OpenSSL by Example

OpenSSL Command Line Utilities
OpenSSL Quick Reference Guide
The Most Common OpenSSL Commands

Formats

Privacy Enhanced Mail (PEM) => Historical container format, used now for BASE64 translation of the x509 ASN.1 key

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

X509 File Extensions

The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

CA Certificates

Creating a CA
IBM: SSL mit nicht vertrauenswürdigen Zertifikaten konfigurieren
IBM: Stammzertifizierungsstelle unter iOS installieren

$ openssl req \
-new \
-x509 \
-days 1095 \
-extensions v3_ca \
-keyout ca.key \
-out ca.crt \
-subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti CA/CN=www.fablabwinti.ch/emailAddress=info@fablabwinti.ch"
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

ca.key:     ASCII text      => encrypted private key of the certificate (with PEM password)
ca.crt/pem: PEM certificate => public certificate (which includes the public key but NOT the private key)
ca.srl:     ASCII text      => CA serial number

$ openssl genrsa \
-out rfid.key 2048

$ openssl genrsa \
-out doorlock.key 2048

$ openssl req \
-out rfid.csr \
-key rfid.key \
-new \
-subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti/CN=RFID"

$ openssl req \
-out doorlock.csr \
-key doorlock.key \
-new \
-subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti/CN=Door Lock"

$ openssl x509 \
-req \
-in rfid.csr \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-out rfid.crt \
-days 1095

$ openssl x509 \
-req \
-in doorlock.csr \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-out doorlock.crt \
-days 1095

rfid.key:     PEM RSA private key     => private key of the certificate
rfid.csr:     PEM certificate request => PKCS10 format: subject + public key of the certificate
rfid.crt/pem: PEM certificate         => public certificate (which includes the public key but NOT the private key)

Convert to Binary
$ openssl x509 -in rfid.crt -out rfid.bin.crt -outform DER
$ openssl rsa -in rfid.key -out rfid.bin.key -outform DER

Binary to C Array
$ xxd.exe -i rfid.bin.key > rfid.bin.key.h
$ xxd.exe -i rfid.bin.crt > rfid.bin.crt.h

-newkey arg
  rsa:nbits          generates an RSA key nbits in size
  dsa:filename       generates a DSA key using the parameters in the file filename
  ec:filename        generates EC key (usable both with ECDSA or ECDH algorithms)
  gost2001:filename  generates GOST R 34.10-2001 key (requires ccgost engine configured in the configuration file)
  
Aussteller:
E = info@fablabwinti.ch
CN = www.fablabwinti.ch
O = FabLab Winti
L = Winterthur
S = Zurich
C = CH

Antragsteller:
E = info@fablabwinti.ch
CN = www.fablabwinti.ch
OU = RFID
O = FabLab Winti
L = Winterthur
S = Zurich
C = CH

$ openssl x509 -in doorlock.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            bd:ee:65:f3:e8:39:38:af
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti CA, CN=www.fablabwinti.ch/emailAddress=info@fablabwinti.ch
        Validity
            Not Before: Sep 15 13:38:25 2016 GMT
            Not After : Sep 15 13:38:25 2019 GMT
        Subject: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti, CN=Door Lock
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:1c:33:74:3b:53:40:7e:be:0e:96:e8:77:e3:
                    [...]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         10:55:c7:0d:18:be:52:fb:bc:18:1f:c4:94:82:11:e0:f8:d5:
         [...]

$ openssl x509 -in server.crt -noout -fingerprint -sha1
SHA1 Fingerprint=26:86:55:5A:F9:00:FF:67:AC:57:55:2D:A6:7A:2E:A1:39:42:A4:2C

$ openssl x509 -in server.crt -noout -fingerprint -sha256
SHA256 Fingerprint=CA:C3:F8:37:53:43:31:C6:B9:01:FC:62:85:2E:0D:70:F4:24:62:B7:A6:C4:17:3C:11:D2:4D:B9:62:5B:F2:C3

Diffie-Hellman

  • Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
  • Elliptic-Curve Diffie-Hellman (ECDH) key exchange
  • ECDSA algorithm

Guide to Deploying Diffie-Hellman for TLS
Making the Key Exchange stronger

Which elliptic curve should I use?

$ openssl ecparam -list_curves
[...]
prime256v1
[...]
secp384r1
[...]

FAQ

OpenSSL without prompt

qmail / Dovecot

qmail:
  $ cd /var/qmail/control/

  # Request
  $ openssl req -new -nodes -out req.pem -keyout servercert.pem
 
  # Sign
  $ openssl req -new -x509 -nodes -out servercert.pem -days 366 -keyout servercert.pem
  $ openssl ciphers > tlsclientciphers
  $ openssl ciphers > tlsserverciphers
 
  # Display certificate information
  $ openssl x509 -text -noout -in servercert.pem

  # Change permission
  $ chown vpopmail:vchkpw /var/qmail/control/servercert.pem

Dovecot:
  mkdir /usr/local/etc/dovecot/ssl
  mkdir /usr/local/etc/dovecot/ssl/private
  mkdir /usr/local/etc/dovecot/ssl/certs
  cd  /usr/local/share/examples/dovecot/
  env SSLDIR=/usr/local/etc/dovecot/ssl /usr/local/share/examples/dovecot/mkcert.sh

Convert PEM to DER
  $ cd /var/qmail/control
  $ openssl x509 -in servercert.pem -outform der -out servercert.crt

  $ cd /usr/local/etc/dovecot/ssl/certs
  $ openssl x509 -in dovecot.pem -outform der -out dovecot.crt

  # Copy / Install DER certificate to iPhone
  $ cp servercert.crt [...]
  $ cp dovecot.crt [...]
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=CH

# State or Province Name (full name)
ST=Zurich

# Locality Name (eg. city)
L=Winterthur

# Organization (eg. company)
O=tE-clan Server

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.te-clan.ch

# E-mail contact
emailAddress=bachi@te-clan.ch

[ cert_type ]
nsCertType = server

Leave a Reply

Your email address will not be published. Required fields are marked *