Tuesday, June 18, 2013

Using OpenSSL for Basic Certificate Management

A few years ago, I collected quite a bit of OpenSSL info into a series of notes. Here it is, finally, for all to see. I wrote most of this in 2006, so it may need a slight refreshing. YMMV.

The problem is, nobody out there is consistently doing things the exact same way. I had to google for quite a while to collect all this information, all of which I regard as pretty damn basic stuff that really SHOULD be collected in one place.

A note on all the file formats:
  • PEM is the default style on openssl for *NIX.
  • DER is the default style on older Macs and Java.
  • NET is an outdated style on Netscape and IIS <= 4.0.
  • PKCS#12 is a Microsoft-Specific style.
If you google around, you will find lots of people using instructions that name the file extension on all of their certs *.PEM. This is perfectly fine, but I find it confusing. Personally I only apply the PEM extension to concatenated certs. The cert should have CRT, Key should have KEY, signing request should have CSR, and revocation should have CRL.

PRIVATE KEY MANAGEMENT

openssl genrsa -out server.key 1024
This will create a key that is not password-encrypted, which you can use for whatever you want. Yes, having a password-encrypted key is important, blah blah blah, but it's annoying as hell and lots of stuff flat out doesn't support it.

Do it with a password:

openssl genrsa -des3 -out server.key 1024

Change the password:

openssl rsa -des3 -in server.key -out server.key.new
mv server.key.new server.key

You were a gump and put a password on it and want to take it off:

openssl rsa -in server.key -out server.key.unsecure
rm server.key

TO SEE THE KEY INFORMATION

openssl rsa -noout -text -in server.key

CERTIFICATE REQUEST MANAGEMENT

openssl req -new -key server.key -out server.csr
Now submit that csr to whatever authority you want, including your own.

TO SEE THE CSR INFORMATION

openssl req -noout -text -in server.csr

GENERATING A PRIVATE KEY AND CERTIFICATE REQUEST IN ONE COMMAND

openssl req -new -nodes -out req.csr -keyout server.key

TO SEE THE CERTIFICATE RESPONSE INFORMATION

openssl x509 -noout -text -in server.crt

COMBINING THE KEY AND CRT FILES INTO ONE PEM FILE

First, ensure the KEY and CRT files have no extraneous crap in them above the -----BEGIN ...----- lines or below the -----END ...----- lines.
cat server.crt >> server.pem
cat server.key >> server.pem
server.pem should look like this:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----

CERT FILE FORMAT MANAGEMENT

To convert a certificate from DER to PEM:

openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

To convert a key from DER to PEM:

openssl rsa -in input.key -inform DER -out output.key -outform PEM

To convert a key from NET to PEM:

openssl rsa -in input.key -inform NET -out output.key -outform PEM

CREATING YOUR OWN CA

Create the CA private key.

openssl genrsa -des3 -out ca.key 1024
Don't be a dumbass and decrypt this one. Have a password on it and like it.

TO SEE THE INFO ON THIS

openssl rsa -noout -text -in ca.key

IF YOU FANCY YOURSELF A DUMBASS, DECRYPT THE KEY WITH THIS

openssl rsa -in ca.key -out ca.key.unsecure

Create the CA certificate (self-signed).

openssl req -new -x509 -days 365 -key ca.key -out ca.crt
This is the cert that you will need to install into browsers/keystores/whatever that will be using certs signed by this CA.


SIGNING CERTIFICATES WITH YOUR OWN CA

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

If you get a grumbling about the ca.srl file (the serial-number file, named after ca.crt), do this instead:

echo "01" >ca.srl
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
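The key, CSR, combined-PEM and CA sections above, run end to end as one non-interactive script. This is an added example, not from the original post: the names demo-ca.example and www.example.test and the passphrases are made-up sample values, and the minimal config file exists only so openssl req works even on a box with no system openssl.cnf. It goes a little beyond the page: keys are 2048-bit (1024 dates from 2006 and is below current minimums), -CAcreateserial replaces the hand-made serial file and keeps serials unique (reusing -set_serial 01 for every cert does not), the CA cert carries basicConstraints=CA:TRUE (which openssl verify insists on), the leaf gets a subjectAltName (modern browsers ignore the CN), and at the end it checks that server.key really belongs to server.crt and that server.crt verifies against ca.crt. Depending on your OpenSSL version the key block in the combined PEM may read BEGIN PRIVATE KEY rather than BEGIN RSA PRIVATE KEY; openssl rsa and openssl pkey read both.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA workflow as a script.
# Hypothetical names: demo-ca.example, www.example.test. Passphrases go through
# -passout/-passin so nothing prompts; in real use feed them from a secrets store.

# Build a CA and sign one server cert inside $1 (a scratch directory).
# Returns 0 on success, 2 if openssl is not installed, 1 on any failure.
# OpenSSL's own chatter is appended to $1/openssl.log for debugging.
build_demo_pki() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 2
    ca_pass="pass:ca-passphrase-CONSTRUCTED"   # constructed sample value
    log="$dir/openssl.log"

    # Minimal config so 'openssl req' runs without a system openssl.cnf;
    # ca_ext marks the CA cert as a CA, which 'openssl verify' requires.
    cat >"$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions: explicitly not a CA, plus a SAN for the hostname.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >"$dir/leaf.ext"

    # 1. CA private key, passphrase-protected (the page: "have a password on it").
    openssl genrsa -des3 -passout "$ca_pass" -out "$dir/ca.key" 2048 2>>"$log" || return 1
    # 2. Self-signed CA certificate: the one you install into trust stores.
    openssl req -new -x509 -days 365 -config "$dir/req.cnf" \
        -key "$dir/ca.key" -passin "$ca_pass" \
        -subj "/CN=demo-ca.example" -out "$dir/ca.crt" 2>>"$log" || return 1
    # 3. Unencrypted server key and CSR in one command (-nodes), as on the page.
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/req.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>>"$log" || return 1
    # 4. Sign the CSR. -CAcreateserial creates ca.srl on first use and
    #    increments it afterwards, so no 'echo 01 > ca.srl' is needed.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "$ca_pass" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>>"$log" || return 1
    # 5. Combined PEM: keep only the BEGIN..END blocks, dropping any header text.
    sed -n '/^-----BEGIN/,/^-----END/p' "$dir/server.crt" "$dir/server.key" >"$dir/server.pem"
    return 0
}

# Does this private key belong to this certificate? Compare the public keys;
# unlike the RSA -modulus trick this also works for EC keys.
key_matches_cert() {  # key.pem cert.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Does the server cert chain to the CA cert?
chain_is_valid() {  # ca.crt server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: build everything in a scratch dir and run the two checks.
demo_dir=$(mktemp -d)
if build_demo_pki "$demo_dir"; then
    key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" && echo "server.key matches server.crt"
    chain_is_valid "$demo_dir/ca.crt" "$demo_dir/server.crt" && echo "server.crt chains to ca.crt"
    openssl x509 -noout -subject -issuer -dates -in "$demo_dir/server.crt"
fi
```

The two checks at the end are the ones worth keeping around: a key that does not match its cert is the most common cause of a web server refusing to start after a certificate renewal, and openssl verify against the CA file tells you whether the cert you are about to deploy was actually signed by the CA you think it was.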

MAKING PEACE WITH MICROSOFT

Converting PEM (OpenSSL Default) to PKCS#12 (Microsoft Default):

openssl pkcs12 -export -in server.crt -inkey server.key -out bundle.p12
This will assign a passphrase to the file. Do it. This is one of the few times MS supports it.

You may need to assign a friendly name to the cert. If you have to, do it like this:

openssl pkcs12 -export -in server.crt -inkey server.key -name "Friendly Name" -out bundle.p12

If you need to include the chain, or the CA cert itself when it is self-signed:

openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt -out bundle.p12

Converting from Microsoft PKCS#12 to PEM

openssl pkcs12 -in appserver.pfx -out appserver.pem -nodes
This will convert a Microsoft-exported certificate to a concatenated PEM file.
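The conversions from the CERT FILE FORMAT MANAGEMENT section and the PKCS#12 section above, done non-interactively with a check that each round trip hands back the same certificate. This is an added example, not from the original post: www.example.test and the passphrase are made-up sample values, the throwaway self-signed cert exists only so the script is self-contained, and cert_to_pem is a small helper of my own that sniffs for a PEM header before deciding whether to pass -inform DER. It also shows two things the page does not: a fingerprint comparison is the quick way to prove that a converted file still holds the same certificate, and an import with the wrong passphrase must fail outright rather than hand back a key.

```shell
#!/bin/sh
# Added example (not from the original post): the page's format conversions
# run non-interactively. Hypothetical host www.example.test; constructed passphrase.

# Throwaway self-signed cert + unencrypted key in $1, so the example stands alone.
# The tiny config lets 'openssl req' run without a system openssl.cnf.
make_selfsigned() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' >"$1/req.cnf"
    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 -config "$1/req.cnf" \
        -subj "/CN=www.example.test" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# SHA-256 fingerprint of a PEM cert: proves two files hold the same certificate
# regardless of encoding or any header text in front of the PEM block.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Convert a certificate of unknown encoding to PEM; prints which encoding it was.
# Newer OpenSSL auto-detects DER, so the header sniff is what makes this reliable.
cert_to_pem() {  # in out.pem
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null && echo "PEM"
    else
        openssl x509 -in "$1" -inform DER -outform PEM -out "$2" 2>/dev/null && echo "DER"
    fi
}

# PEM cert + key -> PKCS#12 bundle. Add -certfile ca.crt to carry the chain too.
pem_to_p12() {  # cert key friendly-name passphrase out.p12
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" \
        -passout "pass:$4" -out "$5" 2>/dev/null
}

# PKCS#12 -> concatenated PEM. -nodes writes the key unencrypted, so the output
# deserves the same file permissions as server.key.
p12_to_pem() {  # in.p12 passphrase out.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# Run both round trips in $1. Returns 0 if every fingerprint matches the
# original, 2 if openssl is not installed, 1 on any failure.
roundtrip_formats() {
    d=$1
    command -v openssl >/dev/null 2>&1 || return 2
    make_selfsigned "$d" || return 1
    want=$(cert_fingerprint "$d/server.crt") || return 1

    # PEM -> DER -> PEM (the DER step is the page's conversion in reverse)
    openssl x509 -in "$d/server.crt" -outform DER -out "$d/server.der" 2>/dev/null || return 1
    [ "$(cert_to_pem "$d/server.der" "$d/from_der.crt")" = "DER" ] || return 1
    [ "$(cert_fingerprint "$d/from_der.crt")" = "$want" ] || return 1

    # PEM -> PKCS#12 -> PEM. openssl x509 skips the "Bag Attributes" lines that
    # pkcs12 writes in front of each PEM block, so the fingerprint still works.
    pem_to_p12 "$d/server.crt" "$d/server.key" "Friendly Name" "p12-pass-CONSTRUCTED" "$d/bundle.p12" || return 1
    p12_to_pem "$d/bundle.p12" "p12-pass-CONSTRUCTED" "$d/bundle.pem" || return 1
    [ "$(cert_fingerprint "$d/bundle.pem")" = "$want" ] || return 1
}

# Importing with the wrong passphrase must fail (non-zero), never yield a key.
p12_rejects_wrong_pass() {  # in.p12 out.pem
    ! p12_to_pem "$1" "not-the-passphrase" "$2"
}

# Usage:
scratch=$(mktemp -d)
roundtrip_formats "$scratch" && echo "all round trips preserved the certificate"
```

Note that the PEM that comes back out of a PKCS#12 file is not byte-identical to what went in: openssl pkcs12 prefixes each block with Bag Attributes (the friendlyName and localKeyID), which is why the comparison is done on the fingerprint rather than on the file.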