| yuezonghe | 824eb0c | 2024-06-27 02:32:26 -0700 | [diff] [blame] | 1 | |
| 2 | ***** Create a self signed cert ************ |
| 3 | |
| 4 | 1) openssl genrsa 1024 > client-key.pem |
| 5 | |
| 6 | 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem |
| 7 | |
| 8 | 3) note md5 would be -md5 |
| 9 | |
| 10 | -- adding metadata to beginning |
| 11 | |
| 12 | 3) openssl x509 -in client-cert.pem -text > tmp.pem |
| 13 | |
| 14 | 4) mv tmp.pem client-cert.pem |
| 15 | |
| 16 | |
| 17 | ***** Create a CA, signing authority ********** |
| 18 | |
| 19 | same as self signed, use ca prefix instead of client |
| 20 | |
| 21 | |
| 22 | ***** Create a cert signed by CA ************** |
| 23 | |
| 24 | 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem |
| 25 | |
| 26 | * note if using existing key do: -new -key keyName |
| 27 | |
| 28 | 2) copy ca-key.pem ca-cert.srl (why ????) |
| 29 | |
| 30 | 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem |
| 31 | |
| 32 | |
| 33 | ***** Adding Subject Key ID and Authentication Key ID extensions to a cert ***** |
| 34 | |
| 35 | Create a config file for OpenSSL with the example contents: |
| 36 | |
| 37 | [skidakid] |
| 38 | subjectKeyIdentifier=hash |
| 39 | authorityKeyIdentifier=keyid |
| 40 | |
| 41 | Add to the openssl command for creating a cert signed by a CA step 3 the |
| 42 | following options: |
| 43 | |
| 44 | -extfile <file.cnf> -extensions skidakid |
| 45 | |
| 46 | anywhere before the redirect. This will add the cert's public key hash as the |
| 47 | Subject Key Identifier, and the signer's SKID as the Authentication Key ID. |
| 48 | |
| 49 | |
| 50 | ***** To create a dsa cert ******************** |
| 51 | |
| 52 | 1) openssl dsaparam 512 > dsa512.param # creates group params |
| 53 | |
| 54 | 2) openssl gendsa dsa512.param > dsa512.pem # creates private key |
| 55 | |
| 56 | 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem |
| 57 | |
| 58 | |
| 59 | |
| 60 | |
| 61 | ***** To convert from PEM to DER ************** |
| 62 | |
| 63 | a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER |
| 64 | |
| 65 | to convert rsa private PEM to DER : |
| 66 | |
| 67 | b) openssl rsa -in key.pem -outform DER -out key.der |
| 68 | |
| 69 | |
| 70 | **** To encrypt rsa key already in pem ********** |
| 71 | |
| 72 | a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem |
| 73 | |
| 74 | note location of des, pass = yassl123 |
| 75 | |
| 76 | |
| 77 | *** To make a public key from a private key ****** |
| 78 | |
| 79 | |
| 80 | openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub |
| 81 | |
| 82 | |
| 83 | **** To convert to pkcs8 ******* |
| 84 | |
| 85 | openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem |
| 86 | |
| 87 | |
| 88 | **** To convert to pkcs8 encrypted ******* |
| 89 | |
| 90 | openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem |
| 91 | |
| 92 | passwd: yassl123 |
| 93 | |
| 94 | to use PKCS#5 v2 instead of v1.5 which is default add |
| 95 | |
| 96 | -v2 des3 # file Pkcs8Enc2 |
| 97 | |
| 98 | to use PKCS#12 instead use -v1 witch a 12 algo like |
| 99 | |
| 100 | -v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info |
| 101 | -v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default |
| 102 | |
| 103 | |
| 104 | **** To convert from pkcs8 to traditional **** |
| 105 | |
| 106 | openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem |
| 107 | |
| 108 | |
| 109 | *** DH parameters *** |
| 110 | |
| 111 | openssl dhparam 2048 > dh2048.param |
| 112 | |
| 113 | to add metadata |
| 114 | |
| 115 | openssl dhparam -in dh2048.param -text > dh2048.pem |
| 116 | |
| 117 | **** ECC ****** |
| 118 | |
| 119 | 1) make a key |
| 120 | |
| 121 | to see types available do |
| 122 | openssl ecparam -list_curves |
| 123 | |
| 124 | make a new key |
| 125 | openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem |
| 126 | |
| 127 | convert to compressed |
| 128 | openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem |
| 129 | |
| 130 | *** CRL *** |
| 131 | |
| 132 | 1) create a crl |
| 133 | |
| 134 | a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem |
| 135 | |
| 136 | Error No ./CA root/index.txt so: |
| 137 | |
| 138 | b) touch ./CA root/index.txt |
| 139 | |
| 140 | a) again |
| 141 | |
| 142 | Error No ./CA root/crlnumber so: |
| 143 | |
| 144 | c) touch ./CA root/crlnumber |
| 145 | |
| 146 | a) again |
| 147 | |
| 148 | Error unable to load CRL number |
| 149 | |
| 150 | d) add '01' to crlnumber file |
| 151 | |
| 152 | a) again |
| 153 | |
| 154 | 2) view crl file |
| 155 | |
| 156 | openssl crl -in crl.pem -text |
| 157 | |
| 158 | 3) revoke |
| 159 | |
| 160 | openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem |
| 161 | |
| 162 | Then regenerate crl with a) |
| 163 | |
| 164 | 4) verify |
| 165 | |
| 166 | openssl verify -CAfile ./ca-cert.pem ./server-cert.pem |
| 167 | |
| 168 | OK |
| 169 | |
| 170 | Make file with both ca and crl |
| 171 | |
| 172 | cat ca-cert.pem crl.pem > ca-crl.pem |
| 173 | |
| 174 | openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem |
| 175 | |
| 176 | revoked |