Toolpack:Certificates
From TBwiki
Difference between revisions (2 intermediate revisions by one user not shown). Edit summaries: m (changed passphrase to pass phrase to match openssl); (Updated des3 (not secure) to aes256).
Latest revision as of 21:30, 10 February 2020
This page provides useful shell commands and instructions to create and manipulate certificates with ProSBC.
Installing a custom private key and local certificate on ProSBC
See WEB Portal configuration documentation
Use ProSBC (or Linux) shell to manipulate certificates
You can use ProSBC's shell (or most Linux hosts' shell as long as OpenSSL is installed) to create and view private keys, certificates and CSRs (certificate signing requests).
Create new private key
openssl genrsa -aes256 -out MY_PRIVATE_KEY.pem 2048
You will be prompted to enter a pass phrase:
Generating RSA private key, 2048 bit long modulus
.....................+++
..............................+++
e is 65537 (0x10001)
Enter pass phrase for MY_PRIVATE_KEY.pem:
Verifying - Enter pass phrase for MY_PRIVATE_KEY.pem:
Resulting file:
-rw-r--r-- 1 root root 1704 Mar 14 09:15 MY_PRIVATE_KEY.pem
Create a self-signed certificate from a private key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MY_PRIVATE_KEY.pem -out MY_CERTIFICATE.crt
You will be prompted to answer questions regarding the certificate:
Generating a 2048 bit RSA private key
.........................................................+++
........................................................................................................................................................................................+++
writing new private key to 'MY_PRIVATE_KEY.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Quebec
Locality Name (eg, city) [Default City]:Boucherville
Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MySBC
Email Address []:support@telcobridges.com
Resulting files:
-rw-r--r-- 1 root root 1415 Mar 14 09:15 MY_CERTIFICATE.crt
-rw-r--r-- 1 root root 1751 Mar 14 09:14 MY_PRIVATE_KEY.pem
Create a CSR (certificate signing request) from a private key
openssl req -key MY_PRIVATE_KEY.pem -new -out MY_CSR.csr
You will be prompted to answer questions regarding the certificate:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Quebec
Locality Name (eg, city) [Default City]:Boucherville
Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MySBC
Email Address []:support@telcobridges.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:my_password
An optional company name []:TelcoBridges
Resulting files:
-rw-r--r-- 1 root root 1127 Mar 14 09:20 MY_CSR.csr
View the contents of the certificate
openssl x509 -noout -text -in MY_CERTIFICATE.crt
Resulting output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f3:fc:c5:72:ea:a9:50:a6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Validity
            Not Before: Mar 14 13:15:53 2019 GMT
            Not After : Mar 13 13:15:53 2020 GMT
        Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                    00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                    f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                    ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                    e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                    82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                    68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                    9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                    9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                    3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                    20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                    87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                    24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                    98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                    cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                    8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                    d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                    f5:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
            X509v3 Authority Key Identifier:
                keyid:9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         4c:96:41:e8:ff:d8:79:e0:db:22:ec:a2:10:1b:c0:88:f3:83:
         60:b1:2d:91:06:15:a4:96:4a:9a:fb:3c:39:a4:48:04:a9:55:
         1b:b5:c2:c8:08:e0:70:d7:03:c5:e1:1d:f7:0c:3d:38:49:aa:
         9b:85:1f:d2:6b:61:f5:10:9a:c7:0a:ff:34:a4:e9:d5:0b:cd:
         2a:90:84:07:ac:74:7f:d9:e1:dd:33:dd:ae:8c:5a:61:ec:20:
         d3:6e:7c:e5:be:46:94:b4:bc:da:54:80:12:28:5b:12:80:a1:
         ad:86:6a:f9:dc:1f:f8:a5:cb:ab:2a:30:5d:f8:19:9f:e8:82:
         9b:32:b7:cc:d5:f9:7d:3b:35:51:8b:a5:39:e3:71:84:37:09:
         20:e0:d9:6c:6f:37:76:49:3a:01:ea:ce:8b:71:74:fe:29:2c:
         84:3d:3b:9e:6c:50:64:53:36:90:6e:49:ce:40:fd:80:c7:25:
         31:d5:49:42:0f:c7:37:9a:9e:99:6b:37:3e:9a:71:a7:a2:87:
         19:1d:a3:44:48:b8:c3:65:c1:55:b2:0c:57:e8:0f:a6:f2:a5:
         b4:d3:50:04:fe:fd:86:2c:c2:0a:c2:20:aa:81:26:48:34:3a:
         3d:a6:2e:1b:eb:d7:b9:f1:a2:ad:7a:42:37:81:63:02:ac:3b:
         e6:01:6b:10
View the signing request of a certificate (CSR)
openssl req -text -noout -verify -in MY_CSR.csr
Resulting output:
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                    00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                    f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                    ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                    e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                    82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                    68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                    9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                    9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                    3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                    20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                    87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                    24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                    98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                    cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                    8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                    d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                    f5:1d
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :my_password
            unstructuredName         :TelcoBridges
    Signature Algorithm: sha256WithRSAEncryption
         85:98:17:25:45:42:f6:44:f0:51:ca:42:32:92:e6:0e:a6:9d:
         59:73:1c:82:c6:9b:c1:b7:17:00:77:f3:42:52:86:d6:08:a8:
         30:99:02:41:c6:c2:22:b2:98:b9:f7:83:b9:b0:ab:5b:59:95:
         9c:32:3b:9b:15:1c:4c:90:d1:bb:cf:fb:85:c4:5d:df:df:9e:
         18:1b:f8:5b:b5:68:60:0f:d8:c6:5d:29:0c:54:b3:63:88:0c:
         05:59:34:ad:c0:11:5b:e9:fb:e8:8c:c1:b5:5f:83:60:78:05:
         b7:7e:66:d7:1a:59:5a:2e:b3:9c:c2:38:68:29:bf:44:51:da:
         c9:2b:c3:f1:47:3c:d4:ce:4a:b2:8f:7d:6a:72:46:13:a8:97:
         18:7e:bf:b0:33:14:ee:61:ed:94:c6:c0:19:92:14:2d:a0:8c:
         b1:a2:c1:61:40:62:90:7c:64:09:52:ec:b6:fd:cb:fe:56:3f:
         6e:de:e3:38:93:ee:e4:26:33:59:6c:3f:4f:36:87:de:96:4d:
         c4:bd:ce:35:b2:79:16:38:f5:84:c8:ce:4a:27:11:6b:4b:0d:
         9b:9f:dd:63:87:ca:23:12:8c:64:3b:c7:f0:46:e8:bd:e0:e7:
         35:9d:b9:fb:aa:60:e2:48:8f:9b:6b:fb:69:2f:a5:7c:94:5a:
         70:4d:a6:d1
Check that a certificate and a CSR match the private key
openssl x509 -noout -modulus -in MY_CERTIFICATE.crt | openssl md5
openssl rsa -noout -modulus -in MY_PRIVATE_KEY.pem | openssl md5
openssl req -noout -modulus -in MY_CSR.csr | openssl md5
All 3 commands should display the same MD5 hash:
(stdin)= 41c46eddc15580673fe4adb8f5255634
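The self-signed step above uses -newkey rsa:2048 -nodes -keyout, which writes a new, unencrypted key over MY_PRIVATE_KEY.pem instead of using the AES-256 key from the first step; this added script (not from the TBwiki page) keeps that encrypted key, signs both the certificate and the CSR with it via -key, and runs the match check by comparing the three moduli directly rather than hashing them. The pass phrase, subject string and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the TBwiki page. Constructed values: the pass phrase,
# the subject string and the temporary work directory.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="pass:demo-pass-phrase"    # constructed; do not hard-code a real pass phrase
SUBJ="/C=CA/ST=Quebec/L=Boucherville/O=TelcoBridges/CN=MySBC/emailAddress=support@telcobridges.com"

# 1. AES-256-encrypted RSA key, as in the page's "Create new private key" step.
openssl genrsa -aes256 -passout "$PASS" -out "$WORK/MY_PRIVATE_KEY.pem" 2048 2>/dev/null

# 2. Self-signed certificate that REUSES that key (-key, not -newkey/-nodes),
#    so the encrypted key is not replaced by a fresh unencrypted one.
openssl req -x509 -new -sha256 -days 365 -key "$WORK/MY_PRIVATE_KEY.pem" \
    -passin "$PASS" -subj "$SUBJ" -out "$WORK/MY_CERTIFICATE.crt"

# 3. CSR from the same key.
openssl req -new -key "$WORK/MY_PRIVATE_KEY.pem" -passin "$PASS" \
    -subj "$SUBJ" -out "$WORK/MY_CSR.csr"

# Print "Modulus=<hex>" for a key, certificate or CSR, chosen by file suffix.
modulus_of() {
    case "$1" in
        *.pem) openssl rsa  -noout -modulus -in "$1" -passin "$PASS" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *)     return 2 ;;
    esac
}

# Return 0 when every file carries the modulus of the first one, 1 otherwise.
# Comparing the whole modulus needs no MD5 step.
same_modulus() {
    ref="$(modulus_of "$1")" || return 1
    shift
    for f in "$@"; do
        [ "$(modulus_of "$f")" = "$ref" ] || return 1
    done
}

# A second key that must not match, to show the check actually discriminates.
openssl genrsa -aes256 -passout "$PASS" -out "$WORK/OTHER_KEY.pem" 2048 2>/dev/null

if same_modulus "$WORK/MY_PRIVATE_KEY.pem" "$WORK/MY_CERTIFICATE.crt" "$WORK/MY_CSR.csr"; then
    echo "key, certificate and CSR share one modulus"
fi
if ! same_modulus "$WORK/OTHER_KEY.pem" "$WORK/MY_CERTIFICATE.crt"; then
    echo "OTHER_KEY.pem does not match MY_CERTIFICATE.crt"
fi
```

The modulus comparison only applies to RSA keys; for other key types compare the public keys themselves (openssl pkey -pubout, openssl x509 -pubkey, openssl req -pubkey).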