 4) verify
  80. openssl verify -CAfile ./ca-cert.pem ./server-cert.pem
  81. OK
  82. Make file with both ca and crl
  83. cat ca-cert.pem crl.pem > ca-crl.pem
  84. openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem
  85. revoked