1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
README
0. Passwords
For all files the password is "secret".
1. Files list
cakey.pem Root CA private key
cacert.pem Root CA for cakey.pem
ca2key.pem RSA private key
ca2cert.pem Second-level RSA cert for ca2key.pem
dsakey.pem DSA private key
dsacert.pem Third level DSA cert for dsakey.pem
rsakey.pem RSA private key
rsacert.pem Third level RSA cert for rsacert.pem
hmackey.bin HMAC key ('secret')
expired.key key for expired cert
expired.crt expired certificate
rsa2key.pem RSA private key
rsa2cert.pem Self signed RSA certificate with negative serial number
2. How certificates were generated:
A. Create new CA
- Change DAYS and CADAYS in CA.pl to 3650 (10 years)
> export SSLEAY_CONFIG="-config ./openssl.cnf"
> CA.pl -newca
> cp ./demoCA/cacert.pem .
> cp ./demoCA/private/cakey.pem .
> openssl x509 -text -in cacert.pem
B. Generate RSA key and second level CA
> openssl genrsa -out ca2key.pem
> openssl req -config ./openssl.cnf -new -key ca2key.pem -out ca2req.pem
> openssl ca -config ./openssl.cnf -cert cacert.pem -keyfile cakey.pem \
-out ca2cert.pem -infiles ca2req.pem
> openssl verify -CAfile cacert.pem ca2cert.pem
C. Generate and sign DSA key with second level CA
> openssl dsaparam -out dsakey.pem -genkey 512
> openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out dsacert.pem -infiles dsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
D. Generate and sign RSA key with second level CA
> openssl genrsa -out rsakey.pem
> openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out rsacert.pem -infiles rsareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem
E. Generate and sign large RSA key with second level CA
> openssl genrsa -out largersakey.pem 4096
> openssl req -config ./openssl.cnf -new -key largersakey.pem -out largersareq.pem
> openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
-out largersacert.pem -infiles largersareq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem largersacert.pem
F. Generate and sign short-live RSA cert for "expired cert" test
> openssl genrsa -out expiredkey.pem
> openssl req -config ./openssl.cnf -new -days 1 -key expiredkey.pem \
-out expiredreq.pem
> openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \
-keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem
> openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem
3. Converting key and certs between PEM and DER formats
- Convert PEM private key file to DER file
RSA key:
> openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der
> openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der
> openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der
DSA key:
> openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der
- Convert PEM cert file to DER file
> openssl x509 -outform DER -in cacert.pem -out cacert.der
> openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
> openssl x509 -outform DER -in dsacert.pem -out dsacert.der
> openssl x509 -outform DER -in rsacert.pem -out rsacert.der
> openssl x509 -outform DER -in largersacert.pem -out largersacert.der
> openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der
- (optional) Convert PEM public key file to DER file
RSA key:
> openssl rsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
DSA key:
> openssl dsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
If you aren't sure if the public key is RSA or DSA, just run one of
the above commands, and the error messaging will make it clear :)
- (optional) Convert DER cert file to PEM file
> openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
4. Converting an unencrypted PEM or DER file containing a private key
to an encrypted PEM or DER file containing the same private key but
encrypted
> openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8
> openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8
> openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8
> openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \
-outform pem -topk8
> openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \
-outform der -topk8
5. NSS is unfriendly towards standalone private keys.
This procedure helps convert raw private keys into PKCS12 form that is
suitable for not only NSS but all crypto engines.
> cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
> openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
> cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12
> cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey.p12
> cat expiredkey.pem expiredcert.pem ca2cert.pem cacert.pem > allexpired.pem
> openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \
-out expiredkey.p12
5a.
Input: DSA/RSA private key in PEM or DER format
Output: A PKCS12 file containing the private key, and a self-signed
certificate with the corresponding public key
# first convert key file to PEM format, if not already in that format
> openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
# answer questions at the prompt
# Note: use a unique subject (=issuer) for each self-signed cert you
# create (since there is no way to specify serial # using the command
# below)
> openssl req -new -keyform <der|pem> -key key.<der|pem> -x509 -sha1 -days 999999 -outform pem -out cert.pem
# now using the cert and key in PEM format, conver them to a PKCS12 file
# enter some password on prompt
> openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> -out keycert.p12
# This pkcs12 file can be used directly on the xmlsec command line, or
# can be pre-loaded into the crypto engine database (if any).
# In the case of NSS, you can pre-load the key using pk12util.
# The key and cert will have the nickname "nickname" (used in above step)
> pk12util -d <nss_config_dir> -i keycert.p12
5b.
Input: DSA/RSA private key in PEM or DER format
KeyCert containing corresponding public key
Other certs in the chain leading from KeyCert to the root
Output: A PKCS12 file containing the private key, the KeyCert and the
certs in the chain
# first convert key file to PEM format, if not already in that format
> openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
# convert all cert files to PEM format, if not already in that format
> openssl x509 -inform der -outform pem -in cert.der -out cert.pem
# concatenate all cert.pem files created above to 1 file - allcerts.pem
> cat keycert.pem cert1.pem cert2.pem .... > allcerts.pem
# now using the certs and key in PEM format, conver them to a PKCS12 file
# enter some password on prompt
> openssl pkcs12 -export -in allcerts.pem -inkey key.pem \
-name <nickname of key & keycert>
[-caname <nickname of cert1> -caname <nickname of cert2>.... ]
-out keycert.p12
# This pkcs12 file can be used directly on the xmlsec command line, or
# can be pre-loaded into the crypto engine database (if any).
# In the case of NSS, you can pre-load the key using pk12util.
# The key and certs will have the nickname "nickname"
# (used in above step)
> pk12util -d <nss_config_dir> -i keycert.p12
6. On Windows, one needs to specify Crypto Service Provider (CSP) in the
pkcs12 file to ensure it is loaded correctly to be used with SHA2 algorithms.
Worse, the CSP is different for XP and older versions
Input: DSA/RSA private key in PEM or DER format
Output: A PKCS12 file containing the private key, and a self-signed
certificate with the corresponding public key. Plus the CSP
name to be used for this key/cert.
> cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
> openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
> cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-winxp.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"
> openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey-win.p12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
|
