|
Create PKCS#12 bundle |
|
Subject: Create PKCS#12 bundle
Author: authen
In response to: Create a server certificate
Posted on: 09/12/2015 01:13:19 AM
PKCS#12 store is used to bundle a certificate and its private key, which is required for certificate-based authentication where client has to provide his/her certificate (with only public key inside) and to sign a proof of possession of the certificate via his/her private key.
Note: From the mutual authentication traffic, the proof of possession can be identified by *** CertificateVerify + encrypted token (which can be only decrypted by the corresponding public key inside the passed certificate)
C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\users\joe-private-key.pem
-in myCA\users\joe_email.pem -out myCA\users\joe_email.p12
Loading 'screen' into random state - done
Enter pass phrase for myCA\users\joe-private-key.pem:passphrase
Enter Export Password:passphrase
Verifying - Enter Export Password:passphrase
View the PKCS#12 store
C:\OpenSSL64>openssl pkcs12 -in myCA\users\joe_email.p12 -nodes -info
Enter Import Password:passphrase
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
subject=/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIBATANBgkqhkiG9w0BAQUFADB6MRMwEQYKCZImiZPyLGQB
GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGc2ltcGxlMRMwEQYDVQQKDApTaW1wbGUg
SW5jMRowGAYDVQQLDBFTaW1wbGUgU2lnbmluZyBDQTEaMBgGA1UEAwwRU2ltcGxl
IFNpZ25pbmcgQ0EwHhcNMTUwOTEwMTg1MjUzWhcNMTcwOTA5MTg1MjUzWjA/MT0w
OwYKCZImiZPyLGQBGRYtREM9b3JnLCBEQz1zaW1wbGUsIE89U2ltcGxlIEluYywg
Q049Sm9lIFNtaXRoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyJb
wSIFLUwzketwXMfCqDoESC567N4ZXCpBzKXNuB0+kjO0KqP0hUHReaens3QLTPiZ
c4uy8fkGylfIuiSlwl40rEL+F3M7lLlebxUmtmAzG3ePJUE81quNY6zv8fhBUYj4
yKDUiKv5p6pEY73dATJPzduJSxvzZwYdKtlJUXYqFasqPIZvTzGNePWdiQwyucMK
wKllW9FoK1TTDNvoD8dAieLVcxcla0kov7I1GrOAS4VoZzVOSZp9taeb+I0SWOc3
u7o21VnJTQ729HneJN8Q9RkMYJ0KFlsOJ/LCf9s5cnrf7ffkisCyRw3FlIN17a4y
M5x2Y7y76ncctVEFaQIDAQABo4GYMIGVMA4GA1UdDwEB/wQEAwIFoDAJBgNVHRME
AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQUjGLn
zhIZZLKtOvl0YKq4PnpCRKowHwYDVR0jBBgwFoAUpuK6lHc7YuhWjM2jr1/J/Sla
OrUwGQYDVR0RBBIwEIEOam9lQHNpbXBsZS5vcmcwDQYJKoZIhvcNAQEFBQADggEB
AMtLuHqmeD3ygrnVP7N8DTZGyupPRWaiSiV/cAP76kHVhqPLIINR9G5DMTu0V36T
RTW354LN13IHDg/GxmwJQHu5fDQQOwUxB1i3lFGQESuMVe9+ojZez4fdGnAooRAh
TZA3ITQyYoeuCc6HXN1f6mDehWk0qJLy7uvAzUzzQbAxvASKcNIbk6KmHxqdruyZ
WkXbDlJY7A1/VlMLSPh35DAxLDzCf1M6uKbxVtXpyOA4+QGKym7KYBwthCUmQc1i
NZnDlTRBEUD7j2e7yn3Hp2Ars4Y+m5k2KrAVU2U8rOKeAG5ftFadAnbAQFNICrKu
J1GZH0/8qaYUlyfNStYNO20=
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwyJbwSIFLUwzketwXMfCqDoESC567N4ZXCpBzKXNuB0+kjO0
KqP0hUHReaens3QLTPiZc4uy8fkGylfIuiSlwl40rEL+F3M7lLlebxUmtmAzG3eP
JUE81quNY6zv8fhBUYj4yKDUiKv5p6pEY73dATJPzduJSxvzZwYdKtlJUXYqFasq
PIZvTzGNePWdiQwyucMKwKllW9FoK1TTDNvoD8dAieLVcxcla0kov7I1GrOAS4Vo
ZzVOSZp9taeb+I0SWOc3u7o21VnJTQ729HneJN8Q9RkMYJ0KFlsOJ/LCf9s5cnrf
7ffkisCyRw3FlIN17a4yM5x2Y7y76ncctVEFaQIDAQABAoIBAQCOdPXxcInBASGh
BPY59egpcnmPzMcXSCnRfFQfOGiQYmE80RxWCO5Jnrx0CS7INw7M+azlivZv6vLH
JAE5y+lrleT0YdAohIrZz96eUB28BU0qX0WU2CS3P/Tv8OAXkbr18H5X0fp3cL3J
ZueYvZKr/fP/AKghul0fOHpwvsLlAY2CBT1XFj55yKs2yb6tYiy65embZB8Lomfm
