Openssl Operations: Difference between revisions
| Line 3: | Line 3: | ||
=Internal= | =Internal= | ||
* [[openssl]] | |||
* [[Public Key Security#Overview|Public Key Security]] | * [[Public Key Security#Overview|Public Key Security]] | ||
=Generate a Public/Private Key Pair= | =Generate a Public/Private Key Pair= | ||
Revision as of 06:45, 8 April 2018
External
Internal
Generate a Public/Private Key Pair
Generate an RSA Private Key
This is the procedure to generate a public/private key pair. The keys can be further used in the procedure to generate digitally signed certificates, or even to configure ssh, though ssh has its own procedure to generate key pairs, which produces equivalent keys in the same PEM format.
openssl genrsa|gendsa -out <keyfile-name>.pem <key-lenght>
openssl genrsa -out test-pvtkey.pem 2048
The command generates a RSA or DSA key of specified length in PEM format.
For more general considerations on private keys, see:
Extract the Matching Public RSA Key from a Private Key
The matching public key can be always extracted from the private key.
openssl rsa -pubout -in ./test-pvtkey.pem -out ./test-pubkey.pem
Note that the private key is protected by a password, the tool will require password at stdin.
Generate a DSA Private Key
DSA key generation is a two-step process: the DSA parameters are created in the first step, and the key in the second:
openssl dsaparam -genkey 2048 | openssl dsa -out test-pvtkey.pem -aes128
Inspect a Private Key
openssl rsa -text -in test-pvtkey.pem
The output provides, between others, the length of the key.
Key Format Conversions
PKCS#12 to PEM
The following command will convert PKCS#12 keys to PEM.
openssl pkcs12 -in ./test-pvtkey.p12 -out ./test-pvtkey.pem
Generate a Self-Signed Certificate
Create a Certificate Signing Request (CSR)
This procedure generates a Certificate Signing Request (CSR) that should be sent to the certificate authority for signature. This step is part of the procedure to generate digitally signed certificates. The CSR command (openssl req) may use an existing private key, previously generated with openssl genrsa, or it can create a new private key.
To use the existing private key:
openssl req -key ./test-pk.pem -out ./test-csr.pem -new
The new CSR will be generated in PEM format as ./test-csr.pem.
To create a new private key at the time of creation of the certificate signing request, use the following command. Note that the command will ask interactively for a private key password. The password can be provided in-line with the -passin option.
openssl req -keyout ./test-pk.pem -out ./test-csr.pem -new
The new CSR will be generated in PEM format as ./test-csr.pem and a new private key will be written, also in PEM format as ./test-pk.pem.
Inspect a Certificate Signing Request (CSR)
openssl req -in ./test-csr.pem -noout -text
Generate the Digitally-Signed Certificate
The CSR submitted by the user will be used to generate a digitally-signed certificate. The Certificate Authority's private key will be used to sign the certificate. This operation can be used to generate a self-signed certificate, as part of the procedure to generate digitally signed certificates.
openssl x509 -req -days 365 -in ./test-csr.pem -signkey ./ca-private-key.pem -out ./test-certificate.pem
Inspect the Certificate
Certificates can be displayed with the following command:
openssl x509 -noout -text -in ./test-certificate.pem
Obtain a Server Certificate
openssl s_client -connect nexus-cicd.apps.openshift.novaordis.io:443
The response includes the server's certificate:
[...] Certificate chain 0 s:/CN=*.apps.openshift.novaordis.io [...] --- Server certificate -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIBEjANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu [...] 65vqsz8NTtde1vJ5qW31Af0pO9YehiSRfA== -----END CERTIFICATE----- subject=/CN=*.apps.openshift.novaordis.io [...]