1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
README
0. Passwords
For all files the password is "secret".
1. Files list
cakey.pem Root CA private key
cacert.pem Root CA for cakey.pem
ca2key.pem RSA private key
ca2cert.pem Second-level RSA cert for ca2key.pem
dsakey.pem DSA private key
dsacert.pem Third level DSA cert for dsakey.pem
dsa2048key.pem DSA private key (2048 bits)
dsa3072key.pem DSA private key (3072 bits)
rsakey.pem RSA private key
rsacert.pem Third level RSA cert for rsacert.pem
hmackey.bin HMAC key ('secret')
expired.key key for expired cert
expired.crt expired certificate
rsa2key.pem RSA private key
rsa2cert.pem Self signed RSA certificate with negative serial number
2. How certificates were generated:
A. Create new CA
- Change DAYS and CADAYS in CA.pl to 3650 (10 years)
> export SSLEAY_CONFIG="-config ./openssl.cnf"
> CA.pl -newca
> cp ./demoCA/cacert.pem .
> cp ./demoCA/private/cakey.pem .
> openssl x509 -text -in cacert.pem
B. Generate RSA key and second level CA
> openssl genrsa -out ca2key.pem
> openssl req -config ./openssl.cnf -new -key ca2key.pem -out ca2req.pem
> openssl ca -config ./openssl.cnf -cert cacert.pem -keyfile cakey.pem \
-out ca2cert.pem -infiles ca2req.pem
> openssl verify -CAfile cacert.pem ca2cert.pem
C. Generate and sign DSA key with second level CA
> openssl dsaparam -out dsakey.pem -genkey 1024
> openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out dsacert.pem -infiles dsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
> openssl dsaparam -out dsa2048key.pem -genkey 2048
> openssl req -config ./openssl.cnf -new -key dsa2048key.pem -out dsa2048req.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out dsa2048cert.pem -infiles dsa2048req.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsa2048cert.pem
> openssl dsaparam -out dsa3072key.pem -genkey 3072
> openssl req -config ./openssl.cnf -new -key dsa3072key.pem -out dsa3072req.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out dsa3072cert.pem -infiles dsa3072req.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsa3072cert.pem
D. Generate and sign RSA key with second level CA
> openssl genrsa -out rsakey.pem
> openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out rsacert.pem -infiles rsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem
E. Generate and sign large RSA key with second level CA
> openssl genrsa -out largersakey.pem 4096
> openssl req -config ./openssl.cnf -new -key largersakey.pem -out largersareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out largersacert.pem -infiles largersareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem largersacert.pem
F. Generate and sign short-live RSA cert for "expired cert" test
> openssl genrsa -out expiredkey.pem
> openssl req -config ./openssl.cnf -new -days 1 -key expiredkey.pem \
-out expiredreq.pem
> openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \
-keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem
G. Generate ECDSA key with second level CA
> openssl ecparam -list_curves
> openssl ecparam -name secp256k1 -genkey -noout -out ecdsa-secp256k1-key.pem
> openssl req -config ./openssl.cnf -new -key ecdsa-secp256k1-key.pem -out ecdsa-secp256k1-req.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out ecdsa-secp256k1-cert.pem -infiles ecdsa-secp256k1-req.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem ecdsa-secp256k1-cert.pem
> rm ecdsa-secp256k1-req.pem
3. Converting key and certs between PEM and DER formats
- Convert PEM private key file to DER file
RSA keys:
> openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der
> openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der
> openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der
DSA keys:
> openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der
> openssl dsa -inform PEM -outform DER -in dsa2048key.pem -out dsa2048key.der
> openssl dsa -inform PEM -outform DER -in dsa3072key.pem -out dsa3072key.der
ECDSA keys:
> openssl ec -inform PEM -outform DER -in ecdsa-secp256k1-key.pem -out ecdsa-secp256k1-key.der
- Convert PEM cert file to DER file
> openssl x509 -outform DER -in cacert.pem -out cacert.der
> openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
> openssl x509 -outform DER -in dsacert.pem -out dsacert.der
> openssl x509 -outform DER -in dsa2048cert.pem -out dsa2048cert.der
> openssl x509 -outform DER -in dsa3072cert.pem -out dsa3072cert.der
> openssl x509 -outform DER -in rsacert.pem -out rsacert.der
> openssl x509 -outform DER -in largersacert.pem -out largersacert.der
> openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der
> openssl x509 -outform DER -in ecdsa-secp256k1-cert.pem -out ecdsa-secp256k1-cert.der
- (optional) Convert PEM public key file to DER file
RSA key:
> openssl rsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
DSA key:
> openssl dsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
If you aren't sure if the public key is RSA or DSA, just run one of
the above commands, and the error messaging will make it clear :)
- (optional) Convert DER cert file to PEM file
> openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
4. Converting an unencrypted PEM or DER file containing a private key
to an encrypted PEM or DER file containing the same private key but
encrypted (the tests password is secret123):
> openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8
> openssl pkcs8 -in dsa2048key.pem -inform pem -out dsa2048key.p8-pem -outform pem -topk8
> openssl pkcs8 -in dsa2048key.der -inform der -out dsa2048key.p8-der -outform der -topk8
> openssl pkcs8 -in dsa3072key.pem -inform pem -out dsa3072key.p8-pem -outform pem -topk8
> openssl pkcs8 -in dsa3072key.der -inform der -out dsa3072key.p8-der -outform der -topk8
> openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8
> openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \
-outform pem -topk8
> openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \
-outform der -topk8
> openssl pkcs8 -in ecdsa-secp256k1-key.der -inform der -out ecdsa-secp256k1-key.p8-der \
