OpenSSL is an open-source cryptography toolkit; its openssl command-line tool
covers the everyday TLS/SSL chores: generating keys, creating certificate
signing requests, issuing certificates and converting between key and
certificate formats.
Let's see how to create a
self-signed certificate with OpenSSL.
Step 1: Create a Private Key
A private key is the secret half of a key pair. The certificate itself only
carries the matching public key; whoever holds the private key can prove
ownership of the certificate and decrypt or sign on its behalf, so it must be
generated on the machine that will use it and stored with tight permissions.
First create a passphrase-protected, 2048-bit RSA private key (domain.key)
with the openssl command:
openssl genrsa -des3 -out domain.key 2048
Enter a password when
prompted. The output will look like:
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
.........+++++
e is 65537 (0x010001)
Enter pass phrase for domain.key:
Verifying - Enter pass phrase for domain.key:
Note: -des3 encrypts the key file with triple DES, a legacy cipher; genrsa
also accepts -aes256, which is the better choice on any current OpenSSL. For an
unencrypted key file (not recommended unless the server has no way to supply a
passphrase at startup), simply drop the cipher option from the command.
Step 2: Create a Certificate Signing Request (CSR)
Create a CSR (domain.csr) from our existing private key:
openssl req -key domain.key -new -out domain.csr
Enter the private key passphrase and the CSR information
when prompted. The output will look like:
Enter pass phrase for domain.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyUnit
Common Name (e.g. server FQDN or YOUR name) []:itsecuritypundit.com
Email Address []:admin@itsecuritypundit.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The important field is “Common Name,” which should be the exact Fully Qualified Domain Name (FQDN) of our domain (itsecuritypundit.com above). Be aware that current browsers no longer use the Common Name for host-name matching: the name must also appear in a Subject Alternative Name (SAN) extension, which Step 4.2 adds when the certificate is issued.
“A challenge password” and “An optional company name” can
be left empty.
We can also create both the private key and CSR with a
single command:
openssl req -newkey rsa:2048 -keyout domain.key -out domain.csr
If we want our private key unencrypted, we can add the
-nodes option:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Step 3: Create a Self-Signed Certificate
A self-signed certificate is one whose signature was produced with its own
private key, so issuer and subject are the same entity. The TLS session it
protects is encrypted just as strongly as with a CA-signed certificate, but
nothing independent vouches for the identity in it: browsers and other clients
show a warning that the certificate isn't trusted until it is explicitly
imported or pinned.
Create a self-signed certificate (domain.crt) with our
existing private key and CSR:
openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt
The -days option specifies the number of days, counted from now, that the
certificate will be valid. Note that x509 -req copies only the subject from
the CSR, so this certificate has no Subject Alternative Name; add -extfile with
a subjectAltName entry (as in Step 4.2) if clients need to match a host name.
We can create a self-signed certificate with just a
private key:
openssl req -key domain.key -new -x509 -days 365 -out domain.crt
This command builds the request internally instead of writing a CSR file, so
we still get the Distinguished Name prompts, of course.
We can even create a private key and a self-signed
certificate with just a single command:
openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 365 -out domain.crt
Step 4: Creating a CA-Signed Certificate With Our
Own CA
We can act as our own certificate authority (CA) by creating
a self-signed root CA certificate and then installing it as a trusted root in
the local browser or operating-system trust store. Every certificate the root
signs is then accepted by those clients without a warning, which also means the
root's private key must be guarded: anyone holding it can issue a certificate
for any name those clients will trust.
Step 4.1: Create a Self-Signed Root CA
Create a private key
(rootCA.key) and a self-signed root CA certificate (rootCA.crt) from the command
line:
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt
Step 4.2: Sign Our CSR With Root CA
Create a configuration
text-file (domain.ext) with the following content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain
The “DNS.1” field must be the exact FQDN the server is reached by (for our
example, DNS.1 = itsecuritypundit.com); add DNS.2, DNS.3 and so on for further
names such as the www host. This Subject Alternative Name is what browsers
match against the host, not the Common Name. basicConstraints=CA:FALSE stops
the issued certificate from being used to sign further certificates, and
authorityKeyIdentifier ties it to the signing CA's key.
Then we can sign our CSR (domain.csr)
with the root CA certificate and its private key:
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 365 -CAcreateserial -extfile domain.ext
As a result, the CA-signed certificate will be in the domain.crt file.
-CAcreateserial also creates rootCA.srl, which records the serial numbers the
CA has issued so that no two certificates share one.
Step 5: View Certificates
Use the openssl command to view the contents of our certificate in plain text
and check the issuer, subject, validity dates and extensions such as the SAN:
openssl x509 -text -noout -in domain.crt
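The Step 1 to 5 procedure as one unattended script, followed by the checks worth running before the certificate goes anywhere near a server: that the leaf chains to our root, that the SAN carries the host name, and that host-name verification fails for any other name. This is an added example, not code from the original post. It assumes openssl 1.1.1 or 3.x on PATH; the directory, file names, the CA subject and the lifetimes are illustrative choices, and keys are written unencrypted so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not part of the original post: the whole Step 1-5 procedure
# as an unattended script, plus the checks a practitioner runs afterwards.
# Assumptions: openssl 1.1.1 or 3.x on PATH; directory, file names, the CA
# subject and the lifetimes are illustrative choices.
set -u

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# The [ dn ] section must exist for 'req' but stays empty: the subject is
# given with -subj. v3_ca marks the root as a CA and restricts its key to
# signing certificates and CRLs.
write_openssl_cnf() {  # $1 = config path
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Leaf extensions (the page's domain.ext plus key-usage limits): the SAN is
# what browsers match against the host name, not the Common Name.
write_leaf_ext() {  # $1 = ext file, $2 = server FQDN
  cat > "$1" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $2
EOF
}

# Build the PKI in $1 for host $2: root CA, leaf key + CSR, CA-signed leaf.
# Keys are written unencrypted (-nodes) so the script runs unattended; for a
# real CA drop -nodes on the root key and keep that key offline.
build_pki() {  # $1 = working dir, $2 = server FQDN
  mkdir -p "$1"
  write_openssl_cnf "$1/openssl.cnf"
  write_leaf_ext "$1/domain.ext" "$2"

  # Step 4.1: root key and self-signed root certificate.
  openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes \
    -config "$1/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Private Root CA" \
    -keyout "$1/rootCA.key" -out "$1/rootCA.crt"

  # Steps 1 and 2 in one command: leaf key and CSR.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -config "$1/openssl.cnf" \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=MyCompany/CN=$2" \
    -keyout "$1/domain.key" -out "$1/domain.csr"

  # Step 4.2: sign the CSR with the root and attach the leaf extensions.
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" \
    -in "$1/domain.csr" -extfile "$1/domain.ext" \
    -out "$1/domain.crt"
}

# Step 5 checks. verify_chain: does the leaf chain to our root?
verify_chain() {  # $1 = working dir
  openssl verify -CAfile "$1/rootCA.crt" "$1/domain.crt" >/dev/null
}

# Does the certificate carry the expected DNS name in its SAN?
cert_has_san() {  # $1 = certificate, $2 = FQDN
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Host-name check as a TLS client performs it: succeeds for the SAN name and
# fails for any other host, even though the chain itself is valid.
cert_matches_host() {  # $1 = working dir, $2 = host name
  openssl verify -CAfile "$1/rootCA.crt" -verify_hostname "$2" \
    "$1/domain.crt" >/dev/null 2>&1
}

# Run directly:  sh make_pki.sh ./pki-demo itsecuritypundit.com
if [ $# -eq 2 ]; then
  build_pki "$1" "$2"
  verify_chain "$1" && echo "chain verifies against rootCA.crt"
  cert_has_san "$1/domain.crt" "$2" && echo "SAN contains $2"
fi
```

The config file is deliberately passed with -config every time: the system openssl.cnf differs between distributions (and is absent on some minimal images), and whether a self-signed root gets CA:TRUE depends on what that file contains. Writing our own makes the result reproducible.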
Extracting the certificate and keys from a .pfx file
A .pfx file is a PKCS#12 container: it bundles the certificate (which carries
the public key), usually its issuing chain, and the corresponding private key
in one passphrase-protected file. Sometimes you have to import the certificate
and private key separately, as plain-text PEM files, on another system. This
section shows how to split a .pfx file into .crt and .key files.
Extract .crt and .key files from .pfx file
- Extract the private key (you are asked for the .pfx import password, then for a new PEM pass phrase that encrypts the output file)
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
- Extract the certificate (-clcerts skips any CA certificates in the bundle, -nokeys leaves the private key out)
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
- Decrypt the private key (the output carries no passphrase; restrict its file permissions)
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
- Re-encode an RSA private key as PEM (this acts on the key file, not on the .pfx, and also strips the passphrase unless a cipher option such as -aes256 is added; use openssl pkey instead of openssl rsa for non-RSA keys)
openssl rsa -in [keyfile-encrypted.key] -outform PEM -out [keyfile-encrypted-pem.key]
Convert a certificate into the appropriate format
- Convert a .cer certificate to PEM (a .cer file may be PEM or DER; this command expects PEM, so add -inform DER if the file is binary)
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
- Convert PEM to DER
openssl x509 -outform der -in certificatename.pem -out certificatename.der
- Convert DER to PEM
openssl x509 -inform der -in certificatename.der -out certificatename.pem
- Convert PEM to P7B
Note: The PKCS#7 or P7B format is stored as Base64 ASCII and uses the .p7b or .p7c file extension.
A P7B file contains only certificates (the end-entity certificate and intermediate CA certificates), never the private key. Windows and Java/Tomcat are the platforms that most commonly consume P7B files. Repeat -certfile once for each certificate that should go into the bundle, as the command below does for the server certificate and its CA certificate.
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
- Convert PKCS7 to PEM
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
- Convert pfx to PEM
Note: The PKCS#12 or PFX format is a binary container for the server certificate, intermediate certificates and the private key in one passphrase-protected file, with the .pfx or .p12 extension. PFX files are typically used on Windows to import and export certificates and private keys. The command below writes everything, including the private key, into a single PEM file; the key is re-encrypted with a new PEM pass phrase unless -nodes is added.
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Convert PFX to a PKCS#8 private key
Note: This requires 2 commands
- STEP 1: Extract the private key from the PFX, unencrypted (-nocerts -nodes)
openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
- STEP 2: Convert the PEM key to PKCS#8 (-nocrypt writes an unencrypted PKCS#8 file; drop it to be prompted for a passphrase and get an encrypted one)
openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
Convert P7B to PFX
Note: This requires 2 commands
- STEP 1: Convert P7B to CER
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
- STEP 2: Convert CER and Private Key to PFX (privateKey.key must be the key matching certificatename.cer; -certfile adds the CA chain)
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
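The conversions above, run as a round trip that checks its own result: a certificate and key go into a PKCS#12 file and come back out, the certificate is re-encoded through DER and PKCS#7, and after each step the extracted key is compared with the certificate's public key, which is the one test that tells you the two files belong together before you install them. This is an added example, not code from the original post. It assumes openssl 1.1.1 or 3.x on PATH; the file names, the host name and the PFX_PASS variable name are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: round-trip a certificate and
# key through PKCS#12, DER and PKCS#7, and prove the extracted key belongs to
# the certificate, which is the check to run before installing either file.
# Assumptions: openssl 1.1.1 or 3.x on PATH; file names, the host name and
# the PFX_PASS passphrase variable are illustrative.
set -u

# Throwaway self-signed certificate and unencrypted key for the demo. The
# four-line config removes the dependency on a system openssl.cnf.
make_test_cert() {  # $1 = working dir
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\n' > "$1/mini.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/mini.cnf" -subj "/CN=pfx-demo.example.test" \
    -keyout "$1/domain.key" -out "$1/domain.crt"
}

# A private key belongs to a certificate iff their public keys are identical.
# openssl pkey handles RSA and EC alike, unlike the RSA-only 'openssl rsa'.
key_matches_cert() {  # $1 = private key (PEM), $2 = certificate (PEM)
  pub=$(openssl pkey -in "$1" -pubout) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Bundle certificate + key into a .pfx. $2 is a -passout source such as
# env:PFX_PASS or file:/path, which keeps the passphrase out of 'ps' output
# and shell history; pass:secret also works but exposes it to both.
export_pfx() {  # $1 = working dir, $2 = passphrase source
  openssl pkcs12 -export -in "$1/domain.crt" -inkey "$1/domain.key" \
    -passout "$2" -out "$1/domain.pfx"
}

# Reverse: the key without a passphrase (-nodes) and the leaf certificate
# only (-clcerts -nokeys). A wrong passphrase fails with a MAC verify error.
extract_pfx() {  # $1 = working dir, $2 = passphrase source
  openssl pkcs12 -in "$1/domain.pfx" -passin "$2" -nocerts -nodes \
    -out "$1/extracted.key" &&
  openssl pkcs12 -in "$1/domain.pfx" -passin "$2" -clcerts -nokeys \
    -out "$1/extracted.crt"
}

# PEM -> DER -> PEM must reproduce the certificate byte for byte.
der_roundtrip() {  # $1 = working dir
  openssl x509 -in "$1/domain.crt" -outform DER -out "$1/domain.der" &&
  openssl x509 -inform DER -in "$1/domain.der" -out "$1/roundtrip.crt" &&
  cmp -s "$1/domain.crt" "$1/roundtrip.crt"
}

# Certificate -> .p7b -> PEM. The output carries subject/issuer header lines
# that the PEM parsers skip, so the key check still works on it.
p7b_roundtrip() {  # $1 = working dir
  openssl crl2pkcs7 -nocrl -certfile "$1/domain.crt" -out "$1/domain.p7b" &&
  openssl pkcs7 -print_certs -in "$1/domain.p7b" -out "$1/from_p7b.crt" &&
  key_matches_cert "$1/domain.key" "$1/from_p7b.crt"
}

# Run directly:  PFX_PASS=changeit sh pfx_roundtrip.sh ./pfx-demo
if [ $# -eq 1 ]; then
  mkdir -p "$1"
  make_test_cert "$1" && export_pfx "$1" env:PFX_PASS &&
    extract_pfx "$1" env:PFX_PASS &&
    key_matches_cert "$1/extracted.key" "$1/extracted.crt" &&
    echo "extracted key matches extracted certificate"
fi
```

The extracted key is written without a passphrase because that is what most servers need at startup; treat extracted.key like the original private key and delete it once it is installed. If a .pfx produced by an old Windows or OpenSSL 1.x tool fails to open under OpenSSL 3.x, the usual cause is its RC2/3DES wrapping, which 3.x reads only with the -legacy option.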