aR8F3BPVCIXqR0Ws6tzoCsvmwKAaOxhbqYF6LvykbsgLSHu9Z0fM+FGS4lyQRGvF
cMPLWzOWiOUXnvFY295CaDvLbGn0EsHHtOBJqM9udAdUpQjZwjTWfb76rlU8XRZZ
ZdzkKEMlAoGBAOssRb69oKbMiq51naWVpOEYh8IfbFuolWY14e8yOvR+Xyn9gdEc
F87gIOw/DDEotgPJF+VwbWE+++B5gey+Z1xzhOb639LOEPyYt1uUe2r0JZebrLRr
cm1PBV9Laoxkq3TDx7/Krhul3SSgslMChP4NmnxwoMnQo3vMQFuYx6BHAoGBANRq
WOXFfuuKaNHzJGb4TjfyTPQ+ZIdGYm7RZXEP5hwXymflDxrM+btHsWItuM66lsG/
aNAgdxAmYxHucrpRzr72xzr8Z96EQjk4kEufm32evb7tB8SwQpfdhWNVhNwfUvye
3nynA6+W8wzCvYFrWgI46ljmRikRo4yblpkp6DTPAoGAdZLrx6HMeLfYOcKJr2gy
R2tZLB9DsEuHbdNQgqLNQMERWM/qIB54dLAvJY2bzdP5s8jMzqO3u5+ek6qL302O
JXWHo2cXka/+ZBsByKJiVaV8SeDFpmn1ilqwZ+UvfsMxyS28ZtGw3Be/iPliTgf7
b3xjmQVCDcPmiBUks+adHy8CgYAsTnp4gvd0Xgx7LoI7UDPQi6Ptlk4VwWKqxtan
/K780SGRBkBeUL8Oh2fCmNLhnB3yD+Dm+L6dCcTEar5XitTbFFJ+RUPNMD03/kpq
28HtM///MEBlraW245E/eVZfX2fkfQimXsFXq90gyWRhTrsiyUSG+a1qFV1UI9Do
FV6wFQKBgQCHVQesGGECYUAcxQfRL4OgvjRHHdCzECcuCBqQiGzc99S4QM3/npQF
y9N3cVExO7/5IdnH1m4orRS6ysBpI4c36Uu3IkdRJNOLC6FpdOW8eQtlzHhn2OQg
DvtGGAsIrK2xcSAhD8Mde8P7elmc6lGnEXLL8ShKmYKtj3ViUY42xQ==
-----END RSA PRIVATE KEY-----
It shows public key and private key as well. Note: Keep in mind that this PKCS#12 store does not have the intermediate singing CA inside. In order for the PKI validation to work, the peer has to have the Singing CA and Root CA both loaded into its trust store.
>
> On 09/12/2015 12:49:45 AM authen wrote:
Step 1. Create the server's private key
C:\OpenSSL64>openssl genrsa -des3 -out myCA\servers\ldap-server-private-key.
pem 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
..+++
..............+++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
Verifying - Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
Step 2. Generate the server's certificate request
C:\OpenSSL64>openssl req -new -key myCA\servers\ldap-server-private-key.pem
-out myCA\servers\ldap-server.csr -config myCA\servers\server.conf
Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component (eg, com) []:DC=org, DC=simple, O=Simple Inc
2. Domain Component (eg, company) []:
3. Domain Component (eg, pki) []:
4. Organization Name (eg, company) []:
5. Organizational Unit Name (eg, section) []:
6. Common Name (eg, FQDN) []:CN=ldap-server
Step 3. Use your signing CA's private key to sign the server's certificate
C:\OpenSSL64>openssl ca -in myCA\servers\ldap-server.csr
-out myCA\servers\ldap-server.pem -keyfile myCA\interCA\ca-private-key.pem
-cert myCA\interCA\certnew.pem -policy any_pol
-config myCA\interCA\interca.conf -extensions server_ext
Using configuration from myCA\interCA\interca.conf
Loading 'screen' into random state - done
Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 10 19:28:19 2015 GMT
Not After : Sep 9 19:28:19 2017 GMT
Subject:
domainComponent = DC=org, DC=simple, O=Simple Inc
commonName = CN=ldap-server
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
5E:B4:48:67:48:D3:36:63:45:D7:2E:74:BF:66:45:CC:73:78:7A:51
X509v3 Authority Key Identifier:
keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B
5
Certificate is to be certified until Sep 9 19:28:19 2017 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
References:
|
|
|
|