Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
technical:openssl_usage_notes [2018/12/04 13:59] bobtechnical:openssl_usage_notes [2021/10/14 19:46] (current) bob
Line 7: Line 7:
   * SSL is based on RSA asymmetrical encryption (aka public key encryption)   * SSL is based on RSA asymmetrical encryption (aka public key encryption)
   * Two files are created; a certificate (the "cert") and a key   * Two files are created; a certificate (the "cert") and a key
-  * The cert is public. It contains information about the cert user. It also contains an encrypted hash "signature" of the cert contents.+  * The cert is public. It contains information about the cert user (i.e. the "subject") and the organization that "signed" the cert (i.e. the "issuer"). It also contains an encrypted hash "signature" of the cert contents.
   * "Signing" a cert means that a secure hash of the cert is calculated and the secure hash is encrypted with the signing authority's (the "issuer") secret key. This encrypted hash is then appended to the certificate.    * "Signing" a cert means that a secure hash of the cert is calculated and the secure hash is encrypted with the signing authority's (the "issuer") secret key. This encrypted hash is then appended to the certificate. 
   * Check the integrity of the cert by calculating the secure hash of the cert and comparing it with the decrypted signature.   * Check the integrity of the cert by calculating the secure hash of the cert and comparing it with the decrypted signature.
Line 20: Line 20:
 | key     | Subject's secret key | | key     | Subject's secret key |
 | PEM     | Straight ASCII (BASE64) format of a binary cert or key | | PEM     | Straight ASCII (BASE64) format of a binary cert or key |
-| sign    | Calculate a secure hash and encrypt hash with issuer'public key |+| sign    | Calculate a secure hash and encrypt hash with issuer'private key |
 | subject | The entity (person or organization) described in the cert | | subject | The entity (person or organization) described in the cert |
 +
 +==== File Types ====
 +
 +| .pem  | Stands for PEM, Privacy Enhanced Mail; it simply indicates a base64 encoding with header and footer lines. Mail traditionally only handles text, not binary which most cryptographic data is, so some kind of encoding is required to make the contents part of a mail message itself (rather than an encoded attachment). The contents of the PEM are detailed in the header and footer line - .pem itself doesn't specify a data type - just like .xml and .html do not specify the contents of a file, they just specify a specific encoding. |
 +| .key  | Can be any kind of key, but usually it is the private key - OpenSSL can wrap private keys for all algorithms (RSA, DSA, EC) in a generic and standard PKCS#8 structure, but it also supports a separate 'legacy' structure for each algorithm, and both are still widely used even though the documentation has marked PKCS#8 as superior for almost 20 years; both can be stored as DER (binary) or PEM encoded, and both PEM and PKCS#8 DER can protect the key with password-based encryption or be left unencrypted. |
 +| .crt or .cer | Stands simply for certificate, usually an X509v3 certificate, again the encoding could be PEM or DER; a certificate contains the public key, but it contains much more information (most importantly the signature by the Certificate Authority over the data and public key, of course). |
 +| .csr or .req | Stands for Certificate Signing Request as defined in PKCS#10; it contains information such as the public key and common name required by a Certificate Authority to create and sign a certificate for the requester, the encoding could be PEM or DER (which is a binary encoding of an ASN.1 specified structure) |
 +
  
 ===== Important OpenSSL Commands and Options ===== ===== Important OpenSSL Commands and Options =====
Line 63: Line 71:
 | -text               | Text form of request | | -text               | Text form of request |
 | -noout              | Do not output REQ | | -noout              | Do not output REQ |
 +
 +===== Generate a public / private RSA key pair =====
 +
 +This just generates a matched pair of public and private keys using the RSA algorithm. Once generated these keys can be used for other SSL activities such as encryption certificate signing.
 +
 +<code>
 +openssl genrsa -out my_key_name.key 2048
 +</code>
 +
 +Both the public and private keys reside in the key file. Hold this file near and dear, especially if it isn't password protected. Extract the public key portion of this with RSA command.
 +
 +<code>
 +openssl rsa -in my_key_name.key -outform PEM -pubout -out my_public_key_name.pem
 +</code>
  
