summaryrefslogtreecommitdiff
path: root/tests/keys/README
diff options
context:
space:
mode:
Diffstat (limited to 'tests/keys/README')
-rw-r--r--tests/keys/README203
1 files changed, 203 insertions, 0 deletions
diff --git a/tests/keys/README b/tests/keys/README
new file mode 100644
index 00000000..14515024
--- /dev/null
+++ b/tests/keys/README
@@ -0,0 +1,203 @@
+README
+
+0. Passwords
+ For all files the password is "secret".
+
+1. Files list
+
+ cakey.pem Root CA private key
+ cacert.pem Root CA for cakey.pem
+ ca2key.pem RSA private key
+ ca2cert.pem Second-level RSA cert for ca2key.pem
+ dsakey.pem DSA private key
+ dsacert.pem Third level DSA cert for dsakey.pem
+ rsakey.pem RSA private key
+ rsacert.pem Third level RSA cert for rsacert.pem
+ hmackey.bin HMAC key ('secret')
+ expired.key key for expired cert
+ expired.crt expired certificate
+ rsa2key.pem RSA private key
+ rsa2cert.pem Self signed RSA certificate with negative serial number
+
+2. How certificates were generated:
+
+ A. Create new CA
+ - Change DAYS and CADAYS in CA.pl to 3650 (10 years)
+ > export SSLEAY_CONFIG="-config ./openssl.cnf"
+ > CA.pl -newca
+ > cp ./demoCA/cacert.pem .
+ > cp ./demoCA/private/cakey.pem .
+ > openssl x509 -text -in cacert.pem
+
+ B. Generate RSA key and second level CA
+ > openssl genrsa -out ca2key.pem
+ > openssl req -config ./openssl.cnf -new -key ca2key.pem -out ca2req.pem
+ > openssl ca -config ./openssl.cnf -cert cacert.pem -keyfile cakey.pem \
+ -out ca2cert.pem -infiles ca2req.pem
+ > openssl verify -CAfile cacert.pem ca2cert.pem
+
+ C. Generate and sign DSA key with second level CA
+ > openssl dsaparam -out dsakey.pem -genkey 512
+ > openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out dsacert.pem -infiles dsareq.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
+
+ D. Generate and sign RSA key with second level CA
+ > openssl genrsa -out rsakey.pem
+ > openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out rsacert.pem -infiles rsareq.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem
+
+ E. Generate and sign large RSA key with second level CA
+ > openssl genrsa -out largersakey.pem 4096
+ > openssl req -config ./openssl.cnf -new -key largersakey.pem -out largersareq.pem
+ > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
+ -out largersacert.pem -infiles largersareq.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem largersacert.pem
+
+ F. Generate and sign short-live RSA cert for "expired cert" test
+ > openssl genrsa -out expiredkey.pem
+ > openssl req -config ./openssl.cnf -new -days 1 -key expiredkey.pem \
+ -out expiredreq.pem
+ > openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \
+ -keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem
+ > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem
+
+3. Converting key and certs between PEM and DER formats
+
+ - Convert PEM private key file to DER file
+ RSA key:
+ > openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der
+ > openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der
+ > openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der
+ DSA key:
+ > openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der
+
+ - Convert PEM cert file to DER file
+ > openssl x509 -outform DER -in cacert.pem -out cacert.der
+ > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
+ > openssl x509 -outform DER -in dsacert.pem -out dsacert.der
+ > openssl x509 -outform DER -in rsacert.pem -out rsacert.der
+ > openssl x509 -outform DER -in largersacert.pem -out largersacert.der
+ > openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der
+
+ - (optional) Convert PEM public key file to DER file
+ RSA key:
+ > openssl rsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
+ DSA key:
+ > openssl dsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
+
+ If you aren't sure if the public key is RSA or DSA, just run one of
+ the above commands, and the error messaging will make it clear :)
+
+ - (optional) Convert DER cert file to PEM file
+ > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
+
+4. Converting an unencrypted PEM or DER file containing a private key
+ to an encrypted PEM or DER file containing the same private key but
+ encrypted
+ > openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8
+ > openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8
+ > openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8
+ > openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8
+ > openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \
+ -outform pem -topk8
+ > openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \
+ -outform der -topk8
+
+5. NSS is unfriendly towards standalone private keys.
+ This procedure helps convert raw private keys into PKCS12 form that is
+ suitable for not only NSS but all crypto engines.
+
+ > cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
+ > openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
+
+ > cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
+ > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12
+
+ > cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
+ > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey.p12
+
+ > cat expiredkey.pem expiredcert.pem ca2cert.pem cacert.pem > allexpired.pem
+ > openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \
+ -out expiredkey.p12
+
+
+ 5a.
+ Input: DSA/RSA private key in PEM or DER format
+ Output: A PKCS12 file containing the private key, and a self-signed
+ certificate with the corresponding public key
+
+ # first convert key file to PEM format, if not already in that format
+ > openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
+
+ # answer questions at the prompt
+ # Note: use a unique subject (=issuer) for each self-signed cert you
+ # create (since there is no way to specify serial # using the command
+ # below)
+ > openssl req -new -keyform <der|pem> -key key.<der|pem> -x509 -sha1 -days 999999 -outform pem -out cert.pem
+
+ # now using the cert and key in PEM format, conver them to a PKCS12 file
+ # enter some password on prompt
+ > openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> -out keycert.p12
+
+ # This pkcs12 file can be used directly on the xmlsec command line, or
+ # can be pre-loaded into the crypto engine database (if any).
+
+ # In the case of NSS, you can pre-load the key using pk12util.
+ # The key and cert will have the nickname "nickname" (used in above step)
+ > pk12util -d <nss_config_dir> -i keycert.p12
+
+ 5b.
+ Input: DSA/RSA private key in PEM or DER format
+ KeyCert containing corresponding public key
+ Other certs in the chain leading from KeyCert to the root
+ Output: A PKCS12 file containing the private key, the KeyCert and the
+ certs in the chain
+
+ # first convert key file to PEM format, if not already in that format
+ > openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
+
+ # convert all cert files to PEM format, if not already in that format
+ > openssl x509 -inform der -outform pem -in cert.der -out cert.pem
+
+ # concatenate all cert.pem files created above to 1 file - allcerts.pem
+ > cat keycert.pem cert1.pem cert2.pem .... > allcerts.pem
+
+ # now using the certs and key in PEM format, conver them to a PKCS12 file
+ # enter some password on prompt
+ > openssl pkcs12 -export -in allcerts.pem -inkey key.pem \
+ -name <nickname of key & keycert>
+ [-caname <nickname of cert1> -caname <nickname of cert2>.... ]
+ -out keycert.p12
+
+ # This pkcs12 file can be used directly on the xmlsec command line, or
+ # can be pre-loaded into the crypto engine database (if any).
+
+ # In the case of NSS, you can pre-load the key using pk12util.
+ # The key and certs will have the nickname "nickname"
+ # (used in above step)
+ > pk12util -d <nss_config_dir> -i keycert.p12
+
+6. On Windows, one needs to specify Crypto Service Provider (CSP) in the
+pkcs12 file to ensure it is loaded correctly to be used with SHA2 algorithms.
+Worse, the CSP is different for XP and older versions
+
+
+ Input: DSA/RSA private key in PEM or DER format
+ Output: A PKCS12 file containing the private key, and a self-signed
+ certificate with the corresponding public key. Plus the CSP
+ name to be used for this key/cert.
+
+
+ > cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
+ > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
+ > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
+
+
+ > cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
+ > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
+ > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-16 19:37:52 +0000