Difference between revisions of "OpenSSL"
(First save) |
(Added signing a CSR) |
||
(10 intermediate revisions by the same user not shown) | |||
Line 10: | Line 10: | ||
Will be fleshed out as time allows. | Will be fleshed out as time allows. | ||
== Creating and using S/MIME == | |||
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client. | |||
First, generate your new key for the sender: | |||
<pre>$ openssl genrsa -out smime.key 2048</pre> | |||
Then create a [[Certificate Signing Request]]: | |||
<pre>$ openssl req -new -key smime.key -out smime.csr | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:GB | |||
State or Province Name (full name) [Some-State]:Leeds | |||
Locality Name (eg, city) []:Leeds | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Palfreman Trading Ltd | |||
Organizational Unit Name (eg, section) []: | |||
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman | |||
Email Address []:william@palfreman.com | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
Then sign the [[Certificate Signing Request|CSR]] using your own [[Certificate Authority]]. | |||
<pre>$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt</pre> | |||
Then the receiver needs to create a key and a certificate signing request. This is their server. | |||
<pre>$ openssl genrsa -out sender-smime.key 2048 | |||
Generating RSA private key, 2048 bit long modulus (2 primes) | |||
........................................................................................+++++ | |||
........+++++ | |||
</pre> | |||
Then create the Certificate Request using the new key | |||
<pre> | |||
$ openssl req -new -key sender-smime.key -out sender-smime.csr | |||
You are about to be asked to enter information that will be incorporated | |||
into your certificate request. | |||
What you are about to enter is what is called a Distinguished Name or a DN. | |||
There are quite a few fields but you can leave some blank | |||
For some fields there will be a default value, | |||
If you enter '.', the field will be left blank. | |||
----- | |||
Country Name (2 letter code) [AU]:GB | |||
State or Province Name (full name) [Some-State]:London | |||
Locality Name (eg, city) []:LONDON | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester | |||
Organizational Unit Name (eg, section) []:Grantchester HostCo | |||
Common Name (e.g. server FQDN or YOUR name) []:William Palfreman | |||
Email Address []:william.palfreman@grantchester.ac.uk | |||
Please enter the following 'extra' attributes | |||
to be sent with your certificate request | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
The creates a certificate request (CSR) which isn't confidential but I won't list here. Take that CSR to your Certificate Authority (CA) and issue the certificate | |||
<pre> | |||
$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt | |||
Certificate request self-signature ok | |||
subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk | |||
Enter pass phrase for private/intermediate.key:</pre> | |||
Then pass the receiver sender certificate back to the sending server. | |||
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.] | |||
== Keys and CSRs for websites == | |||
=== Create Key === | |||
Create the new RSA key. This should be done for each new certificate and should remain on the server it is intended for. | |||
<pre>$ openssl genrsa -out www.mydomain.com.key 2048 | |||
$ chmod 400 www.mydomain.com.key</pre> | |||
=== Create CSR === | |||
# Make a local copy of openssl.cnf | |||
# Uncomment the line about v3_extensions<pre>req_extensions = v3_req</pre> | |||
# Add a subjectAltName under basicConstraints and keyUsage in <i>[ v3_req ]</i> section. | |||
<pre>[ v3_req ] | |||
basicConstraints = CA:FALSE | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |||
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com</pre> | |||
There is some debate whether wildcard domains can be SANs. I think they can.<p> | |||
Now create the CSR for the website.<pre>$ openssl req -new -key www.mydomain.com.key -sha256 -config openssl.cnf -subj '/C=GB/ST=Yorkshire/L=Leeds/O=Company Name/OU=Company IT Dept/CN=www.mydomain.com' > www.mydomain.com.csr</pre> | |||
The file <i>www.mydomain.com.csr</i> can be provided to the certificate authority for signing. | |||
=== Signing Cert with own CA === | |||
This assumes you have your own certificate authority as many people do for internal use. In this example the above CSR has been sent to you to sign. | |||