 ===== Build a "root" (i.e. self-signed) Certificate of Authority ===== ===== Build a "root" (i.e. self-signed) Certificate of Authority =====
Line 71: Line 93:
  
 ===== Build a Certificate Signing Request (CSR) ===== ===== Build a Certificate Signing Request (CSR) =====
 +
 +Here is a basic version of CSR generation
  
 <code> <code>
Line 76: Line 100:
 </code> </code>
  
-===== Sign a Certificate Signing Request (CSR) =====+Cheap SSL Security has a guide to [[https://knowledge.cheapsslsecurity.com/support/solutions/articles/22000200075-apache-openssl|CSR generation for Apache]]. They recommend: 
 + 
 +<code> 
 +openssl req -new -newkeys rsa:2048 -nodes -keyout baggerman.org.key -out baggerman.org.crt 
 +</code> 
 + 
 +This makes new RSA keys. To use an existing key use this form: 
 + 
 +<code> 
 +openssl req -new -key key_file_name.pem -out baggerman.org.csr 
 +</code> 
 + 
 +This doesn't seem to support [[https://en.wikipedia.org/wiki/Subject_Alternative_Name|Subject Alternative Names]], though. Here is some good info on [[http://apetec.com/support/GenerateSAN-CSR.htm|how to add SAN to openssl.conf]]. And here is a pretty good [[https://certificatetools.com/|CSR builder]] that knows about SANs. Here is what needs to be added to the openssl.cnf file. 
 + 
 +  [ req ] 
 +  req_extensions          v3_req # The extensions to add to a certificate request 
 + 
 +  [ v3_req ] 
 +  subjectAltName @alt_names 
 + 
 +  [alt_names] 
 +  DNS.1 www.baggerman.org 
 +  DNS.2 baggerman.org 
 +  IP.1 198.89.126.181 
 + 
 +Check the CSR with the following command: 
 + 
 +<code> 
 +openssl req -text -noout -in baggerman.org.csr 
 +</code> 
 + 
 +There is also a good CSR decoder at [[https://www.sslshopper.com/csr-decoder.html|SSL Shopper]] 
 + 
 +===== Submit a Certificate Signing Request (CSR) ===== 
 + 
 +Use the .csr file to submit a signing request to a certificate provider like CheapSSL. 
 +Save the returned certificate into to a certificate file (.cer) 
 +Also save the intermediate certificate advisory file if necessary. 
 + 
 + 
 +===== Or self-sign a Certificate Signing Request (CSR) =====
  
 <code> <code>
Line 87: Line 151:
 openssl x509 -in certificate.crt -text -noout openssl x509 -in certificate.crt -text -noout
 </code> </code>
 +
 +===== Convert a Certificate to PEM format =====
 +
 +<code>
 +openssl x509 -inform der -in certificate.cer -out certificate.pem
 +</code>
 +
 +If you get an error it probably means the certificate is already in PEM format
  
 ===== Self-sign a Certificate ===== ===== Self-sign a Certificate =====
Line 93: Line 165:
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
 </code> </code>
 +
 +===== Configure Apache =====
 +
 +Good notes at 
 +
 +Setup default SSL settings outside of a virtual host. Current recommended config (from [[https://cipherli.st/]]) is:
 +
 +  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 +  SSLProtocol All -SSLv2 -SSLv3
 +  SSLHonorCipherOrder On
 +
 +Be sure to set:
 +
 +  SSLCertificateKeyFile   "/etc/pki/tls/private/csr.key"
 +  SSLCertificateFile      "/etc/pki/tls/certs/web_server_cert.cer"
 +  SSLCertificateChainFile "/etc/pki/tls/certs/intermediate.pem"