Wednesday, April 2, 2008

How to generate OpenSSL RSA/DSA private and public keys and certificates

1. Generating a RSA key
# openssl genrsa -out roger_rsa.key
# cat roger_rsa.key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBALQzLRNx0hTPufHzeDigNDvmd92uQlgHfQ3qSrbrpy+RZB4LpmLE
xEMsQ9CoaDgixjrHQVdUX+tCeVuybp0NWK0CAwEAAQJAPQ1JrFjX0G1AlpTimmzM
xa6j1duAZsrCt8A1aBwXHKoXXUbWELE7r7JfCVDl+dP5tWtenwZDNsVQwM/C8ox/
EQIhAO8WuYOofg3YXZO0CxjLKQQV6z4/VtNMT0LnjD8b2c2nAiEAwPIgnNph3yDn
JR3EqCvJ5LddAM5sHTA3DrjEO+4LuYsCIBPU0rZ091+2nqxttq3rzA8mskiLgGwu
XDS0eBGUAdDpAiApKT412Ay7CgzliSUz7yuB5HAtxNuhmnCUbmxGkLDlowIhAI4n
MFX/zrbhaJY4SW5WHn+jiR0GZUM75yK5doKk8yCL
-----END RSA PRIVATE KEY-----
Note:RSA key contains both private and public keys.
2. Viewing the components of RSA key
Private-Key: (512 bit)
modulus:
00:b4:33:2d:13:71:d2:14:cf:b9:f1:f3:78:38:a0:
34:3b:e6:77:dd:ae:42:58:07:7d:0d:ea:4a:b6:eb:
a7:2f:91:64:1e:0b:a6:62:c4:c4:43:2c:43:d0:a8:
68:38:22:c6:3a:c7:41:57:54:5f:eb:42:79:5b:b2:
6e:9d:0d:58:ad
publicExponent: 65537 (0x10001)
privateExponent:
3d:0d:49:ac:58:d7:d0:6d:40:96:94:e2:9a:6c:cc:
c5:ae:a3:d5:db:80:66:ca:c2:b7:c0:35:68:1c:17:
1c:aa:17:5d:46:d6:10:b1:3b:af:b2:5f:09:50:e5:
f9:d3:f9:b5:6b:5e:9f:06:43:36:c5:50:c0:cf:c2:
f2:8c:7f:11
prime1:
00:ef:16:b9:83:a8:7e:0d:d8:5d:93:b4:0b:18:cb:
29:04:15:eb:3e:3f:56:d3:4c:4f:42:e7:8c:3f:1b:
d9:cd:a7
prime2:
00:c0:f2:20:9c:da:61:df:20:e7:25:1d:c4:a8:2b:
c9:e4:b7:5d:00:ce:6c:1d:30:37:0e:b8:c4:3b:ee:
0b:b9:8b
exponent1:
13:d4:d2:b6:74:f7:5f:b6:9e:ac:6d:b6:ad:eb:cc:
0f:26:b2:48:8b:80:6c:2e:5c:34:b4:78:11:94:01:
d0:e9
exponent2:
29:29:3e:35:d8:0c:bb:0a:0c:e5:89:25:33:ef:2b:
81:e4:70:2d:c4:db:a1:9a:70:94:6e:6c:46:90:b0:
e5:a3
coefficient:
00:8e:27:30:55:ff:ce:b6:e1:68:96:38:49:6e:56:
1e:7f:a3:89:1d:06:65:43:3b:e7:22:b9:76:82:a4:
f3:20:8b
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBALQzLRNx0hTPufHzeDigNDvmd92uQlgHfQ3qSrbrpy+RZB4LpmLE
xEMsQ9CoaDgixjrHQVdUX+tCeVuybp0NWK0CAwEAAQJAPQ1JrFjX0G1AlpTimmzM
xa6j1duAZsrCt8A1aBwXHKoXXUbWELE7r7JfCVDl+dP5tWtenwZDNsVQwM/C8ox/
EQIhAO8WuYOofg3YXZO0CxjLKQQV6z4/VtNMT0LnjD8b2c2nAiEAwPIgnNph3yDn
JR3EqCvJ5LddAM5sHTA3DrjEO+4LuYsCIBPU0rZ091+2nqxttq3rzA8mskiLgGwu
XDS0eBGUAdDpAiApKT412Ay7CgzliSUz7yuB5HAtxNuhmnCUbmxGkLDlowIhAI4n
MFX/zrbhaJY4SW5WHn+jiR0GZUM75yK5doKk8yCL
-----END RSA PRIVATE KEY-----

3. Encrypting the RSA key with DES.
# openssl rsa -in roger_rsa.key -des -out roger_rsa_des.key
This will read in a RSA key and encrypt it with DES-EDE3-CBC algorithm
#openssl genrsa -des3 -out roger_rsa_des.key
This will generate a RSA key with des encryption.
4. Generating self-signed Certificates

Certificate: A digitally signed statement from the issuer saying that the public key of the subject has some specific value.

The above definition is copied from the JDK 1.3.1 documentation. It has a couple of important terms:

  • "signed statement" - The certificate must be signed by the issuer with a digital signature.
  • "issuer" - The person or organization who is issuing this certificate.
  • "public key" - The public key of a key pair selected by the subject.
  • "subject" - The person or organization who owns the public key.

