I'm creating self signed certificate. It is one ssl sertificate for several local domains:
local.dev.lat.com
local.dev.bet.com
local.dev.cat.com
local.dev.mon.com
local.dev.pop.com
...
I have this command for creating that:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout server.key \
-out server.crt \
-subj "/CN=*.local.dev.lat.com,*.local.dev.bet.com" \
-addext "subjectAltName=DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,DNS:*.local.dev.bet.com,DNS:local.dev.bet.com,IP:127.0.0.1"
My question is:
as I have around 30 domains I would like to extract -subj and -addext params to conf file somehow. Is it possible?
Let's make CERT="server.crt"; #or any other certificate.
You can easily get all of the requested info in one command openssl x509 -noout -in ${CERT} -text. You can parse that, but it's not ideal. Look at the man page for x509 for better options.
Note I am using bash to do variable substitution. You should too.
To get the serial:
serial=$(openssl x509 -serial -noout -in ${CERT}); #get only the serial
serial=${serial#*=}; #strip the 'serial=' header
To get the subject:
subject=$(openssl x509 -subject -noout -in ${CERT}); #get only the subject
subject=${subject#*=}; #strip the 'subject=' header
Now for the subjectAltName... It's an x509 extension, so it gets a bit trickier. But lets try anyways:
#use almost every certopt that exists to narrow display to X509v3 section
altname=$(openssl x509 -noout -in ${CERT} -text -certopt no_header,no_version,no_signame \
-certopt no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux,no_serial)
#remove previous extensions, headers, and leading spaces
altname=${altname#*X509v3 Subject Alternative Name: $'\n' };
#remove any possible sections after
altname=${altname%%$'\n'*}
#unset the variable if subjectAltName didn't exist
[[ "${altname}" == " X509v3 extensions:" ]] && unset altname
Your mileage may vary whilst parsing altname. I just whipped this up in a few minutes, so I'm sure i missed some edge cases. Anyways...
Now you have three variables you can throw at anything however you want;
echo -e "${CERT}:\n Serial:\n ${serial}\n Subject:\n ${subject}\n subjectAltName:\n ${altname}"
That's it. Job done...
#there seems to be a pattern forming here
openssl ec -text -noout -check -in private.key #check private key
openssl req -text -noout -verify -in CSR.csr #check signing request
openssl x509 -text -noout -in public.crt #check public key
openssl pkcs12 -info -noout -in keyStore.p12 #check client cert
openssl crl -text -noout -in revocation.crl #check certificate revocation list
Related
I am new to Linux and i am currently trying to create server certificates from CA.crt.
I have Certificate parameter to be used are CN (common name) = ipaddress and 1 year validity. I know how to use validity parameter but don't know what is improtance of CN and how can i use it while creating server certificate? See below command i am using
//create a certificate request .csr
openssl req -new -out server.csr -key server.key
//CA key to verify and sign the server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
Some common information
'CN(Common Name)' is one of the parameters in the 'Subject' of the certificate.
Others being C(Country), ST(State), OU(Organization Unit), etc.
'Subject' usually includes the information about the entity to which the certificate has been issued to.
To specify CN for a certificate, you can specify it while generating the CSR.
Answer to your question
Assuming you have to generate server.crt with CN=<ip_address>, you will have to generate CSR as follows (change ip as needed):
openssl req -new -out server2.csr -key server.key -subj "/CN=255.255.255.255"
Alternatively, if -subj option is not provided, an interactive mode window should open where you can specify the desired CN in 'Common Name' field. If you wish to skip other parameters like ST, OU in the subject, put '.' to skip them in the interactive mode.
Hope this helps.
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
This is a popular command for generating self-signed SSL certificates using OpenSSL.
What confuses me is the -signkey parameter in the third command line, what is the use of this option? I don't see it in openssl req -help.
Can anyone answer it please? Thanks in advance!
Why are you looking at req's help? The third line is using x509 command:
]$ openssl x509 -help
...
-signkey infile Self sign cert with arg
So it is the key with which you self-sign the certificate.
I am attempting to create an automated version fo this process https://aws.amazon.com/premiumsupport/knowledge-center/iot-self-signed-certificates/
But i am running into some issues. I keep getting an error when I attempt to use the iot registration code for the CN field of the command
openssl req -new -key verificationCert.key -out verificationCert.csr -subj "/CN=$CN"
Im having trouble with appending the variable I have stored the registration code to into the CN portion.
When I do this manually it works.
