Monday, November 2, 2015

Certificates Manipulation with Open SSL

Download OpenSSL binaries for Windows here: Windows OpenSSL.

Before getting to certificates, a few points of background:

To generate a certificate we need a private key; this key will be generated with the RSA algorithm.
RSA is a public-key cryptosystem and is widely used for securing sensitive data over the internet.
RSA stands for Rivest-Shamir-Adleman, the last names of the three people who described the RSA algorithm.

.PEM Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and the CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR, as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email whose container format lives on; it is a base64 translation of the X.509 ASN.1 (DER) bytes.
Normally it contains the chain of certificates.
.key This is a PEM formatted file containing just the private key of a specific certificate.
.csr A Certificate Signing Request; this is the input file from which a certificate (.crt) is generated.
.crt A certificate; .crt, .cert and .cer are the same content under different file extensions.
.pkcs12 .pfx .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted.

Steps to Generate Certificate
  1. Generate a private key using RSA
    >openssl genrsa -out root_ca.key 4096

    Loading 'screen' into random state - done
    Generating RSA private key, 4096 bit long modulus
    ....................................................
    ...................++
    e is 65537 (0x10001)

    If you want to password-protect this key, add the option -des3 (or the stronger -aes256).
  2. Generate the root CA certificate in either of the following ways:
    1.  Generate new root CA Certificate(.crt) directly by above private key
      The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.
      >openssl req -new -x509 -days 1826 -key root_ca.key -out root_ca.crt -sha256
      Loading 'screen' into random state - done
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:IN
      State or Province Name (full name) [Some-State]:TAMILNADU
      Locality Name (eg, city) []:MADRAS
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:HCL
      Organizational Unit Name (eg, section) []:BROSS
      Common Name (e.g. server FQDN or YOUR name) []:RAJA
      Email Address []:RAJA@ERICSSON.COM
    2. Generate new root CA Certificate(.crt) using a CSR(.csr)
      1. Generate the CSR (without -x509: that option would write a self-signed certificate instead of a request, and -days has no meaning for a request)
        >openssl req -new -key root_ca.key -out root_ca.csr -sha256
        Loading 'screen' into random state - done
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:IN
        State or Province Name (full name) [Some-State]:TAMILNADU
        Locality Name (eg, city) []:MADRAS
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:ERICSSON
        Organizational Unit Name (eg, section) []:CSI
        Common Name (e.g. server FQDN or YOUR name) []:SAISUDHAKAR
        Email Address []:ABC@DEF.COM

      2. Generate the CRT from the CSR (-req tells x509 that the input is a request; -signkey self-signs it with the root key)
        >openssl x509 -req -days 3600 -in root_ca.csr -signkey root_ca.key -out root_csr_ca.crt -sha256
        Loading 'screen' into random state - done
        Getting Private key

  3. Create a subordinate CA under the above root CA
    1. First Generate Key:
      >openssl genrsa -out sub_ca.key 4096

      ..................................++
      ..............................++
      e is 65537 (0x10001)
    2. Request a certificate for this subordinate CA:
      >openssl req -new -key sub_ca.key -out sub_ca.csr

      Loading 'screen' into random state - done
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:IN
      State or Province Name (full name) [Some-State]:TAMILNADU
      Locality Name (eg, city) []:MADRAS
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:HCL
      Organizational Unit Name (eg, section) []:BROSS
      Common Name (e.g. server FQDN or YOUR name) []:JEAN
      Email Address []:JEAN@HCL.COM

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:password
      An optional company name []:IBM
    3. Process the request for the subordinate CA certificate and get it signed by the root CA:
      >openssl x509 -req -days 730 -in sub_ca.csr -CA root_ca.crt -CAkey root_ca.key -set_serial 01 -out sub_ca.crt
      Loading 'screen' into random state - done
      Signature ok
      subject=/C=IN/ST=TAMILNADU/L=MADRAS/O=HCL/OU=BROSS/CN=JEAN/emailAddress=JEAN@HCL.COM
      Getting CA Private Key
      The cert will be valid for 2 years (730 days) and I decided to choose my own serial number, 01, for this cert (-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.
      In the same way we can create multiple subordinate CAs under the root CA.
  4. To package the subordinate CA key and certificate, together with the root CA certificate that completes its chain, in a PKCS12 file
    >openssl pkcs12 -export -out sub_ca.p12 -inkey sub_ca.key -in sub_ca.crt -chain -CAfile root_ca.crt
    Loading 'screen' into random state - done
    Enter Export Password:
    Verifying - Enter Export Password:


  5. To view the contents of a CSR
    >openssl req -text -noout -in sub_ca.csr
    (openssl req reads signing requests. A file written with the -x509 option is a self-signed certificate, not a request, and is read with openssl x509 as in step 6.)
  6. To view the contents of a certificate
    >openssl x509 -text -noout -in root_ca.crt
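The steps above never check the result, and the sub CA signed with plain openssl x509 -req carries no CA extensions, so it cannot sign further certificates that verify. The script below is an added example (not from the original post) that builds the same root -> subordinate chain with basicConstraints CA:TRUE, verifies it with openssl verify, confirms the PEM body is exactly the base64 of the DER bytes (the point made in the format section above), and packages the sub CA into a password-protected PKCS12 file. The directory layout, the config file ca.cnf, the subject names and the export password "changeit" are all constructed for the example; 2048-bit keys are used only to keep it fast.

```shell
#!/bin/sh
# Added example: root CA -> subordinate CA chain with CA extensions, plus checks.
# Assumes only that the openssl binary is on PATH. All file names are constructed.
set -e

build_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal config (constructed) so nothing depends on the system openssl.cnf.
  # prompt=no lets -subj supply the Distinguished Name on the command line.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Step 1 of the post: root private key (4096 in the post; 2048 here for speed).
  openssl genrsa -out "$dir/root_ca.key" 2048 2>/dev/null
  # Step 2: self-signed root, explicitly marked as a CA via the v3_ca section.
  openssl req -new -x509 -days 1826 -sha256 -key "$dir/root_ca.key" \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -subj "/C=IN/O=Example/CN=Example Root CA" -out "$dir/root_ca.crt"
  # Step 3: subordinate key and CSR (no -x509, so this really is a request).
  openssl genrsa -out "$dir/sub_ca.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/sub_ca.key" -config "$dir/ca.cnf" \
    -subj "/C=IN/O=Example/CN=Example Sub CA" -out "$dir/sub_ca.csr"
  # Root signs the sub CA. -extfile/-extensions add CA:TRUE, which the post's
  # command omits; -CAcreateserial keeps serials unique instead of -set_serial 01.
  openssl x509 -req -days 730 -sha256 -in "$dir/sub_ca.csr" \
    -CA "$dir/root_ca.crt" -CAkey "$dir/root_ca.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_ca -out "$dir/sub_ca.crt" 2>/dev/null
}

# Chain check the post never performs: does the root actually vouch for the sub CA?
verify_chain() {
  openssl verify -CAfile "$1/root_ca.crt" "$1/sub_ca.crt" >/dev/null 2>&1
}

# Is the certificate allowed to sign other certificates?
is_ca() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# PEM body (between the BEGIN/END lines) must equal base64 of the DER encoding.
pem_matches_der() {
  body=$(grep -v '^-----' "$1" | tr -d '\n')
  der=$(openssl x509 -in "$1" -outform DER | openssl base64 -A)
  [ "$body" = "$der" ]
}

# Step 4 of the post: sub CA key + cert + root cert in one encrypted container.
pack_p12() {
  openssl pkcs12 -export -out "$1/sub_ca.p12" -inkey "$1/sub_ca.key" \
    -in "$1/sub_ca.crt" -certfile "$1/root_ca.crt" -passout pass:changeit
}

# Unlike PEM, the PKCS12 file cannot even be parsed without the right password.
p12_needs_password() {
  openssl pkcs12 -in "$1" -passin pass:changeit -noout 2>/dev/null &&
  ! openssl pkcs12 -in "$1" -passin pass:wrong -noout 2>/dev/null
}

# Usage (from a shell that has sourced this file):
#   build_pki ./demo-pki && verify_chain ./demo-pki && echo "chain OK"
```

The functions are deliberately separate so each check can be reused on an existing PKI: run is_ca against a sub CA certificate produced by the post's own step 3 command and it will fail, which is exactly the gap the -extfile/-extensions flags close.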
