Using OpenSSL with Digital Certificates

Introduction

This tutorial shows how to use the OpenSSL toolkit to work with digital certificates. The OpenSSL toolkit is available from http://www.openssl.org/. If you need a compiled version for Windows check out http://slproweb.com/products/Win32OpenSSL.html.

Creating a certificate

First we will use OpenSSL to generate a public and private key pair. We will then create a certificate to bind the public key with an identity.

Creating a key pair takes a single command. The following command generates a 2048-bit RSA key pair and writes it to the key1.key file. The file itself is encrypted with AES-256 using the pass phrase entered at the prompt.

Creating a key pair
C:\OpenSSL\bin>openssl genrsa -aes256 -out key1.key 2048
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus
.......................+++
..................+++
e is 65537 (0x10001)
Enter pass phrase for key1.key:
Verifying - Enter pass phrase for key1.key:

The following command can be used to obtain the public key from the private key created previously.

Getting the public key from the private key
C:\OpenSSL\bin>openssl rsa -in key1.key -pubout
Enter pass phrase for key1.key:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhBGVV2iAu7OzmL6Gfnp
DCMPxMjwUd26OSiWHaYS53S6hW26KMZMYr8KyDfDut3ZVwyGqSFnEOVXY6Hjeakx
TxeRIBO6Ke4gSDXTdYLsrBALK7uMlW+2+5kI6CuKznitQ7hc4EvNlvvz+LvBI7e3
OxtwaXgOu6KSU6efIHjlQivUQ2RWynlt8zJCr2iSPCiSx6ks0rt7BSjmKHEZU1cj
LVE1xht3kM0guAjEd5UXoOBOn8WOkPG+t1biOjPvCxJSwoFeqLqLo7W5mH9dUZI6
ThcQWyPE9GYSpVD2867nklT6/Ja+uIrDI2e4/0Lxx+PFzMGx2LLsOEtjks25EK93
pQIDAQAB
-----END PUBLIC KEY-----

Now that we have a private key we are going to create a Certificate Signing Request (CSR). It is typical to create a CSR and then send it to the entity that will generate the certificate. In this example, because the certificate is self-signed, no other entity is involved, but it is useful to show the typical steps rather than shortcuts.

Generating the Certificate Signing Request
C:\OpenSSL\bin>openssl req -new -key key1.key -out csr1.csr
Enter pass phrase for key1.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dummy Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:John Doe
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

We are just creating an arbitrary certificate here, but if the purpose of the certificate is to authenticate a website then the Common Name would be that website's domain name, e.g. www.needfulsoftware.com for this website.

Now that we have the CSR we can generate a certificate with the following command. Note that we use the same private key to sign the certificate because it is a self-signed certificate. When the CSR is sent to another entity, that entity signs the certificate with its own private key.

Generating the certificate from the CSR
C:\OpenSSL\bin>openssl x509 -req -days 365 -in csr1.csr -signkey key1.key -out certificate1.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=London/L=London/O=Dummy Company/CN=John Doe
Getting Private key
Enter pass phrase for key1.key:

We now have a self-signed certificate ready for use in the certificate1.crt file.

Previously we showed how to get the public key from the private key, but it is the certificate that you publish, and this is where users would get the public key from. The following command shows how to get the public key from the certificate. The output is identical to the one we got when extracting the public key from the private key, because the certificate carries the same public key.

Getting the public key from the certificate
C:\OpenSSL\bin>openssl x509 -pubkey -noout -in certificate1.crt
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhBGVV2iAu7OzmL6Gfnp
DCMPxMjwUd26OSiWHaYS53S6hW26KMZMYr8KyDfDut3ZVwyGqSFnEOVXY6Hjeakx
TxeRIBO6Ke4gSDXTdYLsrBALK7uMlW+2+5kI6CuKznitQ7hc4EvNlvvz+LvBI7e3
OxtwaXgOu6KSU6efIHjlQivUQ2RWynlt8zJCr2iSPCiSx6ks0rt7BSjmKHEZU1cj
LVE1xht3kM0guAjEd5UXoOBOn8WOkPG+t1biOjPvCxJSwoFeqLqLo7W5mH9dUZI6
ThcQWyPE9GYSpVD2867nklT6/Ja+uIrDI2e4/0Lxx+PFzMGx2LLsOEtjks25EK93
pQIDAQAB
-----END PUBLIC KEY-----

Creating a PFX file for Microsoft IIS

A web server requires the private key and the certificate to be able to offer HTTPS support. Different web servers have different ways to store the private key and the certificate. Microsoft IIS expects a PKCS #12 archive (a .pfx file) containing the private key and the certificate.

Generating a PFX file for IIS
C:\OpenSSL\bin>openssl pkcs12 -export -in certificate1.crt -inkey key1.key -out key1certificate1.pfx
Loading 'screen' into random state - done
Enter pass phrase for key1.key:
Enter Export Password:
Verifying - Enter Export Password:

The generated pfx file can now be used to import the certificate into IIS as shown here.
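The four steps above (key, CSR, self-signed certificate, PFX) as one non-interactive script, followed by the checks worth running before a PFX is handed to a web server: that the CSR's signature verifies, that the certificate's public key really belongs to key1.key, that the certificate carries the DN that was entered, that the self-signed certificate verifies against itself, and that the PFX opens with the export password and contains the same certificate. This is an added example, not code from the original tutorial; it assumes an openssl binary (1.1.x or 3.x) on the PATH, passes the pass phrases through -passin/-passout instead of prompting, and uses constructed demo pass phrases and the tutorial's file names and DN.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the tutorial's four steps
# run without prompts, then consistency checks on the generated files.
# Assumes an `openssl` binary (1.1.x or 3.x) on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory for the generated files
KEY_PASS="${KEY_PASS:-demo-key-pass}"        # constructed demo value (tutorial prompts for it)
EXPORT_PASS="${EXPORT_PASS:-demo-pfx-pass}"  # constructed demo value (tutorial prompts for it)
SUBJ="/C=GB/ST=London/L=London/O=Dummy Company/CN=John Doe"  # the DN from the tutorial

# Steps 1-4 of the tutorial, non-interactively. $1 = working directory.
make_chain() {
    d="$1"
    # 2048-bit RSA key, encrypted with AES-256 under KEY_PASS (same as `genrsa -aes256`).
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$d/key1.key" 2048 2>/dev/null
    # CSR: -subj answers the Distinguished Name questions of the interactive form.
    openssl req -new -key "$d/key1.key" -passin "pass:$KEY_PASS" -subj "$SUBJ" -out "$d/csr1.csr"
    # Self-signed certificate: the CSR is signed with the same private key.
    openssl x509 -req -days 365 -in "$d/csr1.csr" -signkey "$d/key1.key" \
        -passin "pass:$KEY_PASS" -out "$d/certificate1.crt" 2>/dev/null
    # PKCS#12 bundle (certificate + private key) in the form IIS expects.
    openssl pkcs12 -export -in "$d/certificate1.crt" -inkey "$d/key1.key" \
        -passin "pass:$KEY_PASS" -passout "pass:$EXPORT_PASS" -out "$d/key1certificate1.pfx"
}

# SHA-256 of the PEM public key extracted from a private key (key) or a certificate (cert).
# usage: pubkey_fingerprint key|cert FILE
pubkey_fingerprint() {
    if [ "$1" = key ]; then
        pem=$(openssl rsa -in "$2" -passin "pass:$KEY_PASS" -pubout 2>/dev/null)   # `openssl rsa -pubout`
    else
        pem=$(openssl x509 -in "$2" -pubkey -noout)                                # `openssl x509 -pubkey`
    fi
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject DN of a certificate in RFC 2253 form, e.g. "subject=CN=John Doe,O=Dummy Company,...".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Checks to run before deploying the PFX. Returns 0 when all pass, prints the failing check otherwise.
check_chain() {
    d="$1"
    # The CSR is self-signed with the requester's key; its signature must verify.
    openssl req -in "$d/csr1.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature invalid"; return 1; }
    # The certificate's public key must be the one belonging to key1.key.
    [ "$(pubkey_fingerprint key "$d/key1.key")" = "$(pubkey_fingerprint cert "$d/certificate1.crt")" ] \
        || { echo "certificate public key does not match key1.key"; return 1; }
    # The certificate must carry the DN that was entered in the CSR.
    case "$(cert_subject "$d/certificate1.crt")" in
        *"CN=John Doe"*) ;;
        *) echo "unexpected subject: $(cert_subject "$d/certificate1.crt")"; return 1 ;;
    esac
    # A self-signed certificate verifies only when it is itself the trust anchor.
    openssl verify -CAfile "$d/certificate1.crt" "$d/certificate1.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself"; return 1; }
    # The PFX must open with the export password and contain the same certificate.
    pfx_fp=$(openssl pkcs12 -in "$d/key1certificate1.pfx" -passin "pass:$EXPORT_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2) || pfx_fp=""
    crt_fp=$(openssl x509 -in "$d/certificate1.crt" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$pfx_fp" ] && [ "$pfx_fp" = "$crt_fp" ] \
        || { echo "PFX certificate differs from certificate1.crt"; return 1; }
    return 0
}

make_chain "$WORK"
check_chain "$WORK" && echo "all checks passed; files are in $WORK"
```

The public-key comparison is the scriptable form of the observation made above that the key printed by `openssl rsa -pubout` and by `openssl x509 -pubkey` is the same; the fingerprint comparison after re-opening the PFX catches the common mistake of exporting the wrong certificate/key pair into the bundle.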


Copyright(c) 2006-2017 Xavier Leclercq