ScaleneWiki: Tips/OpenSSL

Email

Signing E-mail using OpenSSL

 openssl smime -sign -text -in message.txt -out signed-message.txt 
     -signer <cert> -inkey <key>

Encrypting E-mail using OpenSSL

This example shows how to encrypt a signed mail message contained in the file signed-mail-message.txt. For this purpose use the command below that will produce as output a encrypted message in the file encrypted-mail-message.txt. The command uses as last parameter the name of a file (destination-user-certificate.pem) containing the certificate of destination user, therefore the mail can only be decrypted by persons having access to the corresponding certificate private key. To do this you need to obtain the destination user certificate.

 openssl smime -encrypt -in signed-mail-message.txt  -out encrypted-mail-message.txt 
   destination-user-certificate.pem

Decrypting an E-mail using OpenSSL

This example shows how to decrypt a signed E-mail message.

 openssl smime -decrypt -in received-encrypted-mail-message.txt 
     -out received-mail-message.txt  -recip ${HOME}/.globus/usercert.pem 
     -inkey ${HOME}/.globus/userkey.pem

Checking a signed E-mail using OpenSSL

This example shows how to verify a signed E-mail message at arrival in order to check that has not been changed. The last argument is the path to a directory containing your trusted certification authority certificates.

 openssl smime -verify -text -in received-signed-mail-message.txt 
   -CApath /etc/certificates

The following example will display the distinguish name (DN) of the signer.

 openssl smime -pk7out -in received-signed-mail-message.txt |  openssl pkcs7 -print_certs -noout

Info

Verifying a CRL

This example shows how to verify the authenticity of a CRL. You can enter the path for a directory containing all trusted CA ROOT certificates, or specify directly the CA ROOT certificate with which the verify should be performed.

 openssl crl -noout -CApath /etc/grid-security/certificates -in 11b4a5a2.r0 -noout
 openssl crl -noout -CAfile /etc/grid-security/certificates/11b4a5a2.0 -in 11b4a5a2.r0 -noout

Display the content of a certificate

This example shows how to display in text format the content of a certificate.

 openssl x509 -text -noout -in usercert.pem

Display the content of a CRL

This example shows how to display in text format the content of a CRL.

 openssl crl -text -noout -in /etc/grid-security/certificates/11b4a5a2.r0

Testing an HTTPS server

 openssl s_client -host www.scalene.net -port 443
 openssl s_client -connect www.scalene.net:443

File Conversions

Converting PEM certificate to DER

 openssl x509 -inform PEM -outform DER -in foo.pem -out foo.der

Converting PKCS12 to PEM key and certificate

Use the openssl pkcs12 command to extract the key and certificate into a single file containing both the key and certificate in PEM format. Extract the key and certificate with a text editor, copy & paste, etc.

 openssl pkcs12 -in foo.p12 -out foo.pem

 openssl pkcs12 -in foo.p12 -out key.pem -nocerts
 openssl pkcs12 -in foo.p12 -out key.pem -nokeys

Change passphrase on RSA key

 openssl rsa -in foo.pem -out foo.pem

Converting PEM cert & key to PKCS12 key & certificate

 openssl pkcs12 -export -in foo-cert.pem -inkey foo-key.pem -out foo.p12

PKCS12 key/certs and Java

J2SE utilizes a file format called JKS to store keys and certificates by default. It is possible to make it utilize a PKCS12 format in a read-only fashion. For instance:

  keytool -list -storetype pkcs12 -v -keystore cert.p12

The keytool program is accessing the keystore as pkcs12. You can do this either in your code by including a line similar to:

 javax.net.ssl.keyStoreType=pkcs12

or you can change the default type by modifying the /keystore.type/ parameter in the java.security file

 $J2SE/jre/lib/security/java.security

Creating a Certificate Request

The openssl req command is used to create a PKCS#10 (Public Key Cryptography Standards) certificate request. It also generates a key pair when -new is specified. The -days switch is used to specify the number of days that the certificate is valid. OpenSSL prompts for a new password for this certificate (e.g. siteKEY). A certificate request may be created as follows:

 openssl req  -new -keyout newkey.pem -out newreq.pem -days 360 -config openssl.conf

Certificate Authority

Creating Self-Signed Certificate Authority Certificate

To create a self-signed certificate, use the openssl req command with the -x509 switch. The certificate is placed in the file cacert.pem, and the private key in private/cakey.pem. The commonName for the self-signed certificate should be a meaningful string for people to read, and not be the domain name of the server (since the server domain name is needed for server certificates used by Netscape/Mozilla/Safari).

The req command prompts for the password (e.g. caKEY) for the private key, and is used as follows:

 openssl req -new -x509 -keyout private/cakey.pem -out private/cacert.pem -config openssl.conf

Signing a Certificate Request

A server certificate is created by signing the certificate request using the openssl ca command. The -policy switch specifies the section of the OpenSSL configuration file which defines which distinguished name fields are required, and the order of the fields. As an example, our test configuration file specifies the policy_anything section which makes all the listed distinguished name fields optional.

When this command is executed, it prompts for the certificate authority password:

 cat newreq.pem newkey.pem > new.pem
 openssl ca  -policy policy_anything -out newcert.pem -config openssl.conf -infiles new.pem

Installing CA certificate on a web server

After this, a webserver can be configured to use certificates signed by the CA certificate and provide a mechanism for clients to install the certificate. Any clients that install the certificate will trust all certificatees signed by the CA.

When the Apache-SSL server is used, then the httpd.conf file must also be modified to specify the CA certificate and key files as follows:

  # Set the CA certificate verification path (must be PEM encoded).
  SSLCACertificatePath $SSLDIR/private

  # Set the CA certificate verification file (must be PEM encoded).
  SSLCACertificateFile $SSLDIR/private/CAcert.pem

To install the CA certificate, load it using HTTP Content-Type: application/x-x509-ca-cert. To do this in a manner which does not depend on the server, use a cgi-script like the following example, or save the certificate in a file with a "cacert" suffix and define this suffix in the server configuration file to correspond to the application/x-x509-ca-cert mime type.

The HTML form used to request loading a CA certificate into a browser might be written as follows:

 <HEAD><TITLE>Load CA Certificate</title></head><BODY>
 
 <H1>Load Certificate Authority Certificate</h1>

 <FORM ACTION="http://yourserver/cgi-bin/loadCAcert.pl" METHOD=post> 

 <TABLE>
 <TR>
  <TD>Netscape Browser (PEM Format):</td> 
  <TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="PEM" CHECKED></td>
 </tr> 
 <TR>
  <TD>Microsoft Browser (DER Format):</td>
  <TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="DER"></td>
 </tr>
 </table>

 <INPUT TYPE="SUBMIT" VALUE="Load Certificate">

 </form>

 </body>

When this form is submitted, the following CGI script is used to process it and return the result loadCAcert.pl:

 #!/usr/bin/perl

 require 5.004;
 use strict;
 use CGI;

 my $cert_dir = "$SSLDIR/private";
 my $cert_file = "CAcert.pem";

 my $query = new CGI;

 my $kind = $query->param('FORMAT');
 if($kind eq 'DER') { $cert_file = "CAcert.der"; }

 my $cert_path = "$cert_dir/$cert_file";

 my $data = "";
 open(CERT, "<$cert_path");
 while(<CERT>) { $data .= $_; }
 close(CERT);		
 print "Content-Type: application/x-x509-ca-cert\n";
 print "Content-Length: ", length($data), "\n\n$data";

 1;