Toolpack:Certificates

From TBwiki
Latest revision as of 21:30, 10 February 2020

This page provides useful shell commands and instructions to create and manipulate certificates with ProSBC.

Installing a custom private key and local certificate on ProSBC

See WEB Portal configuration documentation

Use ProSBC (or Linux) shell to manipulate certificates

You can use ProSBC's shell (or most Linux hosts' shell as long as OpenSSL is installed) to create and view private keys, certificates and CSRs (certificate signing requests).

Create new private key

 openssl genrsa -aes256 -out MY_PRIVATE_KEY.pem 2048
 

You will be prompted to enter a pass phrase:

 Generating RSA private key, 2048 bit long modulus
 .....................+++
 ..............................+++
 e is 65537 (0x10001)
 Enter pass phrase for MY_PRIVATE_KEY.pem:
 Verifying - Enter pass phrase for MY_PRIVATE_KEY.pem:

Resulting file:

 -rw-r--r-- 1 root root 1704 Mar 14 09:15 MY_PRIVATE_KEY.pem

Note that the key file is created world-readable (-rw-r--r--); restrict it to its owner with chmod 600 MY_PRIVATE_KEY.pem before you copy it anywhere.

Create a self-signed certificate from a private key

 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MY_PRIVATE_KEY.pem -out MY_CERTIFICATE.crt

Because of -newkey and -nodes, this command generates a fresh, unencrypted 2048-bit key and writes it to MY_PRIVATE_KEY.pem, overwriting the passphrase-protected key created above. To sign the certificate with the existing key instead, replace -nodes -newkey rsa:2048 -keyout MY_PRIVATE_KEY.pem with -key MY_PRIVATE_KEY.pem; you will then be asked for the key's pass phrase and the "Generating ..." lines below will not appear.

You will be prompted to answer questions regarding the certificate:

 Generating a 2048 bit RSA private key
 .........................................................+++
 ........................................................................................................................................................................................+++
 writing new private key to 'MY_PRIVATE_KEY.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CA
 State or Province Name (full name) []:Quebec
 Locality Name (eg, city) [Default City]:Boucherville
 Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:MySBC
 Email Address []:support@telcobridges.com
 

Resulting files:

 -rw-r--r-- 1 root root 1415 Mar 14 09:15 MY_CERTIFICATE.crt
 -rw-r--r-- 1 root root 1751 Mar 14 09:14 MY_PRIVATE_KEY.pem

Create a CSR (certificate signing request) from a private key

 openssl req -key MY_PRIVATE_KEY.pem -new -out MY_CSR.csr

You will be prompted to answer questions regarding the certificate:

 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CA
 State or Province Name (full name) []:Quebec
 Locality Name (eg, city) [Default City]:Boucherville
 Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:MySBC
 Email Address []:support@telcobridges.com
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:my_password
 An optional company name []:TelcoBridges

Resulting files:

 -rw-r--r-- 1 root root 1127 Mar 14 09:20 MY_CSR.csr

View the contents of a certificate

 openssl x509 -noout -text -in MY_CERTIFICATE.crt

Resulting output:

 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             f3:fc:c5:72:ea:a9:50:a6
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
         Validity
             Not Before: Mar 14 13:15:53 2019 GMT
             Not After : Mar 13 13:15:53 2020 GMT
         Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                     00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                     f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                     ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                     e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                     82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                     68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                     9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                     9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                     3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                     20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                     87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                     24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                     98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                     cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                     8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                     d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                     f5:1d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
             X509v3 Authority Key Identifier:
                 keyid:9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
 
             X509v3 Basic Constraints:
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
          4c:96:41:e8:ff:d8:79:e0:db:22:ec:a2:10:1b:c0:88:f3:83:
          60:b1:2d:91:06:15:a4:96:4a:9a:fb:3c:39:a4:48:04:a9:55:
          1b:b5:c2:c8:08:e0:70:d7:03:c5:e1:1d:f7:0c:3d:38:49:aa:
          9b:85:1f:d2:6b:61:f5:10:9a:c7:0a:ff:34:a4:e9:d5:0b:cd:
          2a:90:84:07:ac:74:7f:d9:e1:dd:33:dd:ae:8c:5a:61:ec:20:
          d3:6e:7c:e5:be:46:94:b4:bc:da:54:80:12:28:5b:12:80:a1:
          ad:86:6a:f9:dc:1f:f8:a5:cb:ab:2a:30:5d:f8:19:9f:e8:82:
          9b:32:b7:cc:d5:f9:7d:3b:35:51:8b:a5:39:e3:71:84:37:09:
          20:e0:d9:6c:6f:37:76:49:3a:01:ea:ce:8b:71:74:fe:29:2c:
          84:3d:3b:9e:6c:50:64:53:36:90:6e:49:ce:40:fd:80:c7:25:
          31:d5:49:42:0f:c7:37:9a:9e:99:6b:37:3e:9a:71:a7:a2:87:
          19:1d:a3:44:48:b8:c3:65:c1:55:b2:0c:57:e8:0f:a6:f2:a5:
          b4:d3:50:04:fe:fd:86:2c:c2:0a:c2:20:aa:81:26:48:34:3a:
          3d:a6:2e:1b:eb:d7:b9:f1:a2:ad:7a:42:37:81:63:02:ac:3b:
          e6:01:6b:10

View a certificate signing request (CSR)

 openssl req -text -noout -verify -in MY_CSR.csr

Resulting output:

 verify OK
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                     00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                     f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                     ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                     e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                     82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                     68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                     9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                     9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                     3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                     20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                     87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                     24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                     98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                     cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                     8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                     d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                     f5:1d
                 Exponent: 65537 (0x10001)
         Attributes:
             challengePassword        :my_password
             unstructuredName         :TelcoBridges
     Signature Algorithm: sha256WithRSAEncryption
          85:98:17:25:45:42:f6:44:f0:51:ca:42:32:92:e6:0e:a6:9d:
          59:73:1c:82:c6:9b:c1:b7:17:00:77:f3:42:52:86:d6:08:a8:
          30:99:02:41:c6:c2:22:b2:98:b9:f7:83:b9:b0:ab:5b:59:95:
          9c:32:3b:9b:15:1c:4c:90:d1:bb:cf:fb:85:c4:5d:df:df:9e:
          18:1b:f8:5b:b5:68:60:0f:d8:c6:5d:29:0c:54:b3:63:88:0c:
          05:59:34:ad:c0:11:5b:e9:fb:e8:8c:c1:b5:5f:83:60:78:05:
          b7:7e:66:d7:1a:59:5a:2e:b3:9c:c2:38:68:29:bf:44:51:da:
          c9:2b:c3:f1:47:3c:d4:ce:4a:b2:8f:7d:6a:72:46:13:a8:97:
          18:7e:bf:b0:33:14:ee:61:ed:94:c6:c0:19:92:14:2d:a0:8c:
          b1:a2:c1:61:40:62:90:7c:64:09:52:ec:b6:fd:cb:fe:56:3f:
          6e:de:e3:38:93:ee:e4:26:33:59:6c:3f:4f:36:87:de:96:4d:
          c4:bd:ce:35:b2:79:16:38:f5:84:c8:ce:4a:27:11:6b:4b:0d:
          9b:9f:dd:63:87:ca:23:12:8c:64:3b:c7:f0:46:e8:bd:e0:e7:
          35:9d:b9:fb:aa:60:e2:48:8f:9b:6b:fb:69:2f:a5:7c:94:5a:
          70:4d:a6:d1

Check that a certificate and a CSR match the private key

 openssl x509 -noout -modulus -in MY_CERTIFICATE.crt | openssl md5
 openssl rsa -noout -modulus -in MY_PRIVATE_KEY.pem | openssl md5
 openssl req -noout -modulus -in MY_CSR.csr | openssl md5

All three commands should print the same MD5 hash. The digest is only a short fingerprint of the RSA modulus used for comparison, so any digest (for example openssl sha256) works equally well; if the hashes differ, the certificate or CSR was not produced from that private key:

 (stdin)= 41c46eddc15580673fe4adb8f5255634
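The whole workflow above (encrypted key, CSR, self-signed certificate, modulus check) as one non-interactive script. This is an added example, not code from the TBwiki page; it assumes openssl is on PATH, keeps the page's file names, and the passphrase and DN values are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the TBwiki page: runs the page's
# key -> CSR -> self-signed certificate workflow non-interactively and
# then performs the page's "do the moduli match" check with an exit status.
# Assumptions: openssl is on PATH; file names follow the page; the
# passphrase and the DN values are constructed sample data.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:example-passphrase"          # constructed; use a real secret in practice
SUBJ="/C=CA/ST=Quebec/L=Boucherville/O=TelcoBridges/CN=MySBC/emailAddress=support@telcobridges.com"

# Fingerprint of an RSA modulus, SHA-256 here instead of the page's MD5
# (either is only a comparison handle, not a security boundary).
# $1 = x509 | req | rsa (the openssl sub-command that can read $2)
modulus_fp() {
    if [ "$1" = rsa ]; then
        openssl rsa -noout -modulus -in "$2" -passin "$PASS"
    else
        openssl "$1" -noout -modulus -in "$2"
    fi | openssl sha256 | awk '{print $NF}'
}

make_artifacts() {
    # 1. Encrypted private key. umask 077 yields -rw------- instead of the
    #    world-readable -rw-r--r-- shown in the page's listing.
    (umask 077 && openssl genrsa -aes256 -passout "$PASS" \
        -out "$WORK/MY_PRIVATE_KEY.pem" 2048 2>/dev/null)
    # 2. CSR signed with that key; -subj answers the DN prompts.
    openssl req -new -key "$WORK/MY_PRIVATE_KEY.pem" -passin "$PASS" \
        -subj "$SUBJ" -out "$WORK/MY_CSR.csr"
    # 3. Self-signed certificate from the SAME key: -key rather than the
    #    page's -newkey/-nodes, so the encrypted key is not overwritten.
    openssl req -x509 -sha256 -days 365 -key "$WORK/MY_PRIVATE_KEY.pem" \
        -passin "$PASS" -subj "$SUBJ" -out "$WORK/MY_CERTIFICATE.crt"
}

# Exit 0 when certificate, CSR and private key share one modulus, 1 otherwise.
check_match() {
    crt=$(modulus_fp x509 "$WORK/MY_CERTIFICATE.crt")
    csr=$(modulus_fp req "$WORK/MY_CSR.csr")
    key=$(modulus_fp rsa "$WORK/MY_PRIVATE_KEY.pem")
    [ "$crt" = "$csr" ] && [ "$crt" = "$key" ]
}

make_artifacts
if check_match; then
    echo "OK: MY_CERTIFICATE.crt, MY_CSR.csr and MY_PRIVATE_KEY.pem match"
else
    echo "MISMATCH: the certificate or CSR was not made from this key" >&2
    exit 1
fi
```

Set WORK to an existing directory to keep the files; otherwise they land in a fresh mktemp directory.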