Contents
Intro
SSL Pitfalls
* Processing overhead
– Use: cryptographic acceleration hardware, load balancing
* Keys in the clear
– Lock down environment
* Compromised server credentials
– Use: CRL (Certificate Revocation List)
* Inadequate entropy (higher the entropy, the more difficult to guess)
– Use entropy larger than 64 bits
* Insecure cryptography
– Use SSLv3 protocol
– Use RC4, 3DES, AES algorithm
OpenSSL Overview
* Started as SSLeay by Eric A. Young and Tim J. Hudson in 1995
* First release in 1998 as 0.9.1c
* Contains two tool kits
# Cryptography library
– Symmetric key algorithms
– Public key algorithms
– Hash algorithms
– Message digests
# SSL toolkit
– Implements all versions of SSL protocol including TLSv1
Config file
* Only three commands use config file (ca, req, x509)
Specify passwords or pass phrases in command line
* stdin
* pass:
* file:
* fd:
Seeding PRNG (Pseudo Random Number Generator)
* Preferred: EGADS (Entropy Gathering And Distribution System) at http://www.securesw.com/egads/.
Message Digest
Supported Message Digest Algorithms
Recommended
* SHA1 (DSS1)
* RIPEMD-160 (rmd160)
Not recommended
* MD2
* MD4
* MD5
* MDC2
Examples
* Compute SHA1 hash for myfile.txt * Write result to stdout: openssl dgst -sha1 myfile.txt * Compute SHA1 hash for myfile.txt * Write result to myfile_digest.txt file openssl sha1 -out myfile_digest.txt myfile.txt * Compute SHA1 hash for myfile.txt * Sign with private key stored in dsakey.pem file * Write signature to myfile_dsasign.bin file openssl dgst -dss1 -sign dsakey.pem -out myfile_dsasign.bin myfile.txt * Verify myfile.txt signature stored in myfile_dsasign.bin * With SHA1 algorithm * With private key stored in dsakey.pem file openssl dgst -dss1 -prverify dsakey.pem -signature myfile_dsasign.bin myfile.txt * Compute SHA1 hash for myfile.txt * Sign with RSA private key stored in rsaprivate.pem file * Write signature to myfile_rsasign.bin file openssl sha1 -sign rsaprivate.pem -out myfile_rsasign.bin myfile.txt * Verify myfile.txt signature stored in myfile_rsasign.bin * With SHA1 alorithm * With public key stored in rsapublic.pem file openssl sha1 -verify rsapublic.pem -signature myfile_rsasign.bin myfile.txt
Symmetric Ciphers
Supported ciphers
* Blowfish
* CAST5
* DES
* 3DES
* IDEA
* RC2
* RC4
* RC5
* AES
Supported modes
* CBC (default)
* CFB
* ECB
* OFB
Public Key Cryptography
RSA
Benifits
* Handles secrecy, authentication, and encryption
* Does not require parameters to be generated before keys can be generated
Commands
genrsa
* Generate new RSA private key
* Private key is unencrypted by default but can be encrypted by DES, 3DES, IDEA
* Recommended key sizes: 1024 or 2048
* Generate a 1024 bit RSA private key and store it in rsaprivatekey.pem file * Encrypt private key with 3DES algorithm with the password secret openssl genrsa -out rsaprivatekey.pem -passout pass:secret -des3 1024 Loading 'screen' into random state - done Generating RSA private key, 1024 bit long modulus ........................................................................++++++ .++++++ e is 65537 (0x10001)
rsa
* Used to examine and manipulate RSA keys
* display/add/modify/remove/encrypt private keys
* Produce public key from private key
* Reads private key in rsaprivatekey.pem file * Decrypt private key with password secret * Writes public key to rsapublickey.pem file openssl rsa -in rsaprivatekey.pem -passin pass:secret -pubout -out rsapublickey.pem writing RSA key
rsautl
* Use an RSA key pair to encrypt/decrypt and sign/verify
* Encrypt myfile.txt file * Using public key from rsapublickey.pem file * Write encrypted text to myfile_cipher.txt file openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in myfile.txt -out myfile_cipher.txt Loading 'screen' into random state - done * Decrypt myfile_cipher.txt file * Using private key from rsaprivatekey.pem file * Write decrypted text to myfile_decipher.txt openssl rsautl -decrypt -inkey rsaprivatekey.pem -in myfile_cipher.txt -out myfile_decipher.txt Loading 'screen' into random state - done Enter pass phrase for rsaprivatekey.pem: * Sign myfile.txt * Using private key from rsaprivatekey.pem * Write signature to myfile_signature.bin file openssl rsautl -sign -inkey rsaprivatekey.pem -in myfile.txt -out myfile_signature.bin Loading 'screen' into random state - done Enter pass phrase for rsaprivatekey.pem: * Verify myfile_signature.bin file * Using public key from rsapublickey.pem * Write verified, unsigned data to myfile_verify.txt file openssl rsautl -verify -pubin -inkey rsapublickey.pem -in myfile_signature.bin -out myfile_verify.txt Loading 'screen' into random state - done
S/MIME vs. PGP
S/MIME uses PKI while PGP not.
