ForumEasy.com » JavaPro » Secure Socket Connectivity (SSL/TLS)
authen (member, posts: 56, joined: 06/05/2006, from: San Diego, CA) posted on: 09/11/2015 10:45:19 PM
SSL/TLS Certificate Authority via OpenSSL Win64
OpenSSL for Windows 64-bit download:

Download:
  • Go to http://www.indyproject.org/Sockets/fpc/OpenSSLforWin64.en.aspx
  • Click on AMD64-Win64OpenSSL-0_9_8g.zip
  • Extract files from the zip

authen (member, posts: 56, joined: 06/05/2006, from: San Diego, CA) posted on: 09/11/2015 11:04:29 PM
    Preparations
    Follow these examples:

    http://pki-tutorial.readthedocs.org/en/latest/simple/

    Download the following configuration files

  • rootCA.conf -- used for Root CA req and ca
  • interCA.conf -- used for Signing CA req and ca
  • email.conf -- used for user's certificate req
  • server.conf -- used for server's certificate req

    The Windows versions of the above files used in this thread are as follows:

    rootCA.conf
    # Simple Root CA
    
    # The [default] section contains global constants that can be referred to from
    # the entire configuration file. It may also hold settings pertaining to more
    # than one openssl command.
    
    [ default ]
    ca                      = rootCA                # CA name
    dir                     = .                     # Top dir
    
    # The next part of the configuration file is used by the openssl req command.
    # It defines the CA's key pair, its DN, and the desired extensions for the CA
    # certificate.
    
    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha1                  # MD to use
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = no                    # Don't prompt for DN
    distinguished_name      = ca_dn                 # DN section
    req_extensions          = ca_reqext             # Desired extensions
    
    [ ca_dn ]
    0.domainComponent       = "org"
    1.domainComponent       = "simple"
    organizationName        = "Simple Inc"
    organizationalUnitName  = "Simple Root CA"
    commonName              = "Simple Root CA"
    
    [ ca_reqext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash
    
    # The remainder of the configuration file is used by the openssl ca command.
    # The CA section defines the locations of CA assets, as well as the policies
    # applying to the CA.
    
    [ ca ]
    default_ca              = root_ca               # The default CA section
    
    [ root_ca ]
    certificate             = $dir/myCA/$ca.crt       # The CA cert
    private_key             = $dir/myCA/$ca/$ca.key # CA private key
    new_certs_dir           = $dir/myCA/$ca           # Certificate archive
    serial                  = $dir/myCA/$ca/$ca.srl # Serial number file
    crlnumber               = $dir/myCA/$ca/$ca.crl # CRL number file
    database                = $dir/myCA/$ca/$ca.db # Index file
    unique_subject          = no                    # Require unique subject
    default_days            = 3652                  # How long to certify for
    default_md              = sha1                  # MD to use
    policy                  = match_pol             # Default naming policy
    email_in_dn             = no                    # Add email to cert DN
    preserve                = no                    # Keep passed DN ordering
    name_opt                = ca_default            # Subject DN display options
    cert_opt                = ca_default            # Certificate display options
    copy_extensions         = none                  # Copy extensions from CSR
    x509_extensions         = signing_ca_ext        # Default cert extensions
    default_crl_days        = 365                   # How long before next CRL
    crl_extensions          = crl_ext               # CRL extensions
    
    # Naming policies control which parts of a DN end up in the certificate and
    # under what circumstances certification should be denied.
    
    [ match_pol ]
    domainComponent         = match                 # Must match 'simple.org'
    organizationName        = match                 # Must match 'Simple Inc'
    organizationalUnitName  = optional              # Included if present
    commonName              = supplied              # Must be present
    
    [ any_pol ]
    domainComponent         = optional
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = optional
    emailAddress            = optional
    
    # Certificate extensions define what types of certificates the CA is able to
    # create.
    
    [ root_ca_ext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always
    
    [ signing_ca_ext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true,pathlen:0
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always
    
    # CRL extensions exist solely to point to the CA certificate that has issued
    # the CRL.
    
    [ crl_ext ]
    authorityKeyIdentifier  = keyid:always
    


    interCA.conf
    # Simple Signing CA
    
    # The [default] section contains global constants that can be referred to from
    # the entire configuration file. It may also hold settings pertaining to more
    # than one openssl command.
    
    [ default ]
    ca                      = interCA              # CA name
    dir                     = .                     # Top dir
    
    # The next part of the configuration file is used by the openssl req command.
    # It defines the CA's key pair, its DN, and the desired extensions for the CA
    # certificate.
    
    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha1                  # MD to use
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = no                    # Don't prompt for DN
    distinguished_name      = ca_dn                 # DN section
    req_extensions          = ca_reqext             # Desired extensions
    
    [ ca_dn ]
    0.domainComponent       = "org"
    1.domainComponent       = "simple"
    organizationName        = "Simple Inc"
    organizationalUnitName  = "Simple Signing CA"
    commonName              = "Simple Signing CA"
    
    [ ca_reqext ]
    keyUsage                = critical,keyCertSign,cRLSign
    basicConstraints        = critical,CA:true,pathlen:0
    subjectKeyIdentifier    = hash
    
    # The remainder of the configuration file is used by the openssl ca command.
    # The CA section defines the locations of CA assets, as well as the policies
    # applying to the CA.
    
    [ ca ]
    default_ca              = signing_ca            # The default CA section
    
    [ signing_ca ]
    certificate             = $dir/myCA/$ca.crt       # The CA cert
    private_key             = $dir/myCA/$ca/$ca.key # CA private key
    new_certs_dir           = $dir/myCA/$ca           # Certificate archive
    serial                  = $dir/myCA/$ca/$ca.srl # Serial number file
    crlnumber               = $dir/myCA/$ca/$ca.crl # CRL number file
    database                = $dir/myCA/$ca/$ca.db # Index file
    unique_subject          = no                    # Require unique subject
    default_days            = 730                   # How long to certify for
    default_md              = sha1                  # MD to use
    policy                  = match_pol             # Default naming policy
    email_in_dn             = no                    # Add email to cert DN
    preserve                = no                    # Keep passed DN ordering
    name_opt                = ca_default            # Subject DN display options
    cert_opt                = ca_default            # Certificate display options
    copy_extensions         = copy                  # Copy extensions from CSR
    x509_extensions         = email_ext             # Default cert extensions
    default_crl_days        = 7                     # How long before next CRL
    crl_extensions          = crl_ext               # CRL extensions
    
    # Naming policies control which parts of a DN end up in the certificate and
    # under what circumstances certification should be denied.
    
    [ match_pol ]
    domainComponent         = match                 # Must match 'simple.org'
    organizationName        = match                 # Must match 'Simple Inc'
    organizationalUnitName  = optional              # Included if present
    commonName              = supplied              # Must be present
    
    [ any_pol ]
    domainComponent         = optional
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = optional
    emailAddress            = optional
    
    # Certificate extensions define what types of certificates the CA is able to
    # create.
    
    [ email_ext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    basicConstraints        = CA:false
    extendedKeyUsage        = emailProtection,clientAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always
    
    [ server_ext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    basicConstraints        = CA:false
    extendedKeyUsage        = serverAuth,clientAuth
    subjectKeyIdentifier    = hash
    authorityKeyIdentifier  = keyid:always
    
    # CRL extensions exist solely to point to the CA certificate that has issued
    # the CRL.
    
    [ crl_ext ]
    authorityKeyIdentifier  = keyid:always
    



    email.conf
    # Email certificate request
    
    # This file is used by the openssl req command. Since we cannot know the DN in
    # advance the user is prompted for DN information.
    
    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = yes                   # Protect private key
    default_md              = sha1                  # MD to use
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = yes                   # Prompt for DN
    distinguished_name      = email_dn              # DN template
    req_extensions          = email_reqext          # Desired extensions
    
    [ email_dn ]
    0.domainComponent       = "1. Domain Component         (eg, com)      "
    1.domainComponent       = "2. Domain Component         (eg, company)  "
    2.domainComponent       = "3. Domain Component         (eg, pki)      "
    organizationName        = "4. Organization Name        (eg, company)  "
    organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
    commonName              = "6. Common Name              (eg, full name)"
    commonName_max          = 64
    emailAddress            = "7. Email Address            (eg, name@fqdn)"
    emailAddress_max        = 40
    
    [ email_reqext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = emailProtection,clientAuth
    subjectKeyIdentifier    = hash
    subjectAltName          = email:move
    




    server.conf
    # TLS server certificate request
    
    # This file is used by the openssl req command. The subjectAltName cannot be
    # prompted for and must be specified in the SAN environment variable.
    
    [ default ]
    SAN                     = DNS:yourdomain.tld    # Default value
    
    [ req ]
    default_bits            = 2048                  # RSA key size
    encrypt_key             = no                    # Protect private key
    default_md              = sha1                  # MD to use
    utf8                    = yes                   # Input is UTF-8
    string_mask             = utf8only              # Emit UTF-8 strings
    prompt                  = yes                   # Prompt for DN
    distinguished_name      = server_dn             # DN template
    req_extensions          = server_reqext         # Desired extensions
    
    [ server_dn ]
    0.domainComponent       = "1. Domain Component         (eg, com)      "
    1.domainComponent       = "2. Domain Component         (eg, company)  "
    2.domainComponent       = "3. Domain Component         (eg, pki)      "
    organizationName        = "4. Organization Name        (eg, company)  "
    organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
    commonName              = "6. Common Name              (eg, FQDN)     "
    commonName_max          = 64
    
    [ server_reqext ]
    keyUsage                = critical,digitalSignature,keyEncipherment
    extendedKeyUsage        = serverAuth,clientAuth
    subjectKeyIdentifier    = hash
    #subjectAltName          = $ENV::SAN
    


authen (member, posts: 56, joined: 06/05/2006, from: San Diego, CA) posted on: 09/11/2015 11:48:32 PM
    Create Your Own Root CA (Certificate Authority)

    Step 1. Create your CA's private key

    C:\OpenSSL64>openssl genrsa -des3 -out myCA\rootCA\ca-private-key.pem 2048
    
    Loading 'screen' into random state - done
    Generating RSA private key, 2048 bit long modulus
    ..........................................................+++
    .....................................................+++
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
    Verifying - Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
    


    The private key is 2048 bits long and is placed in the file 'cakey.pem', encrypted with DES3 using the passphrase you entered. Keep this file in a safe place like a floppy disk. Here is what the key looks like:



    Step 2. Generate your CA's certificate (public key)

    C:\OpenSSL64>openssl req -new -x509 -key myCA\rootCA\ca-private-key.pem ^
     -out myCA\rootCA\cacert.pem -days 3650 ^
     -config myCA\rootCA\rootca.conf -extensions root_ca_ext
    
    Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
    




    Step 3. Sign your CA's certificate

    Notice that a root CA's certificate is always a self-signed certificate. This step can be skipped.


    Step 4. Trim your CA's certificate
    C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -out myCA\rootCA\cacert.cer
    



    Step 5. View your CA's certificate
    C:\OpenSSL64>openssl x509 -in myCA\rootCA\cacert.pem -noout -text
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                85:c6:84:81:c3:dc:ca:e6
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
            Validity
                Not Before: Sep 10 01:59:57 2015 GMT
                Not After : Sep  7 01:59:57 2025 GMT
            Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier:
                    23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
                X509v3 Authority Key Identifier:
                    keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
    
        Signature Algorithm: sha1WithRSAEncryption
    
    


authen (member, posts: 56, joined: 06/05/2006, from: San Diego, CA) posted on: 09/12/2015 12:11:36 AM
    Create Your Own Signing CA (Certificate Authority)
    Step 1. Create your signing CA's private key

    C:\OpenSSL64>openssl genrsa -des3 -out myCA\interCA\ca-private-key.pem 2048
    
    Loading 'screen' into random state - done
    Generating RSA private key, 2048 bit long modulus
    ..........................................................+++
    .....................................................+++
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
    Verifying - Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
    



    Step 2. Generate your signing CA's certificate request

    C:\OpenSSL64>openssl req -new -key myCA\interCA\ca-private-key.pem ^
        -out myCA\interCA\certnew.csr -config myCA\interCA\interca.conf
    
    Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
    




    Step 3. Use your root CA's private key to sign your signing CA's certificate
    C:\OpenSSL64>openssl ca -in myCA\interCA\certnew.csr -out myCA\interCA\certnew.pem ^
     -keyfile myCA\rootCA\ca-private-key.pem -cert myCA\rootCA\cacert.pem ^
     -policy any_pol -config myCA\rootCA\rootca.conf -extensions signing_ca_ext
    
    Using configuration from myCA\rootCA\rootca.conf
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\rootCA\ca-private-key.pem:<passphrase>
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep 10 17:57:01 2015 GMT
                Not After : Sep  9 17:57:01 2025 GMT
            Subject:
                domainComponent           = org
                domainComponent           = simple
                organizationName          = Simple Inc
                organizationalUnitName    = Simple Signing CA
                commonName                = Simple Signing CA
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Subject Key Identifier:
                    A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
                X509v3 Authority Key Identifier:
                    keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
    
    Certificate is to be certified until Sep  9 17:57:01 2025 GMT (3652 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    



    Step 4. Trim your signing CA's certificate
    C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -out myCA\interCA\certnew.cer
    



    Step 5. View your signing CA's certificate
    C:\OpenSSL64>openssl x509 -in myCA\interCA\certnew.pem -noout -text
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Root CA, CN=Simple Root CA
            Validity
                Not Before: Sep 10 17:57:01 2015 GMT
                Not After : Sep  9 17:57:01 2025 GMT
            Subject: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Subject Key Identifier: 
                    A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
                X509v3 Authority Key Identifier: 
                    keyid:23:51:32:A5:6D:1B:3E:90:7D:3A:8A:09:1E:08:3E:3E:F6:B6:1C:B8
    
        Signature Algorithm: sha1WithRSAEncryption
    
    

authen (member, posts: 56, joined: 06/05/2006, from: San Diego, CA) posted on: 09/12/2015 12:33:36 AM
    Create a user certificate
    Step 1. Create the user's private key

    C:\OpenSSL64>openssl genrsa -des3 -out myCA\users\joe-private-key.pem 2048
    Loading 'screen' into random state - done
    Generating RSA private key, 2048 bit long modulus
    .................+++
    .........+++
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
    Verifying - Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
    


    Step 2. Generate the user's certificate request
    C:\OpenSSL64>openssl req -new -key myCA\users\joe-private-key.pem ^
     -out myCA\users\joe_email.csr -config myCA\users\email.conf
    
    Enter pass phrase for myCA\users\joe-private-key.pem:<passphrase>
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Domain Component         (eg, com)       []:DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
    2. Domain Component         (eg, company)   []:.
    3. Domain Component         (eg, pki)       []:.
    4. Organization Name        (eg, company)   []:.
    5. Organizational Unit Name (eg, section)   []:.
    6. Common Name              (eg, full name) []:.
    7. Email Address            (eg, name@fqdn) []:joe@simple.org
    



    Step 3. Use your signing CA's private key to sign the user's certificate
    C:\OpenSSL64>openssl ca -in myCA\users\joe_email.csr -out myCA\users\joe_email.pem ^
      -keyfile myCA\interCA\ca-private-key.pem -cert myCA\interCA\certnew.pem ^
      -policy any_pol -config myCA\interCA\interca.conf -extensions email_ext
    
    Using configuration from myCA\interCA\interca.conf
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep 10 18:52:53 2015 GMT
                Not After : Sep  9 18:52:53 2017 GMT
            Subject:
                domainComponent           = DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    E-mail Protection, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
                X509v3 Authority Key Identifier:
                    keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
    
                X509v3 Subject Alternative Name:
                    email:joe@simple.org
    Certificate is to be certified until Sep  9 18:52:53 2017 GMT (730 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    



    Step 4. Trim the user's certificate
    C:\OpenSSL64>openssl x509 -in myCA\users\joe_email.pem -out myCA\users\joe_email.pem.cer
    



    Step 5. View the user's certificate
    C:\OpenSSL64>openssl x509 -in myCA\users\joe_email.pem -noout -text
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: DC=org, DC=simple, O=Simple Inc, OU=Simple Signing CA, CN=Simple Signing CA
            Validity
                Not Before: Sep 10 18:52:53 2015 GMT
                Not After : Sep  9 18:52:53 2017 GMT
            Subject: DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Extended Key Usage: 
                    E-mail Protection, TLS Web Client Authentication
                X509v3 Subject Key Identifier: 
                    8C:62:E7:CE:12:19:64:B2:AD:3A:F9:74:60:AA:B8:3E:7A:42:44:AA
                X509v3 Authority Key Identifier: 
                    keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
    
                X509v3 Subject Alternative Name: 
                    email:joe@simple.org
        Signature Algorithm: sha1WithRSAEncryption
    
    

    authen, posted on: 09/12/2015 12:49:45 AM
    Create a server certificate
    Step 1. Create the server's private key

    C:\OpenSSL64>openssl genrsa -des3 -out myCA\servers\ldap-server-private-key.pem 2048
    Loading 'screen' into random state - done
    Generating RSA private key, 2048 bit long modulus
    ..+++
    ..............+++
    unable to write 'random state'
    e is 65537 (0x10001)
    Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
    Verifying - Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
    


    Step 2. Generate the server's certificate request
    C:\OpenSSL64>openssl req -new -key myCA\servers\ldap-server-private-key.pem
       -out myCA\servers\ldap-server.csr -config myCA\servers\server.conf
    
    Enter pass phrase for myCA\servers\ldap-server-private-key.pem:<passphrase>
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    1. Domain Component         (eg, com)       []:DC=org, DC=simple, O=Simple Inc
    2. Domain Component         (eg, company)   []:
    3. Domain Component         (eg, pki)       []:
    4. Organization Name        (eg, company)   []:
    5. Organizational Unit Name (eg, section)   []:
    6. Common Name              (eg, FQDN)      []:CN=ldap-server
    



    Step 3. Use your signing CA's private key to sign the server's certificate
    C:\OpenSSL64>openssl ca -in myCA\servers\ldap-server.csr 
     -out myCA\servers\ldap-server.pem -keyfile myCA\interCA\ca-private-key.pem
     -cert myCA\interCA\certnew.pem -policy any_pol 
      -config myCA\interCA\interca.conf -extensions server_ext
    
    Using configuration from myCA\interCA\interca.conf
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\interCA\ca-private-key.pem:<passphrase>
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Sep 10 19:28:19 2015 GMT
                Not After : Sep  9 19:28:19 2017 GMT
            Subject:
                domainComponent           = DC=org, DC=simple, O=Simple Inc
                commonName                = CN=ldap-server
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    5E:B4:48:67:48:D3:36:63:45:D7:2E:74:BF:66:45:CC:73:78:7A:51
                X509v3 Authority Key Identifier:
                    keyid:A6:E2:BA:94:77:3B:62:E8:56:8C:CD:A3:AF:5F:C9:FD:29:5A:3A:B5
    
    Certificate is to be certified until Sep  9 19:28:19 2017 GMT (730 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    


    authen, posted on: 09/12/2015 01:13:19 AM
    Create PKCS#12 bundle
    A PKCS#12 store is used to bundle a certificate and its private key, which is required for certificate-based authentication, where the client has to provide his/her certificate (with only the public key inside) and sign a proof of possession of the certificate with his/her private key.

    Note: In the mutual authentication traffic, the proof of possession can be identified by
    *** CertificateVerify + encrypted token
    (which can only be decrypted by the corresponding public key inside the passed certificate)


    C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\users\joe-private-key.pem 
      -in myCA\users\joe_email.pem -out myCA\users\joe_email.p12
    
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\users\joe-private-key.pem:passphrase
    Enter Export Password:passphrase
    Verifying - Enter Export Password:passphrase
    


    View the PKCS#12 store
    C:\OpenSSL64>openssl pkcs12 -in myCA\users\joe_email.p12 -nodes -info
    Enter Import Password:passphrase
    
    MAC Iteration 2048
    MAC verified OK
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    Bag Attributes
        localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
    subject=/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
    issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
    Bag Attributes
        localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
    Key Attributes: <No Attributes>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    
    


    It shows the public key and the private key as well.

    Note: Keep in mind that this PKCS#12 store does not have the intermediate signing CA inside. In order for the PKI validation to work, the peer has to have both the Signing CA and the Root CA loaded into its trust store.

    authen, posted on: 09/12/2015 01:24:00 AM
    Create PKCS#12 bundle with chain

    
    C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\users\joe-private-key.pem 
      -certfile myCA\interCA\certnew.pem 
      -in myCA\users\joe_email.pem -out myCA\users\joe_email.p12
    
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\users\joe-private-key.pem:passphrase
    Enter Export Password:passphrase
    Verifying - Enter Export Password:passphrase
    


    View the PKCS#12 store
    C:\OpenSSL64>openssl pkcs12 -in myCA\users\joe_email.p12 -nodes -info
    Enter Import Password:passphrase
    
    MAC Iteration 2048
    MAC verified OK
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    Bag Attributes
        localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
    subject=/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith
    issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    Certificate bag
    Bag Attributes: <No Attributes>
    subject=/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA
    issuer=/DC=org/DC=simple/O=Simple Inc/OU=Simple Root CA/CN=Simple Root CA
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
    Bag Attributes
        localKeyID: 1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F
    Key Attributes: <No Attributes>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    
    


    As can be seen, this PKCS#12 store has two public keys (user + signing CA) and the user's private key.

    Note: As this PKCS#12 store has the PKI chain inside, the peer only needs the Root CA to be loaded into its trust store to verify the user.
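As an added check (not part of the thread), a small Python script that reads the text `openssl pkcs12 -nodes -info` prints for the two stores above and works out which CA the peer still has to hold in its trust store: the Signing CA for the store without the chain, only the Root CA for the store with it. The DNs and localKeyID are the ones shown above; the sample output is constructed here with the PEM bodies elided.

```python
"""Added example (not from the thread): read `openssl pkcs12 -info` output and
report which certificates a PKCS#12 store carries and which CA the peer must
still hold in its trust store. Only subject=/issuer= lines and localKeyID
attributes are used; the PEM bodies are ignored."""

# Constructed sample output modelled on the thread's two stores (PEM bodies elided).
LEAF = "/DC=DC=org, DC=simple, O=Simple Inc, CN=Joe Smith"
SIGNING = "/DC=org/DC=simple/O=Simple Inc/OU=Simple Signing CA/CN=Simple Signing CA"
ROOT = "/DC=org/DC=simple/O=Simple Inc/OU=Simple Root CA/CN=Simple Root CA"
KEY_ID = "1C 06 3F 2A 60 8A EE E7 B1 58 9C F6 BA 85 CF 9F 6B BD 08 1F"

def _cert_bag(subject, issuer, key_id=None):
    attrs = f"Bag Attributes\n    localKeyID: {key_id}" if key_id else "Bag Attributes: <No Attributes>"
    return (f"Certificate bag\n{attrs}\nsubject={subject}\nissuer={issuer}\n"
            "-----BEGIN CERTIFICATE-----\n<elided>\n-----END CERTIFICATE-----\n")

KEY_BAG = ("PKCS7 Data\nShrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048\n"
           f"Bag Attributes\n    localKeyID: {KEY_ID}\nKey Attributes: <No Attributes>\n"
           "-----BEGIN RSA PRIVATE KEY-----\n<elided>\n-----END RSA PRIVATE KEY-----\n")
NO_CHAIN = "MAC verified OK\n" + _cert_bag(LEAF, SIGNING, KEY_ID) + KEY_BAG
WITH_CHAIN = "MAC verified OK\n" + _cert_bag(LEAF, SIGNING, KEY_ID) + _cert_bag(SIGNING, ROOT) + KEY_BAG

def parse_bags(text):
    """Split -info output into bags: dicts with kind, subject, issuer, key_id."""
    bags, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s == "Certificate bag":
            cur = {"kind": "cert", "subject": "", "issuer": "", "key_id": ""}
            bags.append(cur)
        elif s.startswith("Shrouded Keybag") or s == "Key bag":
            cur = {"kind": "key", "key_id": ""}
            bags.append(cur)
        elif cur is None:
            continue                      # preamble such as "MAC verified OK"
        elif s.startswith("localKeyID:"):  # normalise "1C 06 ..." to "1C06..."
            cur["key_id"] = s.split(":", 1)[1].replace(" ", "").upper()
        elif s.startswith("subject="):
            cur["subject"] = s[len("subject="):]
        elif s.startswith("issuer="):
            cur["issuer"] = s[len("issuer="):]
    return bags

def analyse(text):
    """Return the chain (end-entity first) and the issuer the store does not supply."""
    bags = parse_bags(text)
    certs = [b for b in bags if b["kind"] == "cert"]
    key_ids = {b["key_id"] for b in bags if b["kind"] == "key" and b["key_id"]}
    # The end-entity certificate is the one whose localKeyID matches the private key's.
    leaf = next((c for c in certs if c["key_id"] in key_ids), None)
    if leaf is None:
        raise ValueError("no certificate is paired with a private key")
    by_subject = {c["subject"]: c for c in certs}
    chain = [leaf]
    while chain[-1]["issuer"] in by_subject and chain[-1]["issuer"] not in {c["subject"] for c in chain}:
        chain.append(by_subject[chain[-1]["issuer"]])
    top = chain[-1]
    # Self-signed top: the root is inside the store. Otherwise the peer must trust top's issuer.
    must_trust = None if top["issuer"] == top["subject"] else top["issuer"]
    return {"chain": [c["subject"] for c in chain], "must_trust": must_trust}
```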

    authen, posted on: 12/21/2015 08:36:41 PM
    Create PKCS#12 bundle with chain for server
    C:\OpenSSL64>openssl pkcs12 -export -inkey myCA\servers\ldap-server-private-key.pem 
      -certfile myCA\interCA\certnew.pem 
      -in myCA\servers\ldap-server.pem -out myCA\servers\ldap-server.p12
    Loading 'screen' into random state - done
    Enter pass phrase for myCA\servers\ldap-server-private-key.pem:passphrase-of-private-key
    Enter Export Password:any-password-to-protect-p12-store
    Verifying - Enter Export Password:any-password-to-protect-p12-store
    

