API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Apr 21st, 2017
598
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.75 KB | None | 0 0
raw download clone embed print report
  1. 1. Using the x509 module
  2. openssl x509 ...
  3. ...
  4.  
  5. 2 Using the ca module
  6. openssl ca ...
  7. ...
  8.  
  9. $ touch openssl-ca.cnf
  10.  
  11. HOME = .
  12. RANDFILE = $ENV::HOME/.rnd
  13.  
  14. ####################################################################
  15. [ ca ]
  16. default_ca = CA_default # The default ca section
  17.  
  18. [ CA_default ]
  19.  
  20. default_days = 1000 # how long to certify for
  21. default_crl_days= 30 # how long before next CRL
  22. default_md = sha256 # use public key default MD
  23. preserve = no # keep passed DN ordering
  24.  
  25. x509_extensions = ca_extensions # The extensions to add to the cert
  26.  
  27. email_in_dn = no # Don't concat the email in the DN
  28. copy_extensions = copy # Required to copy SANs from CSR to cert
  29.  
  30. ####################################################################
  31. [ req ]
  32. default_bits = 4096
  33. default_keyfile = cakey.pem
  34. distinguished_name = ca_distinguished_name
  35. x509_extensions = ca_extensions
  36. string_mask = utf8only
  37.  
  38. ####################################################################
  39. [ ca_distinguished_name ]
  40. countryName = Country Name (2 letter code)
  41. countryName_default = US
  42.  
  43. stateOrProvinceName = State or Province Name (full name)
  44. stateOrProvinceName_default = Maryland
  45.  
  46. localityName = Locality Name (eg, city)
  47. localityName_default = Baltimore
  48.  
  49. organizationName = Organization Name (eg, company)
  50. organizationName_default = Test CA, Limited
  51.  
  52. organizationalUnitName = Organizational Unit (eg, division)
  53. organizationalUnitName_default = Server Research Department
  54.  
  55. commonName = Common Name (e.g. server FQDN or YOUR name)
  56. commonName_default = Test CA
  57.  
  58. emailAddress = Email Address
  59. emailAddress_default = test@example.com
  60.  
  61. ####################################################################
  62. [ ca_extensions ]
  63.  
  64. subjectKeyIdentifier=hash
  65. authorityKeyIdentifier=keyid:always, issuer
  66. basicConstraints = critical, CA:true
  67. keyUsage = keyCertSign, cRLSign
  68.  
  69. $ openssl req -x509 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -nodes -out cacert.pem -outform PEM
  70.  
  71. $ openssl x509 -in cacert.pem -text -noout
  72. Certificate:
  73. Data:
  74. Version: 3 (0x2)
  75. Serial Number: 11485830970703032316 (0x9f65de69ceef2ffc)
  76. Signature Algorithm: sha256WithRSAEncryption
  77. Issuer: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
  78. Validity
  79. Not Before: Jan 24 14:24:11 2014 GMT
  80. Not After : Feb 23 14:24:11 2014 GMT
  81. Subject: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
  82. Subject Public Key Info:
  83. Public Key Algorithm: rsaEncryption
  84. Public-Key: (4096 bit)
  85. Modulus:
  86. 00:b1:7f:29:be:78:02:b8:56:54:2d:2c:ec:ff:6d:
  87. ...
  88. 39:f9:1e:52:cb:8e:bf:8b:9e:a6:93:e1:22:09:8b:
  89. 59:05:9f
  90. Exponent: 65537 (0x10001)
  91. X509v3 extensions:
  92. X509v3 Subject Key Identifier:
  93. 4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
  94. X509v3 Authority Key Identifier:
  95. keyid:4A:9A:F3:10:9E:D7:CF:54:79:DE:46:75:7A:B0:D0:C1:0F:CF:C1:8A
  96.  
  97. X509v3 Basic Constraints: critical
  98. CA:TRUE
  99. X509v3 Key Usage:
  100. Certificate Sign, CRL Sign
  101. Signature Algorithm: sha256WithRSAEncryption
  102. 4a:6f:1f:ac:fd:fb:1e:a4:6d:08:eb:f5:af:f6:1e:48:a5:c7:
  103. ...
  104. cd:c6:ac:30:f9:15:83:41:c1:d1:20:fa:85:e7:4f:35:8f:b5:
  105. 38:ff:fd:55:68:2c:3e:37
  106.  
