Sunday, November 9, 2008

Understanding SSL certificates

  • The openssl genrsa command actually generates a private/public key pair, not only a private key.
  • How to verify an SSL certificate. Nowadays, CAs use SHA1withRSAencryption to sign the public key; the signed result is the certificate.
To validate the certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate. First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. This is done by inspecting a value of the CA attribute in the X509v3 extension section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain an MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.
  • How to verify the CA root certificate itself
This is an example of a self-signed certificate, as the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. This certificate comes with the web browser and is trusted by default. As a long-lived, globally trusted certificate that can sign anything (as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.

  • How to show SSL connection information in the browser
  1. Internet Explorer
Version 6.0 - from the File menu, choose Properties. You will see something like this:
SSL 3.0, RC4 with 128 bit encryption (High); RSA with 1024 bit exchange
Alternatively, right-click on a blank area of the page and choose Properties.

Version 7.0 - first show the File menu by choosing Tools / Menu Bar, then use the same method as above.

  2. Firefox
Right-click on a blank area of the SSL website's home page and choose 'View Page Info'. You will see something like this:
Connection encrypted: high-grade encryption, AES-256 256bit

  • Useful OpenSSL commands
1. Generate an RSA private/public key pair (the first form writes a triple-DES encrypted key, the second an unencrypted one; both are in PEM format, with BEGIN and END header and footer lines)
$ openssl genrsa -des3 -out server.key 1024
or
$ openssl genrsa -out server.key 1024

Note: most browsers only support 1024-bit RSA keys, not DSA or 2048-bit keys.

2. View RSA private key details
$ openssl rsa -noout -text -in server.key

3. Change the passphrase on the RSA private/public key pair (first form), or create a decrypted PEM version of it (second form)
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
or
$ openssl rsa -in server.key -out server.key.unsecure

4. Create a CSR file from the private/public key pair file; the CSR will be in PEM format
$ openssl req -new -key server.key -out server.csr

5. View CSR file details
$ openssl req -noout -text -in server.csr

6. View CRT file details
$ openssl x509 -noout -text -in server.crt


Use /usr/local/openssl/misc/ca or /usr/share/openssl/misc/ca, or the following manual process:

Create an RSA private key for your CA (the same process as generating an RSA private/public key pair)
$ openssl genrsa -des3 -out ca.key 1024

Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Now you can use this CA to sign server CSRs in order to create real SSL certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

$ ./sign.sh server.csr

This signs the server CSR and results in a server.crt file.

  • Finally, the private key and certificate must match. Use the following commands to check; the hashes they print must be identical:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

$ openssl req -noout -modulus -in server.csr | openssl md5
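
The CA creation, signing and key-matching steps above, combined into one self-checking script. This is an added example, not part of the original post: the function names, subjects, temporary files and 2048-bit keys are constructed, `openssl x509 -req` stands in for sign.sh (which the post does not show), and SHA-256 replaces md5 for the modulus comparison.

```shell
# Added example, not from the original post; names and subjects are constructed.
# Print a SHA-256 hash of the RSA modulus in a key, CSR or certificate.
# $1 = openssl subcommand (rsa | req | x509), $2 = PEM file
modhash() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m" ] || return 1   # an unreadable file must never hash "equal"
    printf '%s\n' "$m" | openssl dgst -sha256
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one modulus.
same_keypair() {
    k=$(modhash rsa "$1") || return 2
    r=$(modhash req "$2") || return 2
    c=$(modhash x509 "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Succeed only if $1 is marked as a CA certificate and its key signed $2.
signed_by_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build a throwaway CA, a server key/CSR/certificate and an unrelated key in $1.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -config "$d/demo.cnf" -key "$d/ca.key" -out "$d/ca.crt" &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -subj "/CN=www.example.test" -key "$d/server.key" -out "$d/server.csr" &&
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Demo run in a temporary directory.
t=$(mktemp -d) && make_demo_pki "$t" &&
same_keypair "$t/server.key" "$t/server.csr" "$t/server.crt" &&
signed_by_ca "$t/ca.crt" "$t/server.crt" && echo "key, CSR and certificate match; CA signature verifies"
rm -rf "$t"
```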

  • Convert PEM to DER format

The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file cert.pem into the corresponding DER file cert.der with the following command:
$ openssl x509 -in cert.pem -out cert.der -outform DER

  • How to generate .pem/.csr/.crt etc. certificate files

cd /usr/share/ssl/certs

make server.pem

make server.crt

etc

  • Useful URLs
  1. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC27
  2. http://www.herongyang.com/crypto/openssl_rsa.html
