Archive for the openssl category

Converting a certificate from DER to PEM or PEM to DER

openssl x509 -in input.pem -inform PEM -out output.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM

How to remove the passphrase on a private key

To remove the passphrase from a private key, simply execute this command.

openssl rsa -in server.key -out server.unprotected.key

Since it is a private key, make sure that it is well protected.

Creating a certificate for a server

Creating a server certificate involves only a few steps. To do so, execute the following commands. This post assumes that “OpenSSL initial configuration” and “Creating a ca’s self signed certificate” have been done previously.

Create a private key for the server. This can be accomplished using any user. The secret key, server.key, must be well protected.

openssl genrsa -des3 -out server.key 1024

Create the certificate request. This can be accomplished using any user. The common name (CN) should be the URL of the server. Otherwise, users will get a warning message that the server URL does not match the URL in the certificate.

openssl req -new -key server.key -out server.csr

Create and sign the certificate (replace NN with the next available certificate serial number!). You must be logged in as ca to perform this operation. serverNN.crt is the server certificate.

openssl x509 -req -days 365 -in server.csr -CA certs/cacert.pem \
      -CAkey private/cakey.pem -set_serial NN -out serverNN.crt

Creating a ca’s self signed certificate


In order to create your own certificates, you need a CA (certificate authority) certificate. This certificate will be used to sign every certificate you will create. To do so, execute the following command. This post assumes that “OpenSSL initial configuration” has been done previously.

  • Logon with the user ca
  • Go to its home directory and issue the command
openssl req -new -x509 -keyout private/cakey.pem -out \
                            certs/cacert.pem -days 3650

It is a good practice to put the private key on removable media and load it only when signing new certificates. Do not lose it. It is the most important piece of data related to your certificates.

OpenSSL initial configuration

This initial configuration procedure assumes that you are executing it on Linux.

  • Create a special user named ‘ca’. Its home directory will hold the data. It must be protected carefully. For example:
groupadd -g 2000 ca
useradd -g 2000 -u 2000 -m -s /bin/bash ca
chmod 700 /home/ca
  • Change the variable dir in /etc/ssl/openssl.cnf for the home directory of the ca user just created.
  • The default values used for the certificate requests can be changed in /etc/openssl.cnf, such as countryName_default, stateOrProvinceName_default and 0.organizationName_default
  • Logon with the user ca
  • mkdir private certs reqs
  • chmod 700 private certs reqs
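The five posts above (initial layout, CA self-signed certificate, server certificate, passphrase removal, DER conversion) run end to end as one non-interactive script, followed by the checks that show the pieces fit together. This is an added example, not a script from the original posts; it assumes a scratch directory in place of the ca user's home, 2048-bit keys, serial number 1 in place of NN, and constructed names and passphrases.

```shell
#!/bin/sh
# Added example: runs the procedures from the posts above non-interactively in a
# scratch directory standing in for /home/ca. CA name, host name, passphrases,
# serial 1 and 2048-bit keys are constructed for the demo, not from the posts.
set -eu

build_pki() {    # $1 = working directory
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/reqs"
    chmod 700 "$dir/private" "$dir/certs" "$dir/reqs"
    # CA key (passphrase-protected) and self-signed CA certificate, 10 years.
    openssl req -new -x509 -newkey rsa:2048 -days 3650 \
        -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" \
        -passout pass:capass -subj "/CN=Example Test CA" 2>/dev/null
    # Encrypted server key and a CSR whose CN is the host name clients connect to.
    openssl genrsa -des3 -passout pass:srvpass -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin pass:srvpass \
        -subj "/CN=www.example.test" -out "$dir/reqs/server.csr"
    # Sign with the CA key; the serial number stands in for NN in the post.
    openssl x509 -req -days 365 -in "$dir/reqs/server.csr" \
        -CA "$dir/certs/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -passin pass:capass -set_serial 1 -out "$dir/server01.crt" 2>/dev/null
    # Remove the passphrase for the web server; the result needs strict permissions.
    openssl rsa -in "$dir/server.key" -passin pass:srvpass \
        -out "$dir/server.unprotected.key" 2>/dev/null
    chmod 600 "$dir/server.unprotected.key"
    # PEM -> DER -> PEM round trip of the issued certificate.
    openssl x509 -in "$dir/server01.crt" -inform PEM -out "$dir/server01.der" -outform DER
    openssl x509 -in "$dir/server01.der" -inform DER -out "$dir/server01.back.pem" -outform PEM
}

verify_pki() {   # returns 0 only if every artifact is consistent
    dir=$1
    # The issued certificate chains to the CA.
    openssl verify -CAfile "$dir/certs/cacert.pem" "$dir/server01.crt" >/dev/null || return 1
    # The unprotected key is the one the certificate was issued for.
    [ "$(openssl x509 -noout -modulus -in "$dir/server01.crt")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server.unprotected.key")" ] || return 1
    # The DER round trip preserved the certificate bit for bit.
    [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/server01.crt")" = \
      "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/server01.back.pem")" ] || return 1
    # The DER file still carries the expected CN.
    openssl x509 -noout -subject -in "$dir/server01.der" -inform DER | grep -q 'www.example.test'
}

WORK=$(mktemp -d)
build_pki "$WORK"
verify_pki "$WORK"
echo "CA and server certificate created and verified in $WORK"
```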