README 0. Passwords For all files the password is "secret". 1. Files list cakey.pem Root CA private key cacert.pem Root CA for cakey.pem ca2key.pem RSA private key ca2cert.pem Second-level RSA cert for ca2key.pem dsakey.pem DSA private key dsacert.pem Third level DSA cert for dsakey.pem rsakey.pem RSA private key rsacert.pem Third level RSA cert for rsacert.pem hmackey.bin HMAC key ('secret') expired.key key for expired cert expired.crt expired certificate rsa2key.pem RSA private key rsa2cert.pem Self signed RSA certificate with negative serial number 2. How certificates were generated: A. Create new CA - Change DAYS and CADAYS in CA.pl to 3650 (10 years) > export SSLEAY_CONFIG="-config ./openssl.cnf" > CA.pl -newca > cp ./demoCA/cacert.pem . > cp ./demoCA/private/cakey.pem . > openssl x509 -text -in cacert.pem B. Generate RSA key and second level CA > openssl genrsa -out ca2key.pem > openssl req -config ./openssl.cnf -new -key ca2key.pem -out ca2req.pem > openssl ca -config ./openssl.cnf -cert cacert.pem -keyfile cakey.pem \ -out ca2cert.pem -infiles ca2req.pem > openssl verify -CAfile cacert.pem ca2cert.pem C. Generate and sign DSA key with second level CA > openssl dsaparam -out dsakey.pem -genkey 512 > openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \ -out dsacert.pem -infiles dsareq.pem > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem D. Generate and sign RSA key with second level CA > openssl genrsa -out rsakey.pem > openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \ -out rsacert.pem -infiles rsareq.pem > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem E. Generate and sign large RSA key with second level CA > openssl genrsa -out largersakey.pem 4096 > openssl req -config ./openssl.cnf -new -key largersakey.pem -out largersareq.pem > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \ -out largersacert.pem -infiles largersareq.pem > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem largersacert.pem F. Generate and sign short-live RSA cert for "expired cert" test > openssl genrsa -out expiredkey.pem > openssl req -config ./openssl.cnf -new -days 1 -key expiredkey.pem \ -out expiredreq.pem > openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \ -keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem 3. Converting key and certs between PEM and DER formats - Convert PEM private key file to DER file RSA key: > openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der > openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der > openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der DSA key: > openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der - Convert PEM cert file to DER file > openssl x509 -outform DER -in cacert.pem -out cacert.der > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der > openssl x509 -outform DER -in dsacert.pem -out dsacert.der > openssl x509 -outform DER -in rsacert.pem -out rsacert.der > openssl x509 -outform DER -in largersacert.pem -out largersacert.der > openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der - (optional) Convert PEM public key file to DER file RSA key: > openssl rsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der DSA key: > openssl dsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der If you aren't sure if the public key is RSA or DSA, just run one of the above commands, and the error messaging will make it clear :) - (optional) Convert DER cert file to PEM file > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem 4. Converting an unencrypted PEM or DER file containing a private key to an encrypted PEM or DER file containing the same private key but encrypted > openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8 > openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8 > openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8 > openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8 > openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \ -outform pem -topk8 > openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \ -outform der -topk8 5. NSS is unfriendly towards standalone private keys. This procedure helps convert raw private keys into PKCS12 form that is suitable for not only NSS but all crypto engines. > cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem > openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12 > cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12 > cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey.p12 > cat expiredkey.pem expiredcert.pem ca2cert.pem cacert.pem > allexpired.pem > openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \ -out expiredkey.p12 5a. Input: DSA/RSA private key in PEM or DER format Output: A PKCS12 file containing the private key, and a self-signed certificate with the corresponding public key # first convert key file to PEM format, if not already in that format > openssl -inform der -outform pem -in key.der -out key.pem # answer questions at the prompt # Note: use a unique subject (=issuer) for each self-signed cert you # create (since there is no way to specify serial # using the command # below) > openssl req -new -keyform -key key. -x509 -sha1 -days 999999 -outform pem -out cert.pem # now using the cert and key in PEM format, conver them to a PKCS12 file # enter some password on prompt > openssl pkcs12 -export -in cert.pem -inkey key.pem -name -out keycert.p12 # This pkcs12 file can be used directly on the xmlsec command line, or # can be pre-loaded into the crypto engine database (if any). # In the case of NSS, you can pre-load the key using pk12util. # The key and cert will have the nickname "nickname" (used in above step) > pk12util -d -i keycert.p12 5b. Input: DSA/RSA private key in PEM or DER format KeyCert containing corresponding public key Other certs in the chain leading from KeyCert to the root Output: A PKCS12 file containing the private key, the KeyCert and the certs in the chain # first convert key file to PEM format, if not already in that format > openssl -inform der -outform pem -in key.der -out key.pem # convert all cert files to PEM format, if not already in that format > openssl x509 -inform der -outform pem -in cert.der -out cert.pem # concatenate all cert.pem files created above to 1 file - allcerts.pem > cat keycert.pem cert1.pem cert2.pem .... > allcerts.pem # now using the certs and key in PEM format, conver them to a PKCS12 file # enter some password on prompt > openssl pkcs12 -export -in allcerts.pem -inkey key.pem \ -name [-caname -caname .... ] -out keycert.p12 # This pkcs12 file can be used directly on the xmlsec command line, or # can be pre-loaded into the crypto engine database (if any). # In the case of NSS, you can pre-load the key using pk12util. # The key and certs will have the nickname "nickname" # (used in above step) > pk12util -d -i keycert.p12 6. On Windows, one needs to specify Crypto Service Provider (CSP) in the pkcs12 file to ensure it is loaded correctly to be used with SHA2 algorithms. Worse, the CSP is different for XP and older versions Input: DSA/RSA private key in PEM or DER format Output: A PKCS12 file containing the private key, and a self-signed certificate with the corresponding public key. Plus the CSP name to be used for this key/cert. > cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" > cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"