# Create this file in the directory where the CSR is | |||
<pre>cat mydomain-extensions.cnf | |||
[ v3_req ] | |||
# Extensions to add to a certificate request | |||
basicConstraints = CA:FALSE | |||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |||
subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com | |||
[ ca_extensions ] | |||
subjectKeyIdentifier = hash | |||
authorityKeyIdentifier = keyid:always, issuer | |||
basicConstraints = critical, CA:true | |||
keyUsage = keyCertSign, cRLSign</pre> | |||
# Sign the CSR to make the certificate | |||
<pre>intermediate$ openssl x509 -req -days 1830 -in csr/www.mydomain.com.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -extensions v3_req -extfile extensions.cnf -set_serial 1 -out mydomain.com/www.mydomain.com.crt | |||
Certificate request self-signature ok | |||
subject=C = GB, ST = Yorkshire, L = Leeds, O = Company Name, CN = www.mydomain.com | |||
Enter pass phrase for private/intermediate.key:</pre> | |||
Now you have created the certificate, check all the details are correct: | |||
<pre> | |||
$ openssl x509 -text -noout -in www.mydomain.com.crt | |||
Certificate: | |||
Data: | |||
Version: 3 (0x2) | |||
Serial Number: 1 (0x1) | |||
Signature Algorithm: sha256WithRSAEncryption | |||
Issuer: C = GB, ST = England, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA | |||
Validity | |||
Not Before: Aug 7 18:57:24 2024 GMT | |||
Not After : Aug 11 18:57:24 2029 GMT | |||
Subject: C = GB, ST = Yorkshire, L = Leeds, O = My Company Name, CN = www.mydomain.com | |||
Subject Public Key Info: | |||
Public Key Algorithm: rsaEncryption | |||
Public-Key: (4096 bit) | |||
Modulus:<snipped> | |||
Exponent: 65537 (0x10001) | |||
X509v3 extensions: | |||
X509v3 Basic Constraints: | |||
CA:FALSE | |||
X509v3 Key Usage: | |||
Digital Signature, Non Repudiation, Key Encipherment | |||
X509v3 Subject Alternative Name: | |||
DNS:mydomain.com, DNS:www.mydomain.com | |||
X509v3 Subject Key Identifier: | |||
<snipped> | |||
X509v3 Authority Key Identifier: | |||
<snipped> | |||
Signature Algorithm: sha256WithRSAEncryption | |||
Signature Value:<snipped></pre> | |||
=== Moduli === | |||
You must check the moduli line up on the server. Each file, the RSA, the CSR and the certificate should have the same modulus. You can append you ca-chain.pem to the certificate file. OpenSSL will only look at the first. | |||
<pre>$ sudo openssl rsa -modulus -noout -in private/www.mydomain.com.key | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 | |||
$ openssl x509 -modulus -noout -in www.mydomain.com.crt | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 | |||
$ openssl req -modulus -noout -in www.mydomain.com.csr | openssl md5 | |||
(stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672</pre> | |||
Then the certificate can be fitted to the webserver. | |||
== Writing random seed with writerand == | |||
Sometimes openssl lacks a random seed and fails. You can easily create a file for this. | |||
<pre>$ openssl rand -writerand $HOME/.rnd</pre> |
Latest revision as of 20:05, 7 August 2024
OpenSSLis the widely used encryption layer in UNIX operating systems. The most common day to day use is providing transport layer security to websites, such as this one and indicated by the use of https in the URL.
Points to be covered in this document
- Generating a private key
- Generating a Certificate Signing Request
- Fitting an SSL key
- Verification
- Starting a Certificate Authority.
Will be fleshed out as time allows.
Creating and using S/MIME
This is how to create a self-signed S/MIME certificate, used for email encryption and decryption in an email client.
First, generate your new key for the sender:
$ openssl genrsa -out smime.key 2048
Then create a Certificate Signing Request:
$ openssl req -new -key smime.key -out smime.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:Leeds Locality Name (eg, city) []:Leeds Organization Name (eg, company) [Internet Widgits Pty Ltd]:Palfreman Trading Ltd Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:William Palfreman Email Address []:william@palfreman.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Then sign the CSR using your own Certificate Authority.
$ openssl x509 -req -days 730 -in csr/smime.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -set_serial 1 -out ../smime/smime.crt
Then the receiver needs to create a key and a certificate signing request. This is their server.