X.509 Certificate - A certificate written in X.509 standard format. X.509 standard was introduction in 1988. It requires a certificate to have the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm used to sign this certificate by the issuer
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information

Generating Self-Signed Certificates

A self-signed certificate is a certificate that the "issuer" is the "subject" himself. In other words, a seft-signed certificate is a certificate where the "issuer" signs his own public key with his private key.

If you want to generate a self-signed certificate for yourself, here what you to need to do:

  • Enter your own name as the "subject".
  • Provide your public key.
  • Sign it with your private key.
  • Put everything in the X.509 format.
Here's the command to generate a self-signed certificates based on a RSA key pair file, roger_rsades.key
#openssl req -new -key roger_rsa_des.key -x509 -out roger.crt
 -config openssl.cnf

$ cat roger.crt
-----BEGIN CERTIFICATE-----
MIIC3TCCAoegAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxETAPBgNVBAoTCEZvcnRp
bmV0MQwwCgYDVQQLEwNFbmcxETAPBgNVBAMTCFdlbmRlIExpMR8wHQYJKoZIhvcN
AQkBFhB3bGlAZm9ydGluZXQuY29tMB4XDTA4MDQwMzAwMTYwMloXDTA4MDUwMzAw
MTYwMlowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vu
bnl2YWxlMREwDwYDVQQKEwhGb3J0aW5ldDEMMAoGA1UECxMDRW5nMREwDwYDVQQD
EwhXZW5kZSBMaTEfMB0GCSqGSIb3DQEJARYQd2xpQGZvcnRpbmV0LmNvbTBcMA0G
CSqGSIb3DQEBAQUAA0sAMEgCQQC0My0TcdIUz7nx83g4oDQ75nfdrkJYB30N6kq2
66cvkWQeC6ZixMRDLEPQqGg4IsY6x0FXVF/rQnlbsm6dDVitAgMBAAGjgeMwgeAw
HQYDVR0OBBYEFAC/Mk5gQKdJ3I4FQgn7bm/FHN9xMIGwBgNVHSMEgagwgaWAFAC/
Mk5gQKdJ3I4FQgn7bm/FHN9xoYGJpIGGMIGDMQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTERMA8GA1UEChMIRm9ydGluZXQxDDAK
BgNVBAsTA0VuZzERMA8GA1UEAxMIV2VuZGUgTGkxHzAdBgkqhkiG9w0BCQEWEHds
aUBmb3J0aW5ldC5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAANB
ABn3An7PFvP1IF879EnPRApzfN4LOC7yUi40DkYLCpy3Hqguhp/dQdc3zxldXMfj
cR81u2HXp6nrt/W8/d58TFk=
-----END CERTIFICATE-----
6. Viewing the certificate
$ openssl x509 -in roger.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=CA, L=Sunnyvale, O=Fortinet, OU=Eng, CN=Wende Li/emailAddress=wli@fortinet.com
Validity
Not Before: Apr 3 00:16:02 2008 GMT
Not After : May 3 00:16:02 2008 GMT
Subject: C=US, ST=CA, L=Sunnyvale, O=Fortinet, OU=Eng, CN=Wende Li/emailAddress=wli@fortinet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:b4:33:2d:13:71:d2:14:cf:b9:f1:f3:78:38:a0:
34:3b:e6:77:dd:ae:42:58:07:7d:0d:ea:4a:b6:eb:
a7:2f:91:64:1e:0b:a6:62:c4:c4:43:2c:43:d0:a8:
68:38:22:c6:3a:c7:41:57:54:5f:eb:42:79:5b:b2:
6e:9d:0d:58:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
00:BF:32:4E:60:40:A7:49:DC:8E:05:42:09:FB:6E:6F:C5:1C:DF:71
X509v3 Authority Key Identifier:
keyid:00:BF:32:4E:60:40:A7:49:DC:8E:05:42:09:FB:6E:6F:C5:1C:DF:71
DirName:/C=US/ST=CA/L=Sunnyvale/O=Fortinet/OU=Eng/CN=Wende Li/emailAddress=wli@fortinet.com
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
19:f7:02:7e:cf:16:f3:f5:20:5f:3b:f4:49:cf:44:0a:73:7c:
de:0b:38:2e:f2:52:2e:34:0e:46:0b:0a:9c:b7:1e:a8:2e:86:
9f:dd:41:d7:37:cf:19:5d:5c:c7:e3:71:1f:35:bb:61:d7:a7:
a9:eb:b7:f5:bc:fd:de:7c:4c:59
Note: the issuer and subject are identical as it is self-signed certificate.
  • The subject's public key is included in it
  • The certificate is valid for one month(April 3 to May 3)
  • The certicate is signed by the issuer with signature at the end
8.Certification path testing with OpenSSL
1. Generate a self-signed certificate for roger
* Generating keys for roger
openssl genrsa -des3 -out roger_rsa.key
* Generating a self-signed cerfiticate for roger
openssl req -new key roger_rsa.key -x509 -out roger.crt -config openssl.cnf

2. Generating keys for john
openssl genrsa -des3 -out john_rsa.key
3. Generating a certificate signing request for john
openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf
4. Signing a john 's request by roger's key
openssl x509 -req -in john.csr -CA roger.crt -CAkey roger_rsa.key -out john.crt -set_serial 3
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)