Everything Penguin, Inc.


    Another HOWTO for generating PKI key pairs:
    
    ===============================================================================
    
    Topics:
    - Private Key
    - Public Key
    - Certificate
    - Certificate Request
    - Signed Certificate (Thawte, Verisign, etc.)
    - Self Signed Certificate
    
    ===============================================================================
    
    
    0.  Typically, you will want to generate your private key and a CSR.
        CSR, for those with CRS, is a Certificate Signing Request or
        Certificate Request.  It is what you will send to Thawte to sign.
        Thawte will return your certificate, signed by them.  Thawte is trusted,
        so if they sign your Certificate, you will be trusted, too.
    
    
    1.  First we generate the private key (a 1024-bit RSA key, encrypted on
        disk with DES3 under a pass phrase you will be prompted for):
    
        # openssl genrsa -des3 -out www.mydomain.com.key 1024
    
        NOTES:
    
        To add a password to an existing (unencrypted) private key, use the following command:
           openssl rsa -in www.mydomain.com.key -des3 -out www.mydomain.com.newkey
    
        To remove the password from an existing private key, use the following command:
           openssl rsa -in www.mydomain.com.key -out www.mydomain.com.newkey
    
    
    
    2.  The output is a file - let's view it:
    
    $ cat www.mydomain.com.key 
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,29D0FFCDD75DBF71
    
    6FKPCFtbc2RXzMYFug+4bg6ODGNiZnKpQizcGGkr10pHmNZ7pXRueEy3f72X9AbP
    2aOkAGR3E6+dNOxVbg2S13zy//DwXNYg/n9w8m+XStXWGM7pH3lIQ0IyGiNRHBe0
    qf7J3+XaUIfv7RgvD2xXKeGJcBPh1QMiDqKWmcp2QSZNprHx7va3ZkuJyJBUX+8J
    szX8K2AuIN1mnhf7VmT3KFKmTx9HKDOL0C5aJ05Pbm4q0/mfKuQQPEpayPg2EUOT
    36Af5fN6H3/OhTE+wy5Mnw0pNUqob0QHvWervtKglPBXpJ1oKuSHWA3sZu+gQDaU
    wCPffG+GDyy/wLh3E71QycTQDqgs25Re/DC0MmrfNe8xEEzVwYgxNb7I/xU1W4PN
    d2+OzGQfFKfF+OvM4IlUnTbidjj3X6lohc4kutFIcrYWVeUKHjSWqxVIkZqXCYvY
    7+LEv3ZPhLrkzMG3tKvTYZweBeLCleyMj9XMncVRnIj6T0SGqc4OO7FNKwEgnsnG
    iPLQAyiJoSKrlNIEv6UmMg1hDNqqsc0wbi5Rd4t4aZKrnVJIB6Q3lQO+a3mGgPqb
    fKTDSQXnRcOqOSk2j5Kn6JiKM9XWNc4eLKfFcLjvjwbkfP6dedEed7QDnwSZqSRo
    cOWEgzw+Vmqd5nWLTJZU6LslSxIdABewtCsmfAzDdJsRv9T6NI+/2ir2McukeVIY
    OOeeHNwJfnIW3rwUIeSK3Qx4zT/N+KJOGs+WypIF++6LqLlH7bQclB/FCNO3gpzf
    rjeqKow9nEK0CGfaPC+W4JKCXvdQUMMbs1fW7wQSNvO4tI5qINu2Pg==
    -----END RSA PRIVATE KEY-----
    
    
    
    
    ################################################################
    Option:  CSR or Self-Sign your Certificate:
    ################################################################
    
    3. So now we have a file with our new private key.  Actually, it's
       both the private key and the public key.  Yep, you need
       to give out your public key, but you can't give it out in this
       format and simply trust that someone will only use the public
       portion.  Instead, you'll need to add some personal data to 
       the mix when you distribute your public key.  The result, public
       key plus publicly verifiable information about you, is your
       certificate.
    
       But how can you trust the certificate?  
       Well, either you sign it yourself and you and everybody else must
       trust you (which works fine when it's only you), or you get some 
       universally trusted third party to sign it.  The latter
       requires a CSR (see step 0 above and 3.b below).
    
    
    3.a.  Generate a self-signed cert from the private key:
    
      I'm putting this first because either 1) it is all you need, or
      2) you will be sending your CSR off and waiting for a signed 
      certificate from the other end, and in the meantime you want
      to get going with a temporary self-signed one:
    
        # openssl req -new -key www.mydomain.com.key -x509 -out www.mydomain.com.crt
    
      Complete the prompts, and you'll have your temporary certificate.
    
    
    
    3.b.  Generate a CSR from the private key:
    
        # openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
    
      You'll be prompted for details and afterward you'll have your CSR.
      Let's take a look at it:
    
    
    $ cat www.mydomain.com.csr 
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBhDCB7gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh
    MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDbwAw8RfcqlKgLEshOkKJbU5GyjjsH82p6hQ96DH57j74K
    vYAK5oB8V4y4D8vqhXcxW9ytHpF+2ZuOiQ0mr38hZgAWsVv5XqxwI2ukVnZ9rln+
    AXA9vVbuXCGqQEeeGa2K3hIzxyy8WYw3KKlrUccTuynDv5vU3ugcD9Ob8uFSnQID
    AQABoAAwDQYJKoZIhvcNAQEFBQADgYEAXkXq47QdTuBqmuAKdJJRfuxFgoGzZIMZ
    ByWsrqgUJKucOuSe14DkmTPFQNayUivkEg4Xc9lUipL9PGDEys3zR9bR6LIG792d
    HJ1h5TaPT32mc7ZeOEuNchuoOBWUFXwNnpPKV5uvK4Hc98AF6XN0rBOR6TpNI0Kp
    t2GMNRv1ZKo=
    -----END CERTIFICATE REQUEST-----
    
    
      This CSR contains the info you entered, plus your public key.
      When you get it back, it will be a signed certificate that is
      distributed as part of your PKI.  The public key is used to 
      encrypt the data sent to you and to decrypt the data you send
      to them.  The data you entered shows up when observing the 
      certificate visually (using the right tool of course).
    
      Like this:
    
    $ openssl asn1parse -in www.mydomain.com.csr 
        0:d=0  hl=4 l= 388 cons: SEQUENCE          
        4:d=1  hl=3 l= 238 cons: SEQUENCE          
        7:d=2  hl=2 l=   1 prim: INTEGER           :00
       10:d=2  hl=2 l=  69 cons: SEQUENCE          
       12:d=3  hl=2 l=  11 cons: SET               
       14:d=4  hl=2 l=   9 cons: SEQUENCE          
       16:d=5  hl=2 l=   3 prim: OBJECT            :countryName
       21:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
       25:d=3  hl=2 l=  19 cons: SET               
       27:d=4  hl=2 l=  17 cons: SEQUENCE          
       29:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
       34:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
       46:d=3  hl=2 l=  33 cons: SET               
       48:d=4  hl=2 l=  31 cons: SEQUENCE          
       50:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
       55:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :Internet Widgits Pty Ltd
       81:d=2  hl=3 l= 159 cons: SEQUENCE          
       84:d=3  hl=2 l=  13 cons: SEQUENCE          
       86:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
       97:d=4  hl=2 l=   0 prim: NULL              
       99:d=3  hl=3 l= 141 prim: BIT STRING        
      243:d=2  hl=2 l=   0 cons: cont [ 0 ]        
      245:d=1  hl=2 l=  13 cons: SEQUENCE          
      247:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
      258:d=2  hl=2 l=   0 prim: NULL              
      260:d=1  hl=3 l= 129 prim: BIT STRING        
    
    
    Yup, I took the defaults when entering the info...
    
    
    
    4.  Hey, that's gibberish.  Where is my public key?
        It's in the CSR...
    
    
    $ openssl req -pubkey -in www.mydomain.com.csr
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbwAw8RfcqlKgLEshOkKJbU5Gy
    jjsH82p6hQ96DH57j74KvYAK5oB8V4y4D8vqhXcxW9ytHpF+2ZuOiQ0mr38hZgAW
    sVv5XqxwI2ukVnZ9rln+AXA9vVbuXCGqQEeeGa2K3hIzxyy8WYw3KKlrUccTuynD
    v5vU3ugcD9Ob8uFSnQIDAQAB
    -----END PUBLIC KEY-----
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBhDCB7gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh
    MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDbwAw8RfcqlKgLEshOkKJbU5GyjjsH82p6hQ96DH57j74K
    vYAK5oB8V4y4D8vqhXcxW9ytHpF+2ZuOiQ0mr38hZgAWsVv5XqxwI2ukVnZ9rln+
    AXA9vVbuXCGqQEeeGa2K3hIzxyy8WYw3KKlrUccTuynDv5vU3ugcD9Ob8uFSnQID
    AQABoAAwDQYJKoZIhvcNAQEFBQADgYEAXkXq47QdTuBqmuAKdJJRfuxFgoGzZIMZ
    ByWsrqgUJKucOuSe14DkmTPFQNayUivkEg4Xc9lUipL9PGDEys3zR9bR6LIG792d
    HJ1h5TaPT32mc7ZeOEuNchuoOBWUFXwNnpPKV5uvK4Hc98AF6XN0rBOR6TpNI0Kp
    t2GMNRv1ZKo=
    -----END CERTIFICATE REQUEST-----
    
    
    
    5.  I still don't see my public key.  Can I have a better look?
        Sure:
    
    
    $ openssl req -text -in www.mydomain.com.csr 
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:db:c0:0c:3c:45:f7:2a:94:a8:0b:12:c8:4e:90:
                        a2:5b:53:91:b2:8e:3b:07:f3:6a:7a:85:0f:7a:0c:
                        7e:7b:8f:be:0a:bd:80:0a:e6:80:7c:57:8c:b8:0f:
                        cb:ea:85:77:31:5b:dc:ad:1e:91:7e:d9:9b:8e:89:
                        0d:26:af:7f:21:66:00:16:b1:5b:f9:5e:ac:70:23:
                        6b:a4:56:76:7d:ae:59:fe:01:70:3d:bd:56:ee:5c:
                        21:aa:40:47:9e:19:ad:8a:de:12:33:c7:2c:bc:59:
                        8c:37:28:a9:6b:51:c7:13:bb:29:c3:bf:9b:d4:de:
                        e8:1c:0f:d3:9b:f2:e1:52:9d
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            5e:45:ea:e3:b4:1d:4e:e0:6a:9a:e0:0a:74:92:51:7e:ec:45:
            82:81:b3:64:83:19:07:25:ac:ae:a8:14:24:ab:9c:3a:e4:9e:
            d7:80:e4:99:33:c5:40:d6:b2:52:2b:e4:12:0e:17:73:d9:54:
            8a:92:fd:3c:60:c4:ca:cd:f3:47:d6:d1:e8:b2:06:ef:dd:9d:
            1c:9d:61:e5:36:8f:4f:7d:a6:73:b6:5e:38:4b:8d:72:1b:a8:
            38:15:94:15:7c:0d:9e:93:ca:57:9b:af:2b:81:dc:f7:c0:05:
            e9:73:74:ac:13:91:e9:3a:4d:23:42:a9:b7:61:8c:35:1b:f5:
            64:aa
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBhDCB7gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh
    MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDbwAw8RfcqlKgLEshOkKJbU5GyjjsH82p6hQ96DH57j74K
    vYAK5oB8V4y4D8vqhXcxW9ytHpF+2ZuOiQ0mr38hZgAWsVv5XqxwI2ukVnZ9rln+
    AXA9vVbuXCGqQEeeGa2K3hIzxyy8WYw3KKlrUccTuynDv5vU3ugcD9Ob8uFSnQID
    AQABoAAwDQYJKoZIhvcNAQEFBQADgYEAXkXq47QdTuBqmuAKdJJRfuxFgoGzZIMZ
    ByWsrqgUJKucOuSe14DkmTPFQNayUivkEg4Xc9lUipL9PGDEys3zR9bR6LIG792d
    HJ1h5TaPT32mc7ZeOEuNchuoOBWUFXwNnpPKV5uvK4Hc98AF6XN0rBOR6TpNI0Kp
    t2GMNRv1ZKo=
    -----END CERTIFICATE REQUEST-----
    
    
    
    
    6.  My private key.  I gotta see my private key now, too.
    
    
    $ openssl rsa -noout -text -in www.mydomain.com.key 
    Enter pass phrase for www.mydomain.com.key:
    Private-Key: (1024 bit)
    modulus:
        00:db:c0:0c:3c:45:f7:2a:94:a8:0b:12:c8:4e:90:
        a2:5b:53:91:b2:8e:3b:07:f3:6a:7a:85:0f:7a:0c:
        7e:7b:8f:be:0a:bd:80:0a:e6:80:7c:57:8c:b8:0f:
        cb:ea:85:77:31:5b:dc:ad:1e:91:7e:d9:9b:8e:89:
        0d:26:af:7f:21:66:00:16:b1:5b:f9:5e:ac:70:23:
        6b:a4:56:76:7d:ae:59:fe:01:70:3d:bd:56:ee:5c:
        21:aa:40:47:9e:19:ad:8a:de:12:33:c7:2c:bc:59:
        8c:37:28:a9:6b:51:c7:13:bb:29:c3:bf:9b:d4:de:
        e8:1c:0f:d3:9b:f2:e1:52:9d
    publicExponent: 65537 (0x10001)
    privateExponent:
        2a:04:6f:92:7a:c2:46:d7:03:c6:92:41:d0:9b:e1:
        1f:5b:3c:49:8a:de:88:a7:a7:5d:63:e1:d0:b1:60:
        e1:d9:5b:3a:0c:7f:d6:15:ba:cd:8b:a3:f1:71:bb:
        c8:cc:da:3c:8a:d7:08:17:07:34:dd:00:dc:61:22:
        2d:9a:72:d1:22:38:af:25:2a:33:1a:fe:8c:fd:79:
        f9:76:5f:95:56:f7:e6:21:7e:00:c8:6a:31:1f:4a:
        72:01:03:d4:5b:9b:a9:84:8e:8a:5a:8d:5d:28:1b:
        b7:ed:3c:c8:c5:e1:7e:ee:15:12:9e:5e:0b:17:6b:
        3b:f1:e1:53:d7:a3:f0:21
    prime1:
        00:f7:c3:b1:97:0d:ee:b9:02:50:8a:9c:54:33:e8:
        0e:87:8c:44:0e:64:31:30:c8:17:42:ce:bd:20:36:
        1b:ed:5d:9b:56:2f:32:4d:6c:1a:2f:1e:33:24:51:
        d7:15:92:d6:0a:85:71:f4:b0:ef:d2:7f:8e:8f:46:
        6d:09:5a:6a:25
    prime2:
        00:e3:0d:f8:d4:92:8e:59:e0:f4:c1:8b:f0:36:4f:
        84:87:a2:40:2e:bd:25:32:df:ab:0b:1d:2b:b0:df:
        fa:ec:05:4e:03:13:0e:b1:05:04:32:4c:2f:1a:73:
        da:60:3c:65:69:ca:fa:58:9a:16:5a:fe:50:11:9d:
        59:38:d6:91:19
    exponent1:
        00:a1:87:d5:35:5d:21:01:3f:70:11:1e:60:8b:42:
        c4:8e:3c:b5:76:08:7e:45:86:7e:1b:d1:3b:5e:4f:
        c8:9f:55:42:db:ca:83:6a:14:8b:71:a2:a7:c7:0b:
        10:46:01:68:48:8d:bd:c0:c0:c6:6a:1f:3d:6b:4d:
        87:f2:ec:1e:7d
    exponent2:
        1c:24:70:32:10:d4:3a:09:aa:ec:8e:66:c0:a4:8c:
        7d:af:3b:9b:4f:70:5b:e4:e3:33:66:73:32:e2:20:
        1c:be:ef:93:6b:fa:47:30:a2:fb:84:fb:d5:a0:84:
        71:a7:2a:be:b9:1c:dc:7c:84:c6:d4:7c:a2:22:49:
        9b:c4:e4:89
    coefficient:
        00:b0:bc:3b:e8:6c:77:ec:a9:38:e1:db:f5:e3:8c:
        0f:1f:f0:64:f0:32:57:e1:4d:3a:fe:1b:5e:07:b5:
        49:61:0e:99:ec:2f:51:63:7c:49:04:f2:59:c6:89:
        7c:8d:53:61:38:4d:72:87:5c:ae:1f:7b:51:df:a2:
        18:3a:96:5b:55
    
    
    
    7.  What's all that other stuff?
        You ask too many questions.
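    The whole flow above (step 1, the NOTES, 3.a and 3.b) scripted non-interactively, plus the checks worth running before a CSR leaves your hands: that the CSR's signature verifies and that the public key inside it really belongs to your private key, which is exactly what the matching modulus in steps 5 and 6 shows by eye. This is an added example, not code from the original HOWTO; it assumes openssl is on PATH, uses a constructed pass phrase and subject, and generates a 2048-bit key instead of the page's 1024 bits, which is below today's minimum.

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Assumptions: openssl on PATH;
# pass phrase, subject and file names are constructed for this example.
set -eu

WORK=${WORK:-$(mktemp -d)}
KEY=$WORK/www.mydomain.com.key
CSR=$WORK/www.mydomain.com.csr
CRT=$WORK/www.mydomain.com.crt
PASS="pass:example-passphrase"                          # constructed; avoids the prompt
SUBJ="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"   # the defaults the page took

# Step 1: RSA private key, encrypted on disk with DES3 under $PASS.
gen_key()  { openssl genrsa -des3 -passout "$PASS" -out "$KEY" 2048 2>/dev/null; }

# Step 3.b: CSR from that key; -subj answers the prompts the page filled in by hand.
gen_csr()  { openssl req -new -key "$KEY" -passin "$PASS" -subj "$SUBJ" -out "$CSR"; }

# Step 3.a: temporary self-signed certificate (req defaults to 30 days without -days).
gen_cert() { openssl req -new -x509 -days 30 -key "$KEY" -passin "$PASS" -subj "$SUBJ" -out "$CRT"; }

# Check 1: the CSR's self-signature verifies, so it was not altered after signing.
csr_verifies() { openssl req -verify -noout -in "$CSR" >/dev/null 2>&1; }

# Check 2: the public key inside the CSR is the one belonging to $KEY
# (the same modulus comparison steps 5 and 6 let you do by eye).
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$KEY" -passin "$PASS")
    r=$(openssl req -noout -modulus -in "$CSR")
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# The NOTES under step 1: strip the pass phrase, put it back, and confirm the
# re-encrypted copy still holds the same key.
passphrase_roundtrip() {
    openssl rsa -in "$KEY" -passin "$PASS" -out "$KEY.plain" 2>/dev/null
    openssl rsa -in "$KEY.plain" -des3 -passout "$PASS" -out "$KEY.new" 2>/dev/null
    a=$(openssl rsa -noout -modulus -in "$KEY.plain")
    b=$(openssl rsa -noout -modulus -in "$KEY.new" -passin "$PASS")
    rm -f "$KEY.plain"                                  # don't leave the unencrypted key behind
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Whole flow; returns non-zero as soon as any step or check fails.
run_all() { gen_key && gen_csr && gen_cert && csr_verifies && csr_matches_key && passphrase_roundtrip; }
```

Source the file and call run_all (or append a call to it); the generated files land in $WORK.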
    



    Brett Lee, Ph.D., President & CEO
    Everything Penguin, Inc.