Difference between revisions of "OpenSSL"
Previous revision edit summary: (Adding creating S/MIMEs)
This revision edit summary: (Added details for work in progress.)
Revision as of 20:52, 14 September 2022
OpenSSL is the widely used encryption layer in UNIX operating systems. The most common day-to-day use is providing transport layer security to websites, such as this one, indicated by the https in the URL.
Points to be covered in this document
- Generating a private key
- Generating a Certificate Signing Request
- Fitting an SSL key
- Verification
- Starting a Certificate Authority.
Will be fleshed out as time allows.
Creating and using S/MIME
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client.
First, generate your new key for the sender:
<pre>$ openssl genrsa -out smime.key 2048</pre>
Then create a Certificate Signing Request:
<pre>$ openssl req -new -key smime.key -out smime.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Leeds
Locality Name (eg, city) []:Leeds
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Palfreman Trading Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman
Email Address []:william@palfreman.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:</pre>
Then sign the CSR using your own Certificate Authority.
<pre>$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt</pre>
Then the receiver needs to create a key and a certificate signing request of their own; the following commands are run on their server.
<pre>$ openssl genrsa -out sender-smime.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................................................+++++
........+++++</pre>
Then create the Certificate Request using the new key:
<pre>$ openssl req -new -key sender-smime.key -out sender-smime.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:LONDON
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester
Organizational Unit Name (eg, section) []:Grantchester HostCo
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman
Email Address []:william.palfreman@grantchester.ac.uk
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:</pre>
This creates a certificate request (CSR), which isn't confidential but I won't list it here. Take that CSR to your Certificate Authority (CA) and issue the certificate:
<pre>$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt
Certificate request self-signature ok
subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk
Enter pass phrase for private/intermediate.key:</pre>
Then pass the receiver's certificate back to the sending server, which needs it to encrypt mail to the receiver.
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.]
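A non-interactive run of the whole flow, added here as an example rather than taken from the page: it issues the sender's and receiver's certificates from a throwaway CA with the emailProtection extension a mail client looks for, gives each certificate its own serial number (reusing -set_serial 1 for every certificate from one issuer, as the commands above do, breaks the X.509 rule that serials are unique per issuer and some clients reject such certificates), verifies both against the CA, and finishes with the sign-then-encrypt exchange the note above says is still to be written. All names, paths and addresses are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: issue two S/MIME certificates from a
# throwaway CA, verify them, then sign+encrypt and decrypt+verify a message.
# Every name, path and address below is constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR + CA-signed certificate for one mailbox.
# $1 = file prefix, $2 = email address, $3 = serial (unique per issuing CA)
issue_smime_cert() {
    prefix="$WORK/$1"; email="$2"; serial="$3"
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts shown on the page
    openssl req -new -key "$prefix.key" -out "$prefix.csr" \
        -subj "/C=GB/O=Example Org/CN=$email/emailAddress=$email"
    # Extensions a mail client expects on an S/MIME certificate
    printf 'extendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=email:%s\n' \
        "$email" > "$prefix.ext"
    openssl x509 -req -days 365 -in "$prefix.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial "$serial" -extfile "$prefix.ext" \
        -out "$prefix.crt" 2>/dev/null
}

# Create the demo CA and both mailboxes, then check each cert for its purpose.
setup_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/C=GB/O=Example Org/CN=Demo CA" 2>/dev/null
    issue_smime_cert sender sender@example.org 1001
    issue_smime_cert receiver receiver@example.org 1002
    openssl verify -CAfile "$WORK/ca.crt" -purpose smimesign "$WORK/sender.crt"
    openssl verify -CAfile "$WORK/ca.crt" -purpose smimeencrypt "$WORK/receiver.crt"
}

# Sender signs with its key and encrypts to the receiver's certificate; the
# receiver decrypts with its key and verifies the signature against the CA.
# Returns 0 when the recovered plaintext contains the original text.
smime_roundtrip() {
    printf 'hello smime\n' > "$WORK/msg.txt"
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/sender.crt" \
        -inkey "$WORK/sender.key" -out "$WORK/signed.eml"
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
        -out "$WORK/enc.eml" "$WORK/receiver.crt"
    openssl smime -decrypt -in "$WORK/enc.eml" -inkey "$WORK/receiver.key" \
        -out "$WORK/dec.eml"
    openssl smime -verify -in "$WORK/dec.eml" -CAfile "$WORK/ca.crt" \
        -out "$WORK/plain.txt" 2>/dev/null
    grep -q 'hello smime' "$WORK/plain.txt"
}
```

Call setup_demo and then smime_roundtrip with the openssl binary in PATH; because of set -e any failing step aborts the script with that step's error.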