-outform der -topk8
5. NSS is unfriendly towards standalone private keys.
This procedure helps convert raw private keys into PKCS12 form that is
suitable for not only NSS but all crypto engines (the tests password is secret123):
> cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
> openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
> cat dsa2048key.pem dsa2048cert.pem ca2cert.pem cacert.pem > alldsa2048.pem
> openssl pkcs12 -export -in alldsa2048.pem -name TestDsa2048Key -out dsa2048key.p12
> cat dsa3072key.pem dsa3072cert.pem ca2cert.pem cacert.pem > alldsa3072.pem
> openssl pkcs12 -export -in alldsa3072.pem -name TestDsa3072Key -out dsa3072key.p12
> cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12
> cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey.p12
> cat expiredkey.pem expiredcert.pem ca2cert.pem cacert.pem > allexpired.pem
> openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \
-out expiredkey.p12
> cat ecdsa-secp256k1-key.pem ecdsa-secp256k1-cert.pem ca2cert.pem cacert.pem > all-ecdsa-secp256k1.pem
> openssl pkcs12 -export -in all-ecdsa-secp256k1.pem -name TestEcdsaSecp256k1Key -out ecdsa-secp256k1-key.p12
> rm all-ecdsa-secp256k1.pem
5a.
Input: DSA/RSA private key in PEM or DER format
Output: A PKCS12 file containing the private key, and a self-signed
certificate with the corresponding public key
# first convert key file to PEM format, if not already in that format
> openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
# answer questions at the prompt
# Note: use a unique subject (=issuer) for each self-signed cert you
# create (since there is no way to specify serial # using the command
# below)
> openssl req -new -keyform <der|pem> -key key.<der|pem> -x509 -sha1 -days 999999 -outform pem -out cert.pem
# now using the cert and key in PEM format, conver them to a PKCS12 file
# enter some password on prompt
> openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> -out keycert.p12
# This pkcs12 file can be used directly on the xmlsec command line, or
# can be pre-loaded into the crypto engine database (if any).
# In the case of NSS, you can pre-load the key using pk12util.
# The key and cert will have the nickname "nickname" (used in above step)
> pk12util -d <nss_config_dir> -i keycert.p12
5b.
Input: DSA/RSA private key in PEM or DER format
KeyCert containing corresponding public key
Other certs in the chain leading from KeyCert to the root
Output: A PKCS12 file containing the private key, the KeyCert and the
certs in the chain
# first convert key file to PEM format, if not already in that format
> openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
# convert all cert files to PEM format, if not already in that format
> openssl x509 -inform der -outform pem -in cert.der -out cert.pem
# concatenate all cert.pem files created above to 1 file - allcerts.pem
> cat keycert.pem cert1.pem cert2.pem .... > allcerts.pem
# now using the certs and key in PEM format, conver them to a PKCS12 file
# enter some password on prompt
> openssl pkcs12 -export -in allcerts.pem -inkey key.pem \
-name <nickname of key & keycert>
[-caname <nickname of cert1> -caname <nickname of cert2>.... ]
-out keycert.p12
# This pkcs12 file can be used directly on the xmlsec command line, or
# can be pre-loaded into the crypto engine database (if any).
# In the case of NSS, you can pre-load the key using pk12util.
# The key and certs will have the nickname "nickname"
# (used in above step)
> pk12util -d <nss_config_dir> -i keycert.p12
6. On Windows, one needs to specify Crypto Service Provider (CSP) in the
pkcs12 file to ensure it is loaded correctly to be used with SHA2 algorithms.
Worse, the CSP is different for XP and older versions
Input: DSA/RSA private key in PEM or DER format
Output: A PKCS12 file containing the private key, and a self-signed
certificate with the corresponding public key. Plus the CSP
name to be used for this key/cert.
> cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
> cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
|
