Toolpack:Certificates
From TBwiki
Revision as of 21:30, 10 February 2020 by Luc Morissette (Talk | contribs)
This page provides useful shell commands and instructions to create and manipulate certificates with ProSBC.
Installing a custom private key and local certificate on ProSBC
See the WEB Portal configuration documentation.
Use ProSBC (or Linux) shell to manipulate certificates
You can use the ProSBC shell (or the shell of most Linux hosts, as long as OpenSSL is installed) to create and inspect private keys, certificates and CSRs (certificate signing requests). The commands below prompt interactively; the outputs shown were captured with OpenSSL 1.0/1.1 and may differ slightly in wording on other versions.
Create new private key
openssl genrsa -aes256 -out MY_PRIVATE_KEY.pem 2048
The -aes256 option encrypts the key file with AES-256 under a pass phrase, so you will be prompted to enter one (and every later command that reads the key will ask for it again):
Generating RSA private key, 2048 bit long modulus
.....................+++
..............................+++
e is 65537 (0x10001)
Enter pass phrase for MY_PRIVATE_KEY.pem:
Verifying - Enter pass phrase for MY_PRIVATE_KEY.pem:
Resulting file:
-rw-r--r-- 1 root root 1704 Mar 14 09:15 MY_PRIVATE_KEY.pem
Note that the key is created with the default mode 644 (world-readable). Restrict it to its owner (mode 600) before using it, even though it is pass-phrase protected.
Create a self-signed certificate (this also generates a new private key)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout MY_PRIVATE_KEY.pem -out MY_CERTIFICATE.crt
Be aware that -newkey rsa:2048 -keyout MY_PRIVATE_KEY.pem writes a new key, overwriting the one generated in the previous step, and that -nodes leaves this new key unencrypted (no pass phrase). To sign a certificate with the existing key instead, replace those three options with -key MY_PRIVATE_KEY.pem; you are then asked for the key's pass phrase before the questions below.
You will be prompted to answer questions regarding the certificate:
Generating a 2048 bit RSA private key
.........................................................+++
........................................................................................................................................................................................+++
writing new private key to 'MY_PRIVATE_KEY.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Quebec
Locality Name (eg, city) [Default City]:Boucherville
Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MySBC
Email Address []:support@telcobridges.com
Resulting files:
-rw-r--r-- 1 root root 1415 Mar 14 09:15 MY_CERTIFICATE.crt
-rw-r--r-- 1 root root 1751 Mar 14 09:14 MY_PRIVATE_KEY.pem
Create a CSR (certificate signing request) from a private key
openssl req -key MY_PRIVATE_KEY.pem -new -out MY_CSR.csr
The CSR carries the subject DN and the public key and is what you send to the CA; the private key never leaves the host. If the key is pass-phrase protected you are asked for the pass phrase first, then you will be prompted to answer questions regarding the certificate. The "challenge password" is a legacy PKCS#10 attribute that most CAs ignore; leave it blank unless your CA asks for one:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:Quebec
Locality Name (eg, city) [Default City]:Boucherville
Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:MySBC
Email Address []:support@telcobridges.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:my_password
An optional company name []:TelcoBridges
Resulting file:
-rw-r--r-- 1 root root 1127 Mar 14 09:20 MY_CSR.csr
View the contents of the certificate
openssl x509 -noout -text -in MY_CERTIFICATE.crt
Resulting output. Two things to check before deploying a certificate made this way: this one carries Basic Constraints CA:TRUE (what openssl req -x509 produces with the default openssl.cnf) and it has no Subject Alternative Name, so clients that require a SAN for hostname matching, which includes current browsers, will not accept it as a server certificate for MySBC:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: f3:fc:c5:72:ea:a9:50:a6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Validity
            Not Before: Mar 14 13:15:53 2019 GMT
            Not After : Mar 13 13:15:53 2020 GMT
        Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                    00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                    f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                    ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                    e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                    82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                    68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                    9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                    9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                    3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                    20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                    87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                    24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                    98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                    cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                    8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                    d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                    f5:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
            X509v3 Authority Key Identifier:
                keyid:9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         4c:96:41:e8:ff:d8:79:e0:db:22:ec:a2:10:1b:c0:88:f3:83:
         60:b1:2d:91:06:15:a4:96:4a:9a:fb:3c:39:a4:48:04:a9:55:
         1b:b5:c2:c8:08:e0:70:d7:03:c5:e1:1d:f7:0c:3d:38:49:aa:
         9b:85:1f:d2:6b:61:f5:10:9a:c7:0a:ff:34:a4:e9:d5:0b:cd:
         2a:90:84:07:ac:74:7f:d9:e1:dd:33:dd:ae:8c:5a:61:ec:20:
         d3:6e:7c:e5:be:46:94:b4:bc:da:54:80:12:28:5b:12:80:a1:
         ad:86:6a:f9:dc:1f:f8:a5:cb:ab:2a:30:5d:f8:19:9f:e8:82:
         9b:32:b7:cc:d5:f9:7d:3b:35:51:8b:a5:39:e3:71:84:37:09:
         20:e0:d9:6c:6f:37:76:49:3a:01:ea:ce:8b:71:74:fe:29:2c:
         84:3d:3b:9e:6c:50:64:53:36:90:6e:49:ce:40:fd:80:c7:25:
         31:d5:49:42:0f:c7:37:9a:9e:99:6b:37:3e:9a:71:a7:a2:87:
         19:1d:a3:44:48:b8:c3:65:c1:55:b2:0c:57:e8:0f:a6:f2:a5:
         b4:d3:50:04:fe:fd:86:2c:c2:0a:c2:20:aa:81:26:48:34:3a:
         3d:a6:2e:1b:eb:d7:b9:f1:a2:ad:7a:42:37:81:63:02:ac:3b:
         e6:01:6b:10
View the contents of a CSR (certificate signing request)
openssl req -text -noout -verify -in MY_CSR.csr
The -verify option checks the CSR's own signature, which proves that whoever produced the request holds the private key matching the public key inside it.
Resulting output:
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/emailAddress=support@telcobridges.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                    00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                    f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                    ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                    e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                    82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                    68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                    9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                    9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                    3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                    20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                    87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                    24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                    98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                    cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                    8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                    d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                    f5:1d
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :my_password
            unstructuredName         :TelcoBridges
    Signature Algorithm: sha256WithRSAEncryption
         85:98:17:25:45:42:f6:44:f0:51:ca:42:32:92:e6:0e:a6:9d:
         59:73:1c:82:c6:9b:c1:b7:17:00:77:f3:42:52:86:d6:08:a8:
         30:99:02:41:c6:c2:22:b2:98:b9:f7:83:b9:b0:ab:5b:59:95:
         9c:32:3b:9b:15:1c:4c:90:d1:bb:cf:fb:85:c4:5d:df:df:9e:
         18:1b:f8:5b:b5:68:60:0f:d8:c6:5d:29:0c:54:b3:63:88:0c:
         05:59:34:ad:c0:11:5b:e9:fb:e8:8c:c1:b5:5f:83:60:78:05:
         b7:7e:66:d7:1a:59:5a:2e:b3:9c:c2:38:68:29:bf:44:51:da:
         c9:2b:c3:f1:47:3c:d4:ce:4a:b2:8f:7d:6a:72:46:13:a8:97:
         18:7e:bf:b0:33:14:ee:61:ed:94:c6:c0:19:92:14:2d:a0:8c:
         b1:a2:c1:61:40:62:90:7c:64:09:52:ec:b6:fd:cb:fe:56:3f:
         6e:de:e3:38:93:ee:e4:26:33:59:6c:3f:4f:36:87:de:96:4d:
         c4:bd:ce:35:b2:79:16:38:f5:84:c8:ce:4a:27:11:6b:4b:0d:
         9b:9f:dd:63:87:ca:23:12:8c:64:3b:c7:f0:46:e8:bd:e0:e7:
         35:9d:b9:fb:aa:60:e2:48:8f:9b:6b:fb:69:2f:a5:7c:94:5a:
         70:4d:a6:d1
Check that a certificate and a CSR match the private key
openssl x509 -noout -modulus -in MY_CERTIFICATE.crt | openssl md5
openssl rsa -noout -modulus -in MY_PRIVATE_KEY.pem | openssl md5
openssl req -noout -modulus -in MY_CSR.csr | openssl md5
All three commands should display the same hash. MD5 is acceptable here because the digest only shortens three values you computed yourself for a side-by-side comparison; it is not used as a security control. Because the comparison is on the RSA modulus, it only applies to RSA keys:
(stdin)= 41c46eddc15580673fe4adb8f5255634
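The following script is an added example, not part of this page or of TelcoBridges' own tooling. It runs the key, self-signed certificate, CSR and consistency-check steps above non-interactively and goes a little beyond them: the key file is created owner-only, the self-signed certificate is made from the existing key (-key rather than -newkey/-keyout, so the key is not silently replaced), a small request config adds a Subject Alternative Name and marks the certificate CA:FALSE, and the final check compares SHA-256 digests of the public keys rather than the RSA modulus, which also works for EC keys. The hostname mysbc.example.com, the address 192.0.2.10 and the default pass phrase are placeholders. Whether the ProSBC upload accepts a pass-phrase-protected key is not stated on this page; check the WEB Portal documentation it refers to.

```shell
#!/bin/sh
# Added example (not from the TelcoBridges page or ProSBC): the same
# key -> self-signed certificate -> CSR -> consistency check workflow,
# run non-interactively with the checks a deployment should include.
# Placeholders (assumptions): the pass phrase default, the example hostname
# mysbc.example.com and the address 192.0.2.10. Replace them with your own.
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/prosbc-cert-example}"
KEY="$WORKDIR/MY_PRIVATE_KEY.pem"
CRT="$WORKDIR/MY_CERTIFICATE.crt"
CSR="$WORKDIR/MY_CSR.csr"
CNF="$WORKDIR/openssl-req.cnf"
SUBJ="/C=CA/ST=Quebec/L=Boucherville/O=TelcoBridges/CN=MySBC"
SAN="DNS:mysbc.example.com,IP:192.0.2.10"                  # placeholder names
export KEY_PASS="${KEY_PASS:-example-pass-phrase-change-me}"  # placeholder

# Minimal request config. With -subj on the command line the [dn] section can
# stay empty, but [req] must still name one. v3_ext marks the certificate as a
# non-CA server certificate and adds the SAN (CN alone is no longer enough for
# hostname matching); req_ext puts the same SAN into the CSR for the CA.
write_config() {
    mkdir -p "$WORKDIR"
    cat > "$CNF" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $SAN
[req_ext]
subjectAltName = $SAN
EOF
}

# Private key: AES-256 encrypted under KEY_PASS (like the genrsa step above),
# created owner-only (mode 600) instead of the default world-readable 644.
gen_key() {
    ( umask 077 && openssl genrsa -aes256 -passout env:KEY_PASS -out "$KEY" 2048 )
}

# Self-signed certificate from the EXISTING key: -key, not -newkey/-keyout,
# so the key from gen_key is reused rather than silently replaced.
gen_selfsigned() {
    openssl req -new -x509 -sha256 -days 365 -key "$KEY" -passin env:KEY_PASS \
        -subj "$SUBJ" -config "$CNF" -extensions v3_ext -out "$CRT"
}

# CSR from the same key, SAN included.
gen_csr() {
    openssl req -new -sha256 -key "$KEY" -passin env:KEY_PASS \
        -subj "$SUBJ" -config "$CNF" -reqexts req_ext -out "$CSR"
}

# SHA-256 over the DER-encoded public key of a key, certificate or CSR.
# Comparing public keys instead of the RSA modulus also works for EC keys.
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -passin env:KEY_PASS -pubout -outform DER ;;
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when key, certificate and CSR all carry the same public key.
all_match() {
    k=$(pubkey_fp key "$1"); c=$(pubkey_fp cert "$2"); r=$(pubkey_fp csr "$3")
    [ "$k" = "$c" ] && [ "$k" = "$r" ]
}

# Full run: generate, then check the CSR's self-signature, the certificate's
# signature and validity period, and that all three artefacts share one key.
run_all() {
    write_config && gen_key && gen_selfsigned && gen_csr
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null
    all_match "$KEY" "$CRT" "$CSR"
}

# Usage: KEY_PASS='...' sh prosbc-cert-example.sh
run_all && echo "key, certificate and CSR share public key $(pubkey_fp key "$KEY")"
```

After a run, the three files sit in $WORKDIR: the certificate and key are what the WEB Portal step installs, and the CSR is what goes to the CA. The CA-signed certificate that comes back can be checked against the same key with pubkey_fp cert, exactly as the self-signed one is here.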