Tuesday, September 14, 2010

OpenSSL


The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for:
 o  Creation and management of private keys, public keys and parameters
 o  Public key cryptographic operations
 o  Creation of X.509 certificates, CSRs and CRLs
 o  Calculation of message digests
 o  Encryption and decryption with ciphers
 o  SSL/TLS client and server tests
 o  Handling of S/MIME signed or encrypted mail
 o  Time stamp requests, generation and verification
[root@localhost ~]# find / -name "openssl"
/usr/lib/openssl
/usr/bin/openssl
[root@localhost ~]# export PATH=$PATH:/usr/bin
[root@localhost ~]# openssl
1) Generate a private key:
openssl genrsa -des3 -out private.pem 2048
Generating RSA private key, 2048 bit long modulus
.......+++
..........................+++
e is 65537 (0x10001)
It will prompt for a passphrase, which has to be kept secret. Enter the password:
Enter pass phrase for private.pem:xxxx
Verifying - Enter pass phrase for private.pem:xxxx
We have now generated a private key protected with the passphrase xxxx.
2) Generate a Certificate Signing Request: the CSR is generated with the private key (the command is given below). If you give a wrong passphrase it throws an error like this:
unable to load Private Key
10107:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
10107:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
error in req
openssl req -new -key private.pem -out cert.csr
Enter pass phrase for private.pem:xxxx
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:India
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:karnataka
Locality Name (eg, city) [Newbury]:CVRaman Nagar
Organization Name (eg, company) [My Company Ltd]:Moto IT.
Organizational Unit Name (eg, section) []:Moto Inc.
Common Name (eg, your name or your server's hostname) []:*.kanthismiracles.com
Email Address []:kanthi415@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) When you list the directory you now have cert.csr and private.pem.
We can send the CSR to the vendor, i.e. the CA, and they will provide the certificate together with the intermediate and root CA certificates.
We can see the entire request we have made with:
openssl req -noout -text -in cert.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=IN, ST=karnataka, L=CVRaman Nagar, O=Moto IT., OU=Moto Inc., CN=*.kanthismiracles.com/emailAddress=kanthi415@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ac:5e:c3:4d:c7:d3:5f:27:3e:88:fa:9c:4c:d2:
                    25:6d:54:fd:a8:c3:17:80:cd:dd:5d:76:96:45:7d:
                    d1:81:04:78:bd:f0:a5:9b:a9:63:66:08:3f:47:1e:
                    ff:0c:66:a5:63:ac:64:54:a1:0b:59:1e:95:5a:2e:
                    f6:8f:f5:8d:76:70:4e:b8:f1:0d:92:a2:4a:7e:ef:
                    19:71:fc:3a:51:cf:01:82:93:a4:cd:ae:99:94:b3:
                    c3:ff:d8:73:27:5b:0f:f9:3e:ba:a1:0d:a8:e7:33:
                    64:5b:44:55:17:ed:67:c0:07:9e:7c:ce:54:c1:65:
                    99:9d:21:9c:eb:eb:9e:9b:16:6a:71:5a:c2:5c:cf:
                    bf:d7:e5:d4:be:96:3e:ad:0d:96:28:52:b2:78:ef:
                    c2:50:3a:2d:af:1d:37:18:18:51:95:1c:38:be:d9:
                    7d:8b:11:cd:b2:83:c1:bd:28:9d:73:a0:10:da:a6:
                    67:59:ac:8c:b6:57:a5:80:89:a6:29:c4:67:7b:77:
                    ce:74:6f:56:f2:42:7f:02:d2:df:f7:a3:a4:32:d4:
                    8f:8c:c4:b4:ae:d3:fb:1c:f5:b2:f6:aa:65:30:31:
                    2c:b0:9b:dd:b4:61:c7:c0:14:62:62:29:4f:0e:31:
                    fc:90:ce:8c:93:f6:a1:f7:a1:ee:0d:12:5b:4a:3a:
                    bf:47
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        a4:54:d3:60:69:92:ec:17:e5:1b:9f:17:34:de:0f:78:f1:0c:
        ff:ca:91:69:27:43:94:e0:93:3d:a9:f2:34:8e:66:4c:ed:38:
        b8:a6:82:e3:ce:3a:4b:87:ea:b3:73:3d:e7:2d:88:1b:00:6a:
        de:97:2c:e9:69:11:84:e8:5e:c1:95:38:c3:6b:9c:4f:90:d8:
        7a:9c:89:e0:b8:03:51:6e:ef:8b:cc:4c:59:43:43:45:ea:00:
        50:7a:a2:a5:91:d1:c1:b0:77:15:69:5b:c8:46:6c:5b:67:02:
        90:b5:d4:17:f3:86:a9:11:80:8f:f4:83:c8:12:9f:71:89:8d:
        0d:d6:82:96:d4:76:b2:aa:a4:52:53:28:2e:87:b0:31:bb:26:
        9d:17:7f:f9:a5:b5:b7:b8:08:fa:b3:ea:11:7b:f9:9e:1d:50:
        c2:0b:35:23:90:b0:9e:4a:14:57:5e:83:13:db:ca:05:39:62:
        fe:c3:0c:d8:c9:70:16:30:ec:c9:0b:46:d0:51:a4:c1:2f:52:
        32:da:90:9a:b1:52:79:1c:94:4b:1f:f9:3c:cf:d9:e9:ab:db:
        ee:15:95:e0:dc:76:19:cf:ea:70:30:61:5f:22:f6:50:03:e7:
        87:13:06:dd:bb:68:6f:ed:fd:9d:9d:77:3a:52:44:ff:db:2c:
        4b:42:8e:21
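The three steps above, as an added example that is not part of the original post: the same key and CSR generation run non-interactively (the passphrase and the Distinguished Name are passed as options instead of typed at the prompts), followed by the checks worth doing before a CSR goes to a CA. It assumes openssl is on PATH; the passphrase, the subject, the file names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 to 3 above run
# non-interactively, plus the checks a practitioner does before sending
# a CSR to a CA. Assumes `openssl` on PATH; passphrase, subject DN and
# work directory are constructed for this demo.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"   # scratch directory (assumption)
PASS="demo-passphrase"                 # constructed passphrase for the demo only

# Step 1: 2048-bit RSA key encrypted with 3DES, as in `openssl genrsa -des3`.
# -passout replaces the interactive "Enter pass phrase" prompt.
gen_key() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$DEMO_DIR/private.pem" 2048 2>/dev/null
}

# Step 2: CSR signed with that key. -passin supplies the passphrase and
# -subj supplies the Distinguished Name instead of answering the prompts.
gen_csr() {
  openssl req -new -key "$DEMO_DIR/private.pem" -passin "pass:$PASS" \
    -subj "/C=IN/ST=Karnataka/L=CV Raman Nagar/O=Demo Org/CN=www.example.test" \
    -out "$DEMO_DIR/cert.csr" 2>/dev/null
}

# Step 3a: a CSR is self-signed by the key it carries; -verify checks that
# signature (older versions print "verify OK" on stderr, newer on stdout).
verify_csr() {
  openssl req -noout -verify -in "$DEMO_DIR/cert.csr" 2>&1 | grep -q "verify OK"
}

# Step 3b: the modulus of the key and of the CSR must be identical, otherwise
# the CSR was made with a different key than the one that will be deployed.
moduli_match() {
  key_mod=$(openssl rsa -noout -modulus -in "$DEMO_DIR/private.pem" -passin "pass:$PASS")
  csr_mod=$(openssl req -noout -modulus -in "$DEMO_DIR/cert.csr")
  [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Step 3c: the subject line that will go to the CA, without the full dump.
csr_subject() {
  openssl req -noout -subject -in "$DEMO_DIR/cert.csr"
}

# The "bad decrypt" failure quoted above: with a wrong passphrase openssl
# exits non-zero instead of loading the key, so a script can detect it.
wrong_passphrase_fails() {
  if openssl rsa -noout -in "$DEMO_DIR/private.pem" -passin "pass:not-the-passphrase" 2>/dev/null; then
    return 1
  fi
  return 0
}

gen_key
gen_csr
verify_csr && moduli_match && wrong_passphrase_fails && echo "CSR checks passed: $(csr_subject)"
```

The modulus comparison is the check that catches the most common mistake in practice, a CSR generated from one key while a different key ends up on the server; the certificate the CA returns can be compared against the key the same way with `openssl x509 -noout -modulus -in certificate.crt`.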
This is how we can create the CSR and private key using openssl. Let's discuss openssl in more detail.

The digest algorithms used in openssl are DSS1, SHA1, MD5, MD4 and MD2. The ciphers used in openssl are RC2_40, RC2_128, RC2_64, DES and 3DES; the cipher we have used above is 3DES.

To print the private key components to standard output:
openssl rsa -in private.pem -text          (with the encoded version)
openssl rsa -in private.pem -text -noout   (without the encoded version in the output)
-pubin    By default a private key is read in; with this option a public key is read instead.
-pubout   By default a private key is output; with this option the public key is output instead.
Example, to output just the public part of a private key:
openssl rsa -in privatekey.pem -pubout -out publickey.pem

Different formats of certificates:

PEM: The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer and .key. They are Base64 encoded ASCII files. The PEM private key format uses the header and footer lines
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

DER: The DER format is the binary form of the certificate instead of ASCII. It sometimes has the file extension .der, but most of the time it is .cer. The way to tell a DER .cer from a PEM .cer is to open it in a text editor and look for the BEGIN and END lines.

PKCS#7 or P7B format: This format is usually stored in Base64 ASCII form with the file extension .p7c or .p7b, between the lines
-----BEGIN PKCS7-----
-----END PKCS7-----
It contains certificates and chain certificates, not private keys.

PKCS#12 or PFX: This is a binary format for storing a server certificate, intermediate certificates and the private key in one encryptable file. The usual extensions of this format are .p12 and .pfx.
When converting a PFX to PEM, open the resulting PEM file in a text editor and copy each certificate and the private key into a separate file (including the BEGIN and END lines), saving them as certificate.cer, CAcert.cer and privatekey.pem. This format is usually used in Windows to import and export certificates and private keys. We can easily convert from one form of certificate to another.

General OpenSSL Commands

These commands allow you to generate CSRs, certificates, private keys and do other miscellaneous tasks.
  • Generate a private key:
    openssl genrsa -des3 -out privkey.pem 2048
  • Generate a new private key and Certificate Signing Request. Assuming you do not want a passphrase-encrypted key, enter the following command to generate the private key and certificate request:
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key. If you already have a key you wish to use, use the following command instead:
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate:
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key:
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a certificate, CSR or private key, use these commands.
  • Check a Certificate Signing Request (CSR):
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key:
    openssl rsa -in privateKey.key -check
  • Check a certificate:
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12):
    openssl pkcs12 -info -in keyStore.p12

Converting Using OpenSSL

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.
  • Convert a DER file (.crt .cer .der) to PEM:
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER:
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
    You can add -nocerts to only output the private key, or add -nokeys to only output the certificates.
  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12):
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
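The format descriptions and the checking and conversion commands above, as an added example that is not part of the original post: a self-signed certificate is converted PEM to DER and back, then packed into PKCS#12 and unpacked again, with a check after each step that the certificate and key came through unchanged. It also splits the unpacked PEM with openssl rather than a text editor. It assumes openssl is on PATH; the subject, export password, file names and scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the certificate formats and
# conversion commands above as a checked round trip. Assumes `openssl` on
# PATH; subject, export password, file names and work directory are constructed.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"  # scratch directory (assumption)
P12PASS="demo-export-password"        # constructed PKCS#12 password

# Self-signed certificate plus unencrypted key, like the "Generate a
# self-signed certificate" command above (with a 2048-bit key).
make_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=www.example.test" \
    -keyout "$DEMO_DIR/privateKey.key" -out "$DEMO_DIR/certificate.crt" 2>/dev/null
}

# Tell PEM from DER the way the post describes, without a text editor:
# PEM starts with a "-----BEGIN" line, DER starts with an ASN.1 SEQUENCE (0x30).
detect_format() {
  if head -c 11 "$1" | grep -q -- "-----BEGIN"; then
    echo PEM
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# SHA-256 fingerprint of a certificate; the encoding changes, this must not.
fingerprint() {
  openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM -> DER -> PEM: the conversion commands above, then the fingerprint check.
pem_der_roundtrip() {
  openssl x509 -in "$DEMO_DIR/certificate.crt" -outform DER -out "$DEMO_DIR/certificate.der"
  openssl x509 -inform DER -in "$DEMO_DIR/certificate.der" -out "$DEMO_DIR/certificate.pem"
  [ "$(detect_format "$DEMO_DIR/certificate.der")" = DER ] &&
  [ "$(detect_format "$DEMO_DIR/certificate.pem")" = PEM ] &&
  [ "$(fingerprint "$DEMO_DIR/certificate.crt" PEM)" = "$(fingerprint "$DEMO_DIR/certificate.der" DER)" ]
}

# PEM cert + key -> PKCS#12 -> PEM, then split keyStore.pem with openssl:
# x509 picks out the first certificate block, pkey the private key block.
pkcs12_roundtrip() {
  openssl pkcs12 -export -out "$DEMO_DIR/certificate.pfx" -inkey "$DEMO_DIR/privateKey.key" \
    -in "$DEMO_DIR/certificate.crt" -passout "pass:$P12PASS"
  openssl pkcs12 -in "$DEMO_DIR/certificate.pfx" -out "$DEMO_DIR/keyStore.pem" -nodes -passin "pass:$P12PASS"
  openssl x509 -in "$DEMO_DIR/keyStore.pem" -out "$DEMO_DIR/fromp12.crt"
  openssl pkey -in "$DEMO_DIR/keyStore.pem" -out "$DEMO_DIR/fromp12.key"
  orig_mod=$(openssl rsa -noout -modulus -in "$DEMO_DIR/privateKey.key")
  p12_mod=$(openssl rsa -noout -modulus -in "$DEMO_DIR/fromp12.key")
  [ "$(fingerprint "$DEMO_DIR/fromp12.crt" PEM)" = "$(fingerprint "$DEMO_DIR/certificate.crt" PEM)" ] &&
  [ "$orig_mod" = "$p12_mod" ]
}

# The "Check a certificate" and "Check a private key" commands above, scripted:
# the subject must be the one requested and the key must pass -check.
check_cert_and_key() {
  openssl x509 -in "$DEMO_DIR/certificate.crt" -noout -text | grep -q "CN *= *www.example.test" &&
  openssl rsa -in "$DEMO_DIR/privateKey.key" -check -noout 2>&1 | grep -q "RSA key ok"
}

make_cert
pem_der_roundtrip && pkcs12_roundtrip && check_cert_and_key && echo "all conversions verified"
```

Note that a .pfx file is itself DER-encoded ASN.1 (it starts with the same 0x30 SEQUENCE byte), so the header test only distinguishes text PEM from binary; the command that parses the file, `x509`, `pkcs12` or `pkey`, is what identifies the content.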

Options of the openssl rsa command:
-inform DER|PEM
     This specifies the input format. The DER format uses an ASN.1 encoded form compatible with the PKCS#1 format. The PEM format is the default format; it consists of the DER format base64 encoded with header and footer lines.
-outform DER|PEM
     This specifies the output format, with the same values as the input format.
example:
To convert a private key from PEM to DER
openssl rsa -in private.key -outform DER -out privateout.der
-in filename
     This specifies an input filename to read a key from, or standard input if this option is not specified.
-out filename
     This specifies an output filename to write a key to, or standard output if this option is not specified.
example:
To remove a passphrase from an RSA private key
openssl rsa -in in.pem -out out.pem
-passin arg
     The input file password source.
-passout arg
     The output file password source.
-des, -des3
     These encrypt the private key with DES or triple DES respectively before outputting it. A passphrase is prompted for. If none of these options is given, the key is written in plain text: running the rsa utility with no encryption option therefore removes the passphrase from a key, and running it with an encryption option adds one. This applies to the PEM format only.
example:
To encrypt a private key using triple DES
openssl rsa -in private.pem -des3 -out privateout.pem
-text
     Prints the key components, i.e. the private and public key values, in plain text in addition to the encoded version.
-noout
     Prevents output of the encoded version of the key.
examples:
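The options listed above, as an added example that is not part of the original post: one unencrypted key is put through -inform/-outform, -pubout/-pubin, -text/-noout and -des3 with -passin/-passout, and after each step the key's modulus (or the presence of the expected PEM header) is checked so that every option's effect is visible. It assumes openssl is on PATH; the passphrase, file names and scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the `openssl rsa` options
# above applied to one key, with a check after each step. Assumes
# `openssl` on PATH; passphrase, file names and work directory are constructed.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"  # scratch directory (assumption)
PASS="demo-passphrase"                # constructed passphrase for the demo only

# Start from an unencrypted key so each option can be shown in isolation.
make_key() {
  openssl genrsa -out "$DEMO_DIR/private.pem" 2048 2>/dev/null
}

# -outform DER then -inform DER: same key, binary encoding in between.
# The modulus is the invariant to compare, exactly as for certificates.
key_pem_der_roundtrip() {
  openssl rsa -in "$DEMO_DIR/private.pem" -outform DER -out "$DEMO_DIR/private.der" 2>/dev/null
  openssl rsa -inform DER -in "$DEMO_DIR/private.der" -out "$DEMO_DIR/private2.pem" 2>/dev/null
  [ "$(openssl rsa -noout -modulus -in "$DEMO_DIR/private.pem")" = \
    "$(openssl rsa -noout -modulus -in "$DEMO_DIR/private2.pem")" ]
}

# -pubout writes only the public half; -pubin reads it back in. The public
# key's modulus must equal the private key's.
public_key_matches() {
  openssl rsa -in "$DEMO_DIR/private.pem" -pubout -out "$DEMO_DIR/public.pem" 2>/dev/null
  grep -q "BEGIN PUBLIC KEY" "$DEMO_DIR/public.pem" &&
  [ "$(openssl rsa -pubin -in "$DEMO_DIR/public.pem" -noout -modulus)" = \
    "$(openssl rsa -in "$DEMO_DIR/private.pem" -noout -modulus)" ]
}

# -text prints the components; -noout drops the encoded key, so the output
# has a publicExponent line but no BEGIN/END block.
text_has_components_only() {
  out=$(openssl rsa -in "$DEMO_DIR/private.pem" -text -noout)
  echo "$out" | grep -q "publicExponent" && ! echo "$out" | grep -q "BEGIN"
}

# -des3 adds a passphrase (PEM only); running rsa again with -passin and no
# cipher option removes it. The key material is unchanged throughout.
passphrase_roundtrip() {
  openssl rsa -in "$DEMO_DIR/private.pem" -des3 -passout "pass:$PASS" \
    -out "$DEMO_DIR/encrypted.pem" 2>/dev/null
  openssl rsa -in "$DEMO_DIR/encrypted.pem" -passin "pass:$PASS" \
    -out "$DEMO_DIR/plain.pem" 2>/dev/null
  grep -q "ENCRYPTED" "$DEMO_DIR/encrypted.pem" &&
  ! grep -q "ENCRYPTED" "$DEMO_DIR/plain.pem" &&
  [ "$(openssl rsa -noout -modulus -in "$DEMO_DIR/plain.pem")" = \
    "$(openssl rsa -noout -modulus -in "$DEMO_DIR/private.pem")" ]
}

make_key
key_pem_der_roundtrip && public_key_matches && text_has_components_only &&
  passphrase_roundtrip && echo "all rsa option checks passed"
```

The "ENCRYPTED" check works across versions because older releases mark an encrypted PEM key with a `Proc-Type: 4,ENCRYPTED` header line while newer ones write a `-----BEGIN ENCRYPTED PRIVATE KEY-----` block; an unencrypted key has neither.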
