Contents
Intro
SSL Pitfalls
* Processing overhead
– Use: cryptographic acceleration hardware, load balancing
* Keys in the clear
– Lock down environment
* Compromised server credentials
– Use: CRL (Certificate Revocation List)
* Inadequate entropy (the higher the entropy, the harder a key is to guess)
– Use entropy larger than 64 bits
* Insecure cryptography
– Use SSLv3 protocol
– Use RC4, 3DES, AES algorithm
OpenSSL Overview
* Started as SSLeay by Eric A. Young and Tim J. Hudson in 1995
* First release in 1998 as 0.9.1c
* Contains two tool kits
# Cryptography library
– Symmetric key algorithms
– Public key algorithms
– Hash algorithms
– Message digests
# SSL toolkit
– Implements all versions of SSL protocol including TLSv1
Config file
* Only three commands use config file (ca, req, x509)
Specify passwords or pass phrases on the command line
* stdin
* pass:
* file:
* fd:
Seeding PRNG (Pseudo Random Number Generator)
* Preferred: EGADS (