PKI: Public Key Infrastructure
Certificate
* Binds a public key to a distinguished name
* Most likely uses X.509 format
* Has a issuer unique serial number
* Has expiration date
* Is signed with issuer’s private key
* Can be verified with issuer’s public key
X.509v3 Certificate Extensions
* Defines 14 extensions
* Only four of the fourteen extensions are well documented and widely used
CA: Certificate Authorities
* A company or organization that issues certificates
Private CA
Public CA
Install
Build and install in Unix
$ ./config $ make $ make test # Optional. $ su # "make install" needs root access # make install
* Installed location (Solaris): /usr/local/ssl
Install in Linux using yum
yum install openssl*
Install in Windows
* Download and install Visual C++ 2008 Redistributables
* Download Win 32 OpenSSL, e.g. Win32OpenSSL-1_0_0d.exe
– Double click to start installer
– Accept all defaults except:
~ Copy OpenSSL DLLs to: The OpenSSL binaries(/bin) directory
Setup CA
Create CA Environment
* Unix
mkdir /opt/exampleca cd /opt/exampleca mkdir certs private chmod g-rwx,o-rwx private echo '01' > serial touch index.txt
* Windows
mkdir C:\OpenSSL\exampleca cd C:\OpenSSL\exampleca mkdir certs mkdir private echo 01 > serial type nul > index.txt
Create a config file
*Create a config file named: openssl.conf
* Windows example:
[ ca ] default_ca = exampleca [ exampleca ] dir = C:/OpenSSL/exampleca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = md5 policy = exampleca_policy x509_extensions = certificate_extensions [ exampleca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false [ req ] default_bits = 2048 default_keyfile = C:/OpenSSL/exampleca/private/cakey.pem default_md = md5 prompt = yes distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = www.exampleca.com stateOrProvinceName = Virginia countryName = US emailAddress = ca@exampleca.com organizationName = Example CA commonName_default = Example CA stateOrProvinceName_default = Virginia countryName_default = US emailAddress_default = ca@exampleca.com organizationName_default = Example CA
* Unix example is same except directory names are different:
... dir = /opt/exampleca ... default_keyfile = /opt/exampleca/private/cakey.pem
* Set OPENSSL_CONF env var
Unix:
export OPENSSL_CONF=/opt/exampleca/openssl.conf
Windows:
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf
* Alternatively, use config=/opt/exampleca/openssl.conf on the command line
Generate a self signed root certificate
# Set config file to exampleca openssl.cof set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf # Use -days to specify validity days openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM
* Sample output