$ openssl genrsa -out sender-smime.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ........................................................................................+++++ ........+++++
Then create the Certificate Request using the new key
$ openssl req -new -key sender-smime.key -out sender-smime.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:London Locality Name (eg, city) []:LONDON Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Grantchester Organizational Unit Name (eg, section) []:Grantchester HostCo Common Name (e.g. server FQDN or YOUR name) []:William Palfreman Email Address []:william.palfreman@grantchester.ac.uk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
The creates a certificate request (CSR) which isn't confidential but I won't list here. Take that CSR to your Certificate Authority (CA) and issue the certificate
$ openssl x509 -req -days 365 -in csr/grant.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -out grant.crt Certificate request self-signature ok subject=C = GB, ST = London, L = LONDON, O = University of Granchester, OU = HostCo, CN = William Palfreman, emailAddress = william.palfreman@grantchester.ac.uk Enter pass phrase for private/intermediate.key:
Then pass the receiver sender certificate back to the sending server.
[Next, details about the openssl pipeline to sign and encrypt the smime attachment.]
Keys and CSRs for websites
Create Key
Create the new RSA key. This should be done for each new certificate and should remain on the server it is intended for.
$ openssl genrsa -out www.mydomain.com.key 2048 $ chmod 400 www.mydomain.com.key
Create CSR
- Make a local copy of openssl.cnf
- Uncomment the line about v3_extensions
req_extensions = v3_req
- Add a subjectAltName under basicConstraints and keyUsage in [ v3_req ] section.
[ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com
There is some debate whether wildcard domains can be SANs. I think they can.
Now create the CSR for the website.
$ openssl req -new -key www.mydomain.com.key -sha256 -config openssl.cnf -subj '/C=GB/ST=Yorkshire/L=Leeds/O=Company Name/OU=Company IT Dept/CN=www.mydomain.com' > www.mydomain.com.csr
The file www.mydomain.com.csr can be provided to the certificate authority for signing.
Signing Cert with own CA
This assumes you have your own certificate authority as many people do for internal use. In this example the above CSR has been sent to you to sign.
- Create this file in the directory where the CSR is
cat mydomain-extensions.cnf [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = DNS:www.mydomain.com,DNS:mydomain.com,DNS:other.mydomain.com [ ca_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:true keyUsage = keyCertSign, cRLSign
- Sign the CSR to make the certificate
intermediate$ openssl x509 -req -days 1830 -in csr/www.mydomain.com.csr -CA certs/intermediate.crt -CAkey private/intermediate.key -extensions v3_req -extfile extensions.cnf -set_serial 1 -out mydomain.com/www.mydomain.com.crt Certificate request self-signature ok subject=C = GB, ST = Yorkshire, L = Leeds, O = Company Name, CN = www.mydomain.com Enter pass phrase for private/intermediate.key:
Now you have created the certificate, check all the details are correct:
$ openssl x509 -text -noout -in www.mydomain.com.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = GB, ST = England, O = My Company, OU = My Company Certificate Authority, CN = My Company Intermediate CA Validity Not Before: Aug 7 18:57:24 2024 GMT Not After : Aug 11 18:57:24 2029 GMT Subject: C = GB, ST = Yorkshire, L = Leeds, O = My Company Name, CN = www.mydomain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus:<snipped> Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:mydomain.com, DNS:www.mydomain.com X509v3 Subject Key Identifier: <snipped> X509v3 Authority Key Identifier: <snipped> Signature Algorithm: sha256WithRSAEncryption Signature Value:<snipped>
Moduli
You must check the moduli line up on the server. Each file, the RSA, the CSR and the certificate should have the same modulus. You can append you ca-chain.pem to the certificate file. OpenSSL will only look at the first.
$ sudo openssl rsa -modulus -noout -in private/www.mydomain.com.key | openssl md5 (stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 $ openssl x509 -modulus -noout -in www.mydomain.com.crt | openssl md5 (stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672 $ openssl req -modulus -noout -in www.mydomain.com.csr | openssl md5 (stdin)= 5e7b29b4369f6f7a7f79e1d78c5dd672
Then the certificate can be fitted to the webserver.
Writing random seed with writerand
Sometimes openssl lacks a random seed and fails. You can easily create a file for this.
$ openssl rand -writerand $HOME/.rnd