  107. $ openssl x509 -purpose -in cacert.pem -inform PEM
  108. Certificate purposes:
  109. SSL client : No
  110. SSL client CA : Yes
  111. SSL server : No
  112. SSL server CA : Yes
  113. Netscape SSL server : No
  114. Netscape SSL server CA : Yes
  115. S/MIME signing : No
  116. S/MIME signing CA : Yes
  117. S/MIME encryption : No
  118. S/MIME encryption CA : Yes
  119. CRL signing : Yes
  120. CRL signing CA : Yes
  121. Any Purpose : Yes
  122. Any Purpose CA : Yes
  123. OCSP helper : Yes
  124. OCSP helper CA : Yes
  125. Time Stamp signing : No
  126. Time Stamp signing CA : Yes
  127. -----BEGIN CERTIFICATE-----
  128. MIIFpTCCA42gAwIBAgIJAJ9l3mnO7y/8MA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV
  129. ...
  130. aQUtFrV4hpmJUaQZ7ySr/RjCb4KYkQpTkOtKJOU1Ic3GrDD5FYNBwdEg+oXnTzWP
  131. tTj//VVoLD43
  132. -----END CERTIFICATE-----
  133.  
  134. $ touch openssl-server.cnf
  135.  
  136. HOME = .
  137. RANDFILE = $ENV::HOME/.rnd
  138.  
  139. ####################################################################
  140. [ req ]
  141. default_bits = 2048
  142. default_keyfile = serverkey.pem
  143. distinguished_name = server_distinguished_name
  144. req_extensions = server_req_extensions
  145. string_mask = utf8only
  146.  
  147. ####################################################################
  148. [ server_distinguished_name ]
  149. countryName = Country Name (2 letter code)
  150. countryName_default = US
  151.  
  152. stateOrProvinceName = State or Province Name (full name)
  153. stateOrProvinceName_default = MD
  154.  
  155. localityName = Locality Name (eg, city)
  156. localityName_default = Baltimore
  157.  
  158. organizationName = Organization Name (eg, company)
  159. organizationName_default = Test CA, Limited
  160.  
  161. commonName = Common Name (e.g. server FQDN or YOUR name)
  162. commonName_default = Test CA
  163.  
  164. emailAddress = Email Address
  165. emailAddress_default = test@example.com
  166.  
  167. ####################################################################
  168. [ server_req_extensions ]
  169.  
  170. subjectKeyIdentifier = hash
  171. basicConstraints = CA:FALSE
  172. keyUsage = digitalSignature, keyEncipherment
  173. subjectAltName = @alternate_names
  174. nsComment = "OpenSSL Generated Certificate"
  175.  
  176. ####################################################################
  177. [ alternate_names ]
  178.  
  179. DNS.1 = example.com
  180. DNS.2 = www.example.com
  181. DNS.3 = mail.example.com
  182. DNS.4 = ftp.example.com
  183.  
  184. $ openssl req -config openssl-server.cnf -newkey rsa:2048 -sha256 -nodes -out servercert.csr -outform PEM
  185.  
  186. $ openssl req -text -noout -verify -in servercert.csr
  187. Certificate:
  188. verify OK
  189. Certificate Request:
  190. Version: 0 (0x0)
  191. Subject: C=US, ST=MD, L=Baltimore, CN=Test Server/emailAddress=test@example.com
  192. Subject Public Key Info:
  193. Public Key Algorithm: rsaEncryption
  194. Public-Key: (2048 bit)
  195. Modulus:
  196. 00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
  197. ...
  198. f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
  199. 86:e1
  200. Exponent: 65537 (0x10001)
  201. Attributes:
  202. Requested Extensions:
  203. X509v3 Subject Key Identifier:
  204. 1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
  205. X509v3 Basic Constraints:
  206. CA:FALSE
  207. X509v3 Key Usage:
  208. Digital Signature, Key Encipherment
  209. X509v3 Subject Alternative Name:
  210. DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
  211. Netscape Comment:
  212. OpenSSL Generated Certificate
  213. Signature Algorithm: sha256WithRSAEncryption
  214. 6d:e8:d3:85:b3:88:d4:1a:80:9e:67:0d:37:46:db:4d:9a:81:
  215. ...
  216. 76:6a:22:0a:41:45:1f:e2:d6:e4:8f:a1:ca:de:e5:69:98:88:
  217. a9:63:d0:a7
  218.  
  219. ####################################################################
  220. [ signing_policy ]
  221. countryName = optional
  222. stateOrProvinceName = optional
  223. localityName = optional
  224. organizationName = optional
  225. organizationalUnitName = optional
  226. commonName = supplied
  227. emailAddress = optional
  228.  
  229. ####################################################################
  230. [ signing_req ]
  231. subjectKeyIdentifier=hash
  232. authorityKeyIdentifier=keyid,issuer
  233.  
  234. basicConstraints = CA:FALSE
  235. keyUsage = digitalSignature, keyEncipherment
  236.  
  237. base_dir = .
  238. certificate = $base_dir/cacert.pem # The CA certifcate
  239. private_key = $base_dir/cakey.pem # The CA private key
  240. new_certs_dir = $base_dir # Location for new certs after signing
  241. database = $base_dir/index.txt # Database index file
  242. serial = $base_dir/serial.txt # The current serial number
  243.  
  244. unique_subject = no # Set to 'no' to allow creation of
  245. # several certificates with same subject.
  246.  
  247. $ touch index.txt
  248. $ echo '01' > serial.txt
  249.  
  250. $ openssl ca -config openssl-ca.cnf -policy signing_policy -extensions signing_req -out servercert.pem -infiles servercert.csr
  251.  
  252. Using configuration from openssl-ca.cnf
  253. Check that the request matches the signature
  254. Signature ok
  255. The Subject's Distinguished Name is as follows
  256. countryName :PRINTABLE:'US'
  257. stateOrProvinceName :ASN.1 12:'MD'
  258. localityName :ASN.1 12:'Baltimore'
  259. commonName :ASN.1 12:'Test CA'
  260. emailAddress :IA5STRING:'test@example.com'
  261. Certificate is to be certified until Oct 20 16:12:39 2016 GMT (1000 days)
  262. Sign the certificate? [y/n]:Y
  263.  
  264. 1 out of 1 certificate requests certified, commit? [y/n]Y
  265. Write out database with 1 new entries
  266. Data Base Updated
  267.  
  268. $ openssl x509 -in servercert.pem -text -noout
  269. Certificate:
  270. Data:
  271. Version: 3 (0x2)
  272. Serial Number: 9 (0x9)
  273. Signature Algorithm: sha256WithRSAEncryption
  274. Issuer: C=US, ST=MD, L=Baltimore, CN=Test CA/emailAddress=test@example.com
  275. Validity
  276. Not Before: Jan 24 19:07:36 2014 GMT
  277. Not After : Oct 20 19:07:36 2016 GMT
  278. Subject: C=US, ST=MD, L=Baltimore, CN=Test Server
  279. Subject Public Key Info:
  280. Public Key Algorithm: rsaEncryption
  281. Public-Key: (2048 bit)
  282. Modulus:
  283. 00:ce:3d:58:7f:a0:59:92:aa:7c:a0:82:dc:c9:6d:
  284. ...
  285. f9:5e:0c:ba:84:eb:27:0d:d9:e7:22:5d:fe:e5:51:
  286. 86:e1
  287. Exponent: 65537 (0x10001)
  288. X509v3 extensions:
  289. X509v3 Subject Key Identifier:
  290. 1F:09:EF:79:9A:73:36:C1:80:52:60:2D:03:53:C7:B6:BD:63:3B:61
  291. X509v3 Authority Key Identifier:
  292. keyid:42:15:F2:CA:9C:B1:BB:F5:4C:2C:66:27:DA:6D:2E:5F:BA:0F:C5:9E
  293.  
  294. X509v3 Basic Constraints:
  295. CA:FALSE
  296. X509v3 Key Usage:
  297. Digital Signature, Key Encipherment
  298. X509v3 Subject Alternative Name:
  299. DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
  300. Netscape Comment:
  301. OpenSSL Generated Certificate
  302. Signature Algorithm: sha256WithRSAEncryption
  303. b1:40:f6:34:f4:38:c8:57:d4:b6:08:f7:e2:71:12:6b:0e:4a:
  304. ...
  305. 45:71:06:a9:86:b6:0f:6d:8d:e1:c5:97:8d:fd:59:43:e9:3c:
  306. 56:a5:eb:c8:7e:9f:6b:7a
  307.  
  308. unique_subject = yes # Set to 'no' to allow creation of
  309. # several ctificates with same subject.
  310.  
  311. Sign the certificate? [y/n]:Y
  312. failed to update database
  313. TXT_DB error number 2
  314.  
  315. [ policy_match ]
  316. organizationName = match
  317.  
  318. [ policy_match ]
  319. organizationName = supplied
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!