--UPDATE--
openssl genrsa -out myRootCA.key 2048
openssl req -x509 -new -nodes -key myRootCA.key -sha256 -days 730 -subj "/C=US/ST=Massachusetts/L=Boston/O=Company/OU=USBDev/CN=CA STG CERT" -out myRootCA.pem
CN=$(aws iot get-registration-code | jq --raw-output .registrationCode)
openssl genrsa -out privateKeyCert.key 2048
openssl req -new -key privateKeyCert.key -subj "/CN=$CN" -out privateKeyCert.csr
openssl x509 -req -in privateKeyCert.csr -CA myRootCA.pem -CAkey myRootCA.key -CAcreateserial -out privateKeyCert.pem -days 730 -sha256
aws iot register-ca-certificate --ca-certificate file://myRootCA.pem --verification-cert file://privateKeyCert.pem
Step 1 : Generate the CA key and certificate
openssl genrsa -out cacert.key 2048
openssl req -x509 -new -nodes -key cacert.key -sha256 -days 365 -subj "C=US/ST=Massachusetts/L=Boston/O=Zoom Tel/OU=USBSensor iot/CN=CA STG CERT" -out cacert.pem
Step 2 : Getting registration code to put as the CN in a CSR
aws iot get-registration-code
{
"registrationCode": "xxxxxxx"
}
You can capture the registration code in a shell variable like this :
CN=$(aws iot get-registration-code | jq --raw-output .registrationCode)
Step 3 : Create the CA certificate (using the registration code)
Notice you only need to provide a CN here. nothing else.
openssl genrsa -out privateKeyVerification.key 2048
openssl req -new -key privateKeyVerification.key -subj "/CN=$CN" -out privateKeyVerification.csr
openssl x509 -req -in privateKeyVerification.csr -CA cacert.pem -CAkey cacert.key -CAcreateserial -out privateKeyVerification.crt -days 365 -sha256
I am new with Openssl i have generated a private key myprivatekey.pem and a publickey mypublickey.pem with :
openssl ecparam -genkey -name secp160k1 -noout -out myprivatekey.pem
and my public key with :
openssl -ec -in myprivatekey.pem -pubout -out mypublickey.pem
What i want to do next is to encrypte my ecdsa with a passphrase private key and make a certification request for my public key and thank you for your help.
It would seem that ecparam doesn't have a built-in option for encrypting the generated key. Instead, you can simply do the following:
openssl ec -in myprivatekey.pem -out myprivatekey_encrypted.pem -aes256
Compared to genrsa, an extra step is required, but this basically does the same thing.
Now as far as the certificate request, the command is pretty much the same regardless of the type of private key used:
openssl req -new -sha256 -key myprivatekey.pem -out mycertrequest.pem
You can then take the resulting mycertrequest.pem and send it to a CA for signing.
Edit:
If you have concerns about writing the unencrypted private key to disk, you can do both the generation and encryption of the key in one step like so:
openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -out privatekey.pem
This generates a P-256 key, then prompts you for a passphrase. The key is then encrypted using AES256 and saved into privatekey.pem.
While ecparam doesn't have an option to encrypt the generated key, genpkey can generate ECC private keys and does have such an option:
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp160k1 -aes-256-cbc -out myprivatekey_encrypted.pem
The -aes-256-cbc option specifies to encrypt it (with aes-256-cbc; other options are available for different types of encryption).
You can pass -passin pass:password or -passin file:mypassword.pass to specify the password on the commandline.
I have an application signed twice using openssl smime. like shown below in a script:
SRC_FILE="my-app"
echo "signature XYZ..."
openssl smime -sign \
-in ${SRC_FILE} -binary \
-out ${SRC_FILE}.sig1 -nodetach \
-signer ${SIGN_CERT} -inkey ${SIGN_KEY}
echo "NB signature..."
openssl smime -sign \
-in ${SRC_FILE}.sig1 -binary \
-out ${SRC_FILE}.sig2 -nodetach \
-signer ${NB_SIGN_CERT} -inkey ${NB_SIGN_KEY}
I am trying to verify the signed application using :
openssl smime -verify -in ${SRC_FILE}.sig2 -CAfile ./Root_CA.crt -out ${SRC_FILE}.out
As an output of verify I am getting equivalent to ${SRC_FILE}.sig1 but my intention is to get original my-app.
If I am running verify command twice then eventually I am able to receive my-app.
I wanted to ask is there any flag which internally call recursively to produce original signed file.