Certificate, PKI#
Concepts#
PKI Public Key Infrastructure
Security architecture where trust is conveyed through the signature of a trusted CA
CA Certificate Authority
Entity issuing certificates and CRLs
RA Registration Authority
Entity handling PKI enrollment. May be identical with the CA.
Certificate
Public key and ID bound by a CA signature
CSR Certificate Signing Request
Request for certification. Contains public key and ID to be certified.
CRL Certificate Revocation List
List of revoked certificates. Issued by a CA at regular intervals.
CPS Certification Practice Statement
Document describing structure and processes of a CA
Validate that a private key matches a certificate or CSR#
# get md5 of the RSA modulus in the certificate (without -modulus nothing is printed and you hash an empty string)
openssl x509 -noout -modulus -in <cert> | openssl md5
# get md5 of the RSA modulus in the certificate signing request
openssl req -noout -modulus -in <csr> | openssl md5
# get md5 of the RSA modulus in the private key; all three hashes must be identical
openssl rsa -noout -modulus -in <private key> | openssl md5
Install#
Install OpenSSL on Debian-based systems
sudo apt-get install openssl
Commands#
Create a private key
openssl genrsa -out server.key 4096
Generate a new private key and certificate signing request
openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key
Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt
Generate a certificate signing request (CSR) for an existing private key
openssl req -out server.csr -key server.key -new
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key
Remove a passphrase from a private key
openssl rsa -in server.pem -out newserver.pem
Parse a list of revoked serial numbers
openssl crl -inform DER -text -noout -in list.crl
Check a certificate signing request (CSR)
openssl req -text -noout -verify -in server.csr
Check a private key
openssl rsa -in server.key -check
Check a public key
openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout
Check a certificate
openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in server.p12
Verify that a private key matches a certificate (all three hashes must be identical)
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5
Display the server's certificate chain, including intermediates (-showcerts prints every certificate sent, not only the leaf)
openssl s_client -connect www.paypal.com:443 -showcerts
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in server.cer -out server.pem
Convert a PEM file to DER
openssl x509 -outform der -in server.pem -out server.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in server.pfx -out server.pem -nodes
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt
Generate Diffie-Hellman parameters (a group, not a key pair)
openssl dhparam -out dhparam.pem 2048
Encrypt files with rsautl (deprecated since OpenSSL 3.0; pkeyutl is the replacement)
openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem
Decrypt files with rsautl
openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem
References#
https://pki-tutorial.readthedocs.io/en/latest/
https://gist.github.com/Hakky54/b30418b25215ad7d18f978bc0b448d81
ECC related#
Generate ECC private key
openssl ecparam -out private/ec-cakey.pem -name prime256v1 -genkey
Generate a CA certificate
openssl req -new -x509 -days 3650 -config openssl.cnf -extensions v3_ca -key private/ec-cakey.pem -out certs/ec-cacert.pem
Verify that the CA certificate matches the private key
# get public key from certificate
openssl x509 -noout -pubkey -in certs/ec-cacert.pem
# get public key from private key
openssl pkey -pubout -in private/ec-cakey.pem
# compare these two public keys
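The RSA modulus checks earlier on this page and the ECC public-key comparison above answer the same question. The script below is an added example, not part of the original notes; it compares the public key extracted from each object, so it works for RSA and EC keys alike. It assumes openssl is on PATH and builds its own key, CSR and certificate in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a private key, a CSR
# and a certificate all carry the same public key. Comparing the SPKI rather than
# the RSA modulus makes the check independent of the key algorithm.
set -eu

# Print the PEM public key carried by a private key, a CSR or a certificate.
# $1 = key|csr|cert, $2 = path to the PEM file
public_key_of() {
  case "$1" in
    key)  openssl pkey -pubout -in "$2" ;;
    csr)  openssl req  -noout -pubkey -in "$2" ;;
    cert) openssl x509 -noout -pubkey -in "$2" ;;
    *)    echo "usage: public_key_of key|csr|cert FILE" >&2; return 2 ;;
  esac
}

# Return 0 when every object given shares the public key of the first one.
# Usage: same_public_key key FILE [csr FILE] [cert FILE] ...
same_public_key() {
  ref=$(public_key_of "$1" "$2"); shift 2
  while [ $# -ge 2 ]; do
    [ "$(public_key_of "$1" "$2")" = "$ref" ] || return 1
    shift 2
  done
}

# Demo with constructed files: an EC key, CSR and self-signed cert that belong
# together, plus an unrelated RSA key that must be rejected.
demo() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ec.key"
  openssl req -new -key "$tmp/ec.key" -subj "/CN=example.test" -out "$tmp/ec.csr"
  openssl req -x509 -key "$tmp/ec.key" -subj "/CN=example.test" -days 1 -out "$tmp/ec.crt"
  openssl genrsa -out "$tmp/rsa.key" 2048 2>/dev/null
  same_public_key key "$tmp/ec.key" csr "$tmp/ec.csr" cert "$tmp/ec.crt" \
    && echo "ec.key, ec.csr and ec.crt share one public key"
  same_public_key key "$tmp/rsa.key" cert "$tmp/ec.crt" \
    || echo "rsa.key does not match ec.crt"
}
demo
```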
https://www.golinuxcloud.com/openssl-generate-ecc-certificate/
SSL Convert#
SSL certificates come in six formats: PEM, DER, PKCS#7, P7B, PKCS#12 and PFX. Depending on the server platform (Windows, Apache, Java), it may be necessary to convert a certificate from one format to another.
- Microsoft Windows servers use .pfx files
- Apache servers use .crt, .cer
The different SSL certificate formats#
PEM FORMAT#
The PEM format is the most common format among SSL certificates issued by certification authorities. A PEM certificate contains the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Files with the .pem extension are identical to those with the .crt or .cer extensions, so the extension can simply be renamed. A PEM file can hold both the certificate and the private key, but most servers, Apache included, expect them in separate files.
- PEM certificates have the .pem, .crt, .cer and .key extensions
- They are encoded in ASCII Base64 format
- They are generally used for Apache servers or similar configurations
DER FORMAT#
The DER format is simply the binary form of a certificate, as opposed to the ASCII PEM format. DER files usually carry the .cer or .der extension. The only way to tell a DER .cer file from a PEM .cer file is to open it in a text editor and look for the BEGIN/END lines. Both certificates and private keys can be encoded in DER. DER is mostly used on Java platforms. To convert a private key to DER, use the OpenSSL commands below.
PKCS#7 AND P7B FORMAT#
The PKCS#7 or P7B format is encoded in ASCII Base64. A P7B file contains the lines "-----BEGIN PKCS7-----" and "-----END PKCS7-----". The particularity of the P7B format is that it holds only certificates and chain certificates, never the private key.
- They have the .p7b and .p7c extensions
- They are generally used for Microsoft Windows and Java Tomcat servers
PKCS#12 AND PFX FORMAT#
The PKCS#12 or PFX format is encoded in binary format. This type of certificate stores the server certificate as well as the intermediate certificates and the private key in a single encrypted file.
PFX files usually come with extensions such as .pfx, .p12 or .pkcs#12. You can rename the extension of .pfx files to .p12 and vice versa. PFX formats are typically used on Windows servers to import and export certificates and private keys.
When a PFX file is converted to PEM, all certificates and the private key end up in a single file, which then has to be split into separate files. To do this, open the file in a text editor and copy each certificate and the private key (including the BEGIN/END lines) into its own text file, saving them as certificate.cer, CACert.cer and privateKey.key respectively.
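The cut-and-paste step above can be scripted. The function below is an added example, not from the original page: it splits the bundle that "openssl pkcs12 -nodes" writes into one file per PEM object, dropping the "Bag Attributes" and subject/issuer lines that sit between blocks. The demo uses a constructed bundle with placeholder bodies, since the splitter only looks at the BEGIN/END markers.

```shell
#!/bin/sh
# Added example (not from the original page): split a PEM bundle into
# certificate.cer (first certificate), CACert-N.cer (further certificates)
# and privateKey.key (the private key), as the manual procedure describes.
set -eu

# split_pem BUNDLE OUTDIR
# Lines outside a BEGIN/END pair (pkcs12 "Bag Attributes", subject= etc.) are discarded.
split_pem() {
  mkdir -p "$2"
  awk -v out="$2" '
    /^-----BEGIN / {
      name = substr($0, 12); sub(/-----$/, "", name)       # e.g. "RSA PRIVATE KEY"
      if (name ~ /PRIVATE KEY$/) { file = out "/privateKey.key" }
      else if (name == "CERTIFICATE") { n++; file = (n == 1) ? out "/certificate.cer" : out "/CACert-" (n - 1) ".cer" }
      else { file = out "/other-" (++o) ".pem" }            # anything unexpected is kept, not lost
      inblock = 1
    }
    inblock      { print > file }
    /^-----END / { inblock = 0; close(file) }
  ' "$1"
}

# Number of PEM objects in a file; handy for checking the result.
count_pem_blocks() { grep -c '^-----BEGIN ' "$1"; }

# Demo on a constructed bundle laid out like pkcs12 -nodes output.
demo() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  cat > "$tmp/bundle.pem" <<'EOF'
Bag Attributes
    friendlyName: server
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-KEY-BODY
-----END PRIVATE KEY-----
subject=CN = example.test
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
EOF
  split_pem "$tmp/bundle.pem" "$tmp/out"
  ls "$tmp/out"   # CACert-1.cer  certificate.cer  privateKey.key
}
demo
```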
OpenSSL commands for your conversion#
It is recommended to convert files locally with OpenSSL commands so that the private key never leaves your machine. The commands below cover the conversions between the formats described above.
CONVERT PEM#
PEM TO DER#
openssl x509 -outform der -in certificate.pem -out certificate.der
PEM TO P7B#
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
PEM TO PFX#
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
CONVERT DER#
DER (.CRT .CER .DER) TO PEM#
openssl x509 -inform der -in certificate.cer -out certificate.pem
DER TO CER#
openssl x509 -inform der -in certificat-ssl.der -out certificat-ssl.cer
CONVERT P7B#
P7B TO PEM#
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
P7B TO PFX#
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
P7B TO CER#
openssl pkcs7 -print_certs -in certificat-ssl.p7b -out certificat-ssl.cer
CONVERT PFX#
PFX TO PEM#
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
CONVERT CER#
CER TO P7B#
openssl crl2pkcs7 -nocrl -certfile certificat-ssl.cer -certfile cert-intermediaire.cer -certfile cert-racine.cer -out certificat-ssl.p7b
CER TO PFX#
openssl pkcs12 -in certificat-ssl.cer -certfile cert-intermediaire.cer -certfile cert-racine.cer -inkey cle-privee.key -export -out certificat-ssl.pfx
CER TO DER#
openssl x509 -in certificat-ssl.cer -outform der -out certificat-ssl.der