C:\OpenSSL\exampleca>openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM Loading 'screen' into random state - done Generating a 2048 bit RSA private key ....................+++ ..................................................................................................+++ writing new private key to 'C:/OpenSSL/exampleca/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- commonName, e.g. www.exampleca.com [Example CA]: stateOrProvinceName, e.g. Virginia [Virginia]: countryName, e.g. US [US]: emailAddress, e.g ca@exampleca.com [ca@exampleca.com]: organizationName, e.g. Example CA [Example CA]:
List root certificate
openssl x509 -in cacert.pem -text -noout
* Sample output:
C:\OpenSSL\exampleca>openssl x509 -in cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fc:ca:2a:ca:4c:b5:cc:1a
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Validity
Not Before: Jun 27 15:15:17 2011 GMT
Not After : Jul 27 15:15:17 2011 GMT
Subject: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:7c:ef:57:28:26:0d:ef:b2:da:b4:11:fa:e6:
e7:71:ae:ba:58:fc:3a:07:17:3c:22:06:4a:90:b9:
5f:ef:72:1d:c2:85:8d:57:34:43:3e:f8:5f:54:47:
35:a6:97:37:8d:41:64:f2:eb:df:be:7e:a4:52:7f:
3e:2f:73:da:bb:da:7a:21:a9:fa:be:99:9e:8b:8d:
49:05:08:01:3f:c0:ff:37:0f:e2:14:66:9f:41:d5:
74:ed:6e:df:6a:58:4f:6d:ee:67:67:71:be:38:8e:
1e:90:e7:28:6d:4c:10:b7:c2:91:a9:35:a4:f7:c5:
bc:0c:69:59:1f:26:7d:a3:76:e1:be:5f:b1:f5:89:
bf:76:66:c3:21:f1:a9:97:b7:27:5c:81:56:57:2b:
ce:91:7d:64:43:49:c1:da:af:44:d3:fb:c0:04:8c:
46:44:ea:66:d5:fa:6b:37:18:d2:f5:4b:b4:36:6b:
d3:69:c0:fc:70:b5:2a:78:35:44:3d:68:e6:9f:22:
79:6b:fd:f5:db:87:38:98:15:56:b4:00:e2:4b:01:
28:69:53:1c:3e:60:2b:a2:52:3c:3b:6d:10:b7:b9:
7e:b0:cd:e9:38:f8:4b:98:8f:aa:ee:b9:06:e4:c0:
66:f5:fd:39:09:fd:f7:8f:1e:88:e0:57:51:e5:53:
d7:13
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
1e:bf:b8:67:1a:53:96:23:1e:91:85:2e:ab:58:86:c9:1e:6d:
12:a1:53:a7:e9:1d:37:2c:e3:6b:67:44:b5:ef:8f:58:fc:4f:
60:cb:d6:ad:d9:e0:ac:a1:d9:11:f5:fd:83:76:1e:3c:25:23:
f1:c7:ce:b6:ef:18:91:02:a3:f3:5d:b0:7b:23:22:06:d1:b6:
b1:20:61:4c:a7:be:03:58:94:0c:4f:df:fd:d4:01:63:e9:12:
cb:95:97:58:c1:cb:60:15:4e:dd:38:89:d7:25:40:ab:c0:ff:
71:15:ab:9c:6d:5d:3f:2b:4f:20:5f:a5:79:33:63:2c:79:0e:
9c:1e:9c:f7:2a:16:ae:74:78:2b:67:54:48:ad:d9:13:bf:c4:
23:0d:8e:da:79:a0:e5:d1:11:29:a8:21:b3:a4:3b:91:93:22:
fe:2e:bf:d8:42:64:01:66:05:93:39:bb:23:88:04:bf:3d:93:
ec:78:b6:dc:16:5c:ec:f6:6f:0c:ab:49:7b:78:e5:fb:93:fa:
c8:c1:27:e7:f3:ed:f3:32:dc:80:82:0f:7a:bd:c1:63:0e:48:
a6:dd:8b:b0:97:d2:62:94:ab:90:25:57:06:39:6d:3c:57:49:
98:68:d0:0b:95:bf:42:a1:8a:5c:4a:13:e5:ba:e0:4c:54:b6:
dc:95:8b:37
Generate a certificate request
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf openssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM
* Sample output
C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM Loading 'screen' into random state - done Generating a 1024 bit RSA private key ......................................................................................++++++ .......................................++++++ writing new private key to 'sample_key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- commonName, e.g. www.exampleca.com [Example CA]:localhost stateOrProvinceName, e.g. Virginia [Virginia]: countryName, e.g. US [US]: emailAddress, e.g ca@exampleca.com [ca@exampleca.com]: organizationName, e.g. Example CA [Example CA]:
