Archive for the ‘OpenSSL’ Category

QUICK START: CREATE A CSR WITH OPENSSL

July 5th, 2010 peter

The following commands can be used to quickly create a private key and a CSR with OpenSSL:

$ openssl genrsa -des3 -out private.key 2048 – Generate a 2048-bit RSA private key (the -des3 flag protects it with a passphrase).
$ openssl req -new -key private.key -out cert.csr – Generate the CSR with the newly created private key.
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12 – Create a password-protected PKCS#12 file holding the signed certificate (your public key) and the private key.


Using OpenSSL to manage your certificates or keys

November 5th, 2008 peter

Not so long ago I started to use OpenSSL to manage my certificates and keys (generating CSRs, backing up key pairs in PKCS#12 format, etc.), so I decided to document some of the most used commands. I use OpenSSL in a Cygwin environment. Installing Cygwin is easy, so that shouldn't be a problem. When you start setup.exe, you have to add the OpenSSL and OpenSSH components (or more if you want!). These can be found under the NET category.

Building a CA server

It is possible that you want to build your own CA server. I use the CA.pl script for this, which is delivered with OpenSSL. This can be done as follows:

Create a CA hierarchy:

$ CA.pl -newca

Complete certificate creation example: create a CA, create a request, sign the request and finally create a PKCS#12 file containing it.

$ CA.pl -newca
$ CA.pl -newreq
$ CA.pl -signreq
$ CA.pl -pkcs12 "My Test Certificate"

Signing a CSR

When you want to sign a CSR with your own CA, you can use CA.pl:

$ ./CA.pl -signreq
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:8a:c4:84:3e:62:7d:2c
        Validity
            Not Before: Nov  5 21:03:00 2008 GMT
            Not After : Nov  5 21:03:00 2009 GMT
        Subject:
            countryName               = NL
            stateOrProvinceName       = MyState
            localityName              = MyLocality
            organizationName          = MyCompany
            organizationalUnitName    = IT dept.
            commonName                = MyCert
            emailAddress              = user@mydomain.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                11:81:37:E5:0C:06:3C:FA:49:48:BE:A9:43:DC:63:42:62:E2:F3:3F
            X509v3 Authority Key Identifier:
                keyid:42:5B:D0:9B:7A:6C:20:A2:5D:41:54:56:2B:55:50:41:71:61:37:B0

Certificate is to be certified until Nov  5 21:03:00 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Create a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file “newcert.pem” and the CA certificate to be in the file demoCA/cacert.pem, and it creates a file “newcert.p12”. This command can thus be called after the -sign option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line, it will be used as the “friendly name” for the certificate (which is typically displayed in the browser list box); otherwise the name “My Certificate” is used.

$ ./CA.pl -pkcs12
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
PKCS #12 file is in newcert.p12

You can also do all of this by hand with the openssl command. Here are some variants of that command:

Generate a self-signed certificate:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Generate a new CSR:

openssl req -new -key privkey.pem -out cert.csr

Generate a key for the RSA algorithm:

openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a password to protect the key. If you don't want your key to be protected by a password, remove the flag '-des3' from the command line above.

If you created everything yourself, or if the certificate authority was kind enough, your certificate is a plain DER-encoded X.509 certificate wrapped in PEM (base64) format. Your key most definitely is if you have followed the examples above. However, some certificate authorities will deliver them wrapped in a container such as PKCS#7 or PKCS#12, or something else. Depending on your applications, this may be perfectly OK; it all depends on which formats they know how to decode. If not, there are a number of OpenSSL tools to convert between formats.

So, depending on your application, you may have to convert your certificate and your key to various formats, most often also putting them together into one file. I often use the PKCS#12 format. PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx. To create a PKCS#12 file, you'll need a private key and a certificate. During the conversion process, you'll be given an opportunity to put an “Export Password” (which can be empty, if you choose) on the file.

$ openssl pkcs12 -export -out mycert.pfx -inkey privkey.pem -in cert.pem
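The whole flow on this page (the quick start's key and CSR, the CA.pl -newca / -signreq / -pkcs12 steps, and the manual openssl commands above) as one non-interactive shell script. This is an added example, not code from the original post or from OpenSSL's CA.pl; it assumes `openssl` 1.1.1 or 3.x in PATH, and every name, hostname, passphrase and file path in it is a constructed placeholder. Beyond what the post shows, it adds the checks a CA operator relies on: that the CSR's public key really belongs to the private key, that the signed certificate chains to the CA and is rejected against an unrelated root, and that the certificate read back out of the PKCS#12 file is the one that went in. The -aes256 option replaces the post's -des3, since 3DES is a legacy cipher, and -passin/-passout replace the interactive prompts.

```shell
# Added example, not from the original post. Needs `openssl` 1.1.1 or 3.x in
# PATH; names, hostnames and passphrases below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS='ca-demo-pass'; KEY_PASS='key-demo-pass'; P12_PASS='export-demo-pass'

# One config, two extension profiles: basicConstraints/keyUsage, not the name,
# decide whether a certificate may act as a CA (cf. "CA:FALSE" in the post).
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:server.example.test
EOF
}

# -aes256 instead of the post's -des3 (3DES is legacy); -passout skips the prompt.
gen_key() { openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null; }

# CA.pl -newca equivalent: a self-signed root carrying the v3_ca profile.
build_ca() {
  gen_key "$WORK/ca.key" "$CA_PASS"
  openssl req -new -x509 -config "$WORK/demo.cnf" -extensions v3_ca -sha256 -days 1095 \
    -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -subj '/C=NL/O=MyCompany/CN=Demo Root CA' -out "$WORK/ca.crt"
}

# The quick start, non-interactively: passphrase-protected key plus CSR.
make_request() {
  gen_key "$WORK/server.key" "$KEY_PASS"
  openssl req -new -config "$WORK/demo.cnf" -sha256 -key "$WORK/server.key" \
    -passin "pass:$KEY_PASS" -subj '/C=NL/O=MyCompany/CN=server.example.test' \
    -out "$WORK/server.csr"
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken from the private key and from
# the CSR: equal values prove the CSR was built with that key.
pubkey_hash_of_key() { openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER | openssl dgst -sha256 | sed 's/.*= *//'; }
pubkey_hash_of_csr() { openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= *//'; }

# The "Check that the request matches the signature" step of CA.pl -signreq.
csr_signature_ok() { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }

# CA.pl -signreq equivalent. -CAcreateserial keeps a counter in ca.srl so no two
# certificates from this CA share a serial number.
sign_request() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -sha256 -days 365 \
    -extfile "$WORK/demo.cnf" -extensions v3_leaf -out "$WORK/server.crt" 2>/dev/null
}

# Exit 0 only if the certificate in $2 chains to the CA in $1.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# A second, unrelated self-signed root must NOT validate the leaf.
untrusted_ca_rejected() {
  gen_key "$WORK/other.key" "$CA_PASS"
  openssl req -new -x509 -config "$WORK/demo.cnf" -extensions v3_ca -sha256 -days 30 \
    -key "$WORK/other.key" -passin "pass:$CA_PASS" -subj '/CN=Unrelated CA' -out "$WORK/other.crt"
  ! verify_chain "$WORK/other.crt" "$WORK/server.crt"
}

# CA.pl -pkcs12 equivalent: leaf, its key and the CA cert under one export password.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -passin "pass:$KEY_PASS" \
    -in "$WORK/server.crt" -certfile "$WORK/ca.crt" -name 'My Test Certificate' \
    -passout "pass:$P12_PASS" -out "$WORK/server.p12"
}

cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
# Fingerprint of the end-entity certificate read back out of the PKCS#12 file.
p12_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

run_demo() {
  write_config; build_ca; make_request; sign_request; bundle_p12
  echo "artifacts in $WORK"
  openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
}

run_demo
```

Run it with `sh demo.sh`; the artifacts land in a fresh mktemp directory (or in `$WORK` if that variable is set). The config file carries the decision the CA.pl output above shows as `CA:FALSE`: the extension profile selected at signing time, not the subject name, determines whether a certificate may itself sign certificates, which is why the CA and leaf profiles are kept side by side and chosen explicitly with -extensions.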
