05 August 2009

openssl and certificates

Download the latest openssl source from here (0.9.8k).

Microsoft OIDs (the 1.3.6.1.4.1.311 arc) used for smart card logon:
1.3.6.1.4.1.311.20.2.2 - Smart Card Logon (extended key usage)
1.3.6.1.4.1.311.20.2.3 - UPN (User Principal Name), carried as a subjectAltName otherName

Certificate file extensions:
.pem - (Privacy Enhanced Mail) Base64 encoded DER certificate,
enclosed between "-----BEGIN CERTIFICATE-----"
and "-----END CERTIFICATE-----"

.cer, .crt, .der - usually in binary DER form,
but Base64-encoded certificates are common too

.p7b, .p7c - PKCS#7 SignedData structure without data,
just certificate(s) or CRL(s)

.p12 - PKCS#12 (Personal Information Exchange), may contain
certificate(s) (public) and private keys (password protected)

Generate CA key and Certificate:
openssl genrsa -out ca.key 1024

openssl req -new -x509 -days 365 \
-subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost ca' \
-key ca.key -out ca.crt

Generate server key and certificate:
openssl genrsa -out server.key 1024

openssl req -new \
-subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost' \
-key server.key -out server.csr

cat > server.cnf << EOF
[dir_sect]
keyUsage=digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:humble@yahoo.com
EOF

openssl x509 -req -days 365 -in server.csr \
-CA ca.crt -CAkey ca.key \
-extfile server.cnf -extensions dir_sect -set_serial 01 -out server.crt

Bundle the key and certificate into a PKCS#12 file, then verify the request and show the issued server certificate:
# openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
# openssl req -in server.csr -noout -verify -key server.key
# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=KA, L=BL, O=Nortel, OU=Eng, CN=localhost ca
        Validity
            Not Before: Jul 27 09:23:44 2010 GMT
            Not After : Jul 27 09:23:44 2011 GMT
        Subject: C=IN, ST=KA, L=BL, O=Nortel, OU=Eng, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:d4:a6:31:55:20:94:38:a8:72:16:eb:b8:2a:
                    9a:7c:07:98:36:63:7c:3c:f7:ad:ff:ad:27:4b:9b:
                    38:85:92:e5:44:07:12:1e:e3:b7:e9:09:d2:67:01:
                    71:51:50:fc:a7:7f:ec:72:2c:30:f4:24:0b:68:fa:
                    c4:7e:56:7b:70:dd:c4:50:7a:8c:51:d5:7f:46:a1:
                    02:7f:76:d8:6f:2c:79:48:57:9b:6f:fa:06:2d:dd:
                    5c:e6:f0:74:57:0a:85:85:39:a0:ce:36:64:2a:b1:
                    7b:1e:26:aa:df:c5:8f:93:6b:e6:02:cb:8d:f8:44:
                    89:37:58:31:cd:83:68:3a:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                CF:36:42:69:6D:85:D4:D6:22:F8:6F:45:DD:EC:74:...
            X509v3 Authority Key Identifier:
                keyid:55:B0:22:DC:4F:4C:21:AA:69:EA:47:31:A2:...

            X509v3 Subject Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
        de:ff:04:5c:82:e5:74:3c:75:d0:80:21:c7:5b:74:21:91:5b:
        07:cb:5a:9e:6d:46:ae:5d:1d:69:26:5a:44:ec:b5:ad:25:72:
        a5:5d:f1:e9:b5:45:14:2c:98:b6:40:5f:b8:e8:92:ba:a5:0c:
        34:86:0e:20:51:25:64:6a:f7:cf:33:ec:50:f8:eb:9f:59:de:
        99:b5:c1:75:cd:d2:ff:00:c0:ed:b2:30:44:f2:1e:13:75:dd:
        21:da:f7:7f:bd:3c:60:7a:f6:66:44:c1:c9:b4:b6:75:ac:59:
        07:c3:e5:06:eb:97:b2:64:0c:f2:2c:2c:39:b1:35:a6:19:b6:
        a6:50
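
The procedure above, run end to end with the checks the post leaves out (chain verification against the CA, private key matched to the certificate, SAN extension present) and with the file formats from the extensions list exercised by round trips, as an added example that is not code from the original post. It assumes an `openssl` binary of version 1.1.1 or later on PATH; the subjects, the `dir_sect` section and the UPN value are the post's own, while the 2048-bit keys, SHA-256 signatures, the PKCS#12 password `changeit` and the output file names are this script's choices.

```shell
#!/bin/sh
# Added example, not from the original post: the post's CA/server procedure,
# followed by the checks it leaves out and by PEM/DER/PKCS#7/PKCS#12 round trips.
# Assumes `openssl` (1.1.1 or newer) on PATH. The PKCS#12 password "changeit"
# and the file names are arbitrary choices for this script.
set -eu

fp() {  # SHA-256 fingerprint of a PEM certificate, used to compare copies
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Body runs in a subshell so the cd and the temp dir do not leak into the caller.
make_and_check_certs() (
  dir=$(mktemp -d)
  cd "$dir"

  # 1. CA key and self-signed CA certificate (2048-bit RSA and SHA-256 instead of
  #    the post's 1024-bit/SHA-1, which current verifiers reject)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 \
    -subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost ca' \
    -key ca.key -out ca.crt

  # 2. Server key and certificate signing request
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -sha256 \
    -subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost' \
    -key server.key -out server.csr

  # 3. Extensions for the issued certificate. The SAN carries a Microsoft UPN
  #    otherName (OID 1.3.6.1.4.1.311.20.2.3), the field smart card logon keys on.
  cat > server.cnf <<'EOF'
[dir_sect]
keyUsage=digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:humble@yahoo.com
EOF

  # 4. Sign with the CA. Extensions come from the extfile, so anything the CSR
  #    asked for is ignored: the CA, not the requester, decides what is issued.
  openssl x509 -req -sha256 -days 365 -in server.csr \
    -CA ca.crt -CAkey ca.key \
    -extfile server.cnf -extensions dir_sect -set_serial 01 -out server.crt

  # 5. Checks: chain builds to the CA, key matches the certificate, SAN present
  verify=$(openssl verify -CAfile ca.crt server.crt)
  [ "$(openssl rsa -noout -modulus -in server.key)" = \
    "$(openssl x509 -noout -modulus -in server.crt)" ] \
    || { echo "key/cert mismatch" >&2; exit 1; }
  openssl x509 -noout -text -in server.crt | grep -q 'Subject Alternative Name' \
    || { echo "SAN missing" >&2; exit 1; }

  # 6. Format round trips; every copy must carry the same SHA-256 fingerprint
  openssl x509 -in server.crt -outform DER -out server.der             # PEM -> DER
  openssl x509 -inform DER -in server.der -out from_der.pem             # DER -> PEM
  openssl crl2pkcs7 -nocrl -certfile server.crt -certfile ca.crt \
    -out chain.p7b                                                      # PKCS#7, certs only
  openssl pkcs12 -export -passout pass:changeit \
    -inkey server.key -in server.crt -certfile ca.crt -out server.p12   # PKCS#12, key + chain
  openssl pkcs12 -in server.p12 -passin pass:changeit \
    -nokeys -clcerts -out from_p12.pem                                  # PKCS#12 -> PEM cert
  [ "$(fp server.crt)" = "$(fp from_der.pem)" ] && [ "$(fp server.crt)" = "$(fp from_p12.pem)" ] \
    || { echo "round-trip fingerprint mismatch" >&2; exit 1; }
  p7_count=$(openssl pkcs7 -in chain.p7b -print_certs -noout | grep -c '^subject=')

  rm -rf "$dir"
  echo "$verify; key matches cert; SAN present; p7b certs=$p7_count"
)
```

Source the file and call `make_and_check_certs`; it prints a single summary line ending in `p7b certs=2` and exits non-zero at the first failed check. The modulus comparison is the same test `openssl req -verify -key` performs for the CSR, applied to the issued certificate, which is the one that actually gets deployed.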

The certificate "server.crt" viewed in Windows (screenshot):

Reference:
make-certs.sh
http://www.madboa.com/geek/openssl
http://en.wikipedia.org/wiki/X.509

1 comment:

  1. Is it because I scared you that you are not writing the story now? I only said it as a joke...