List certificate request
* Command
openssl req -in sample_req.pem -text -noout
* Sample output
C:\OpenSSL\exampleca>openssl req -in sample_req.pem -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:
a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:
32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:
66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:
77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:
35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:
89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:
ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:
a4:54:4c:03:65:13:d0:ae:01
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
26:93:63:3b:13:f2:91:c0:df:df:c8:dd:ef:0f:f8:c4:ab:7b:
6b:5f:5b:80:13:e0:2b:f0:e9:e2:b6:83:7d:36:fd:81:61:55:
93:68:d5:0e:85:a3:68:e4:ff:e5:a2:43:56:c0:75:62:2f:d3:
eb:a7:51:ba:ce:39:23:e4:fc:ff:90:4e:89:53:54:32:99:66:
00:0c:16:22:7d:b2:34:32:9b:75:02:5f:e2:21:90:4b:71:9d:
00:9e:50:49:22:66:74:88:72:55:51:a6:d3:4d:a6:01:77:25:
be:46:cb:9f:b2:b1:ac:34:3e:f5:ad:b6:6a:50:81:af:da:4e:
73:7a
Sign a certificate request
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf openssl ca -in sample_req.pem
* Sample output
C:\OpenSSL\exampleca>openssl ca -in sample_req.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'localhost'
stateOrProvinceName :PRINTABLE:'Virginia'
countryName :PRINTABLE:'US'
emailAddress :IA5STRING:'ca@exampleca.com'
organizationName :PRINTABLE:'Example CA'
Certificate is to be certified until Jun 26 15:25:03 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Validity
Not Before: Jun 27 15:25:03 2011 GMT
Not After : Jun 26 15:25:03 2012 GMT
Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:
a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:
32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:
66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:
77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:
35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:
89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:
ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:
a4:54:4c:03:65:13:d0:ae:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
62:a4:0a:79:3a:bf:2f:f9:3c:26:df:2b:38:9e:8d:f8:8f:a8:
31:6e:9a:0e:2a:4f:fe:c7:b2:b3:b1:26:8a:97:cd:43:46:03:
78:eb:c0:47:cb:db:60:de:2a:d0:ae:70:f1:16:16:ab:00:a1:
b8:7a:0a:bc:78:48:a9:73:34:d5:74:90:49:ba:6e:0a:a9:94:
52:78:3f:ba:f1:2b:d2:b3:df:6c:1d:77:e8:8a:55:5d:81:04:
1d:a6:82:99:88:26:ef:37:f1:71:f9:05:c3:bd:89:7e:0c:1e:
25:61:ad:d6:46:26:d5:67:53:01:74:08:58:19:cc:5d:fd:64:
0e:17:e8:78:d1:47:b8:c7:48:86:a5:da:f7:b5:8d:c9:00:ff:
3c:9e:5c:23:9f:6c:cd:21:f3:76:3e:29:8f:3d:d7:c4:93:b0:
59:dd:94:c0:c0:65:74:f1:32:7f:a9:e4:40:3a:11:f7:28:c4:
3e:85:07:f3:bf:21:78:60:7b:6f:9b:7f:4b:39:11:38:4f:05:
60:03:40:4b:6e:cd:b6:21:ea:cb:23:da:f7:27:55:34:62:7f:
6e:b5:25:c5:60:24:0b:0b:a6:67:66:dd:9c:8b:e8:af:bb:00:
bf:3e:a5:1b:11:3f:de:b5:26:6b:af:b3:ae:7b:48:ce:ac:88:
7d:ba:e9:ac
-----BEGIN CERTIFICATE-----
MIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBrMRMwEQYDVQQDEwpFeGFt
cGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG
9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwHhcN
MTEwNjI3MTUyNTAzWhcNMTIwNjI2MTUyNTAzWjBqMRIwEAYDVQQDEwlsb2NhbGhv
c3QxETAPBgNVBAgTCFZpcmdpbmlhMQswCQYDVQQGEwJVUzEfMB0GCSqGSIb3DQEJ
ARYQY2FAZXhhbXBsZWNhLmNvbTETMBEGA1UEChMKRXhhbXBsZSBDQTCBnzANBgkq
hkiG9w0BAQEFAAOBjQAwgYkCgYEAmZcz3SOhfwUw7k2JQOWpnczc0R7eIpHighUE
5Qoy9oi+RPpi3O/vHXFoZxdm/uhZK8NpN0gKseICJVN3AhzuQiHFO2ib9N4T/VQ1
q/fcf+dk9+5jP0nKa/6JKMezn4U7Uh7y6E5mifzKoMUBEOhKPgOY7hB3SLmkVEwD
ZRPQrgECAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQQFAAOCAQEAYqQK
eTq/L/k8Jt8rOJ6N+I+oMW6aDipP/seys7EmipfNQ0YDeOvAR8vbYN4q0K5w8RYW
qwChuHoKvHhIqXM01XSQSbpuCqmUUng/uvEr0rPfbB136IpVXYEEHaaCmYgm7zfx
cfkFw72JfgweJWGt1kYm1WdTAXQIWBnMXf1kDhfoeNFHuMdIhqXa97WNyQD/PJ5c
I59szSHzdj4pjz3XxJOwWd2UwMBldPEyf6nkQDoR9yjEPoUH878heGB7b5t/SzkR
OE8FYANAS27NtiHqyyPa9ydVNGJ/brUlxWAkCwumZ2bdnIvor7sAvz6lGxE/3rUm
a6+zrntIzqyIfbrprA==
-----END CERTIFICATE-----
Data Base Updated
* Cert generated in the exampleca\certs subdirectory.
C:\OpenSSL\exampleca>dir certs
Directory of C:\OpenSSL\exampleca\certs
06/27/2011 11:25 AM 3,281 sample_cert.pem
1 File(s) 3,281 bytes
* Rename signed cert if needed
C:\OpenSSL\exampleca>cd certs
C:\OpenSSL\exampleca\certs>rename sample_cert.pem sample_cert.pem
C:\OpenSSL\exampleca\certs>dir
Directory of C:\OpenSSL\exampleca\certs
06/27/2011 11:25 AM 3,281 sample_cert.pem
1 File(s) 3,281 bytes
List Sample Cert
openssl x509 -in certs\sample_cert.pem -text -noout
* Sample output
C:\OpenSSL\exampleca>openssl x509 -in certs\sample_cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Validity
Not Before: Jun 27 15:25:03 2011 GMT
Not After : Jun 26 15:25:03 2012 GMT
Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:
a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:
32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:
66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:
77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:
35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:
89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:
ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:
a4:54:4c:03:65:13:d0:ae:01
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: md5WithRSAEncryption
62:a4:0a:79:3a:bf:2f:f9:3c:26:df:2b:38:9e:8d:f8:8f:a8:
31:6e:9a:0e:2a:4f:fe:c7:b2:b3:b1:26:8a:97:cd:43:46:03:
78:eb:c0:47:cb:db:60:de:2a:d0:ae:70:f1:16:16:ab:00:a1:
b8:7a:0a:bc:78:48:a9:73:34:d5:74:90:49:ba:6e:0a:a9:94:
52:78:3f:ba:f1:2b:d2:b3:df:6c:1d:77:e8:8a:55:5d:81:04:
1d:a6:82:99:88:26:ef:37:f1:71:f9:05:c3:bd:89:7e:0c:1e:
25:61:ad:d6:46:26:d5:67:53:01:74:08:58:19:cc:5d:fd:64:
0e:17:e8:78:d1:47:b8:c7:48:86:a5:da:f7:b5:8d:c9:00:ff:
3c:9e:5c:23:9f:6c:cd:21:f3:76:3e:29:8f:3d:d7:c4:93:b0:
59:dd:94:c0:c0:65:74:f1:32:7f:a9:e4:40:3a:11:f7:28:c4:
3e:85:07:f3:bf:21:78:60:7b:6f:9b:7f:4b:39:11:38:4f:05:
60:03:40:4b:6e:cd:b6:21:ea:cb:23:da:f7:27:55:34:62:7f:
6e:b5:25:c5:60:24:0b:0b:a6:67:66:dd:9c:8b:e8:af:bb:00:
bf:3e:a5:1b:11:3f:de:b5:26:6b:af:b3:ae:7b:48:ce:ac:88:
7d:ba:e9:ac
Revoke a certificate
openssl ca -revoke certs\sample_cert.pem
* Sample output
C:\OpenSSL\exampleca>openssl ca -revoke certs\sample_cert.pem Using configuration from C:\OpenSSL\exampleca\openssl.conf Loading 'screen' into random state - done Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem: Revoking Certificate 01. Data Base Updated
Generate CRL
openssl ca -gencrl -out exampleca.crl
* Sample output
C:\OpenSSL\exampleca>openssl ca -gencrl -out exampleca.crl
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
C:\OpenSSL\exampleca>dir *.crl
Directory of C:\OpenSSL\exampleca
06/27/2011 11:37 AM 670 exampleca.crl
1 File(s) 670 bytes
* List CRL file
C:\OpenSSL\exampleca>openssl crl -in exampleca.crl -text -noout
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: /CN=Example CA/ST=Virginia/C=US/emailAddress=ca@exampleca.com/O=Example CA
Last Update: Jun 27 15:37:57 2011 GMT
Next Update: Jul 4 15:37:57 2011 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date: Jun 27 15:37:12 2011 GMT
Signature Algorithm: md5WithRSAEncryption
04:b6:e9:66:75:e6:2d:18:61:37:4a:4d:f2:0e:99:a3:49:55:
ed:d6:ff:f1:5a:f8:35:5b:a4:6e:be:6b:6a:74:e9:2a:70:08:
07:73:57:a5:16:e7:80:af:d0:e8:5d:8f:3d:6b:86:66:9a:cb:
ed:24:17:c5:40:8c:00:72:56:b9:9b:bb:51:c3:a3:0e:fc:37:
82:e3:22:7b:de:05:d5:00:31:a5:0a:65:0d:54:50:83:4c:6a:
6e:82:a8:d8:f5:37:6a:af:9b:5d:75:cb:64:be:99:1d:29:a2:
12:84:c3:b5:0a:48:a8:cf:3e:07:10:7a:93:30:64:a6:d3:3c:
5a:03:41:4a:0b:01:da:71:10:97:c5:d1:b2:89:a7:90:59:6f:
4d:af:10:3d:97:79:56:a1:ef:e0:80:b0:0f:f8:10:69:41:77:
03:1d:66:bd:01:50:2f:f4:4a:0e:7a:eb:53:a6:3d:cd:43:fa:
17:55:e9:9d:74:b7:e7:0b:2d:95:5b:5d:26:84:20:bf:89:e7:
8d:00:14:96:70:46:91:1d:8f:7c:00:bd:45:ea:1d:58:20:28:
4e:c3:27:69:48:d7:09:6c:9e:13:1e:03:f0:5c:71:fd:72:a8:
d9:6b:bf:ba:57:29:ea:c6:f6:8c:db:dd:3d:cd:80:ca:6e:31:
bf:de:50:36
* Verify that CRL file is valid with CA public key
C:\OpenSSL\exampleca>openssl crl -in exampleca.crl -noout -CAfile cacert.pem verify OK
Update DB
openssl ca -updatedb
* Sample output
C:\OpenSSL\exampleca>openssl ca -updatedb Using configuration from C:\OpenSSL\exampleca\openssl.conf Loading 'screen' into random state - done Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
References
* OpenSSL Docs
* Network Security with OpenSSL by John Viega; Matt Messier; Pravir Chandra
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure by Russ Housley and Tim Polk ( John Wiley & Sons).
* OpenSSL Command-Line HOWTO
15 Responses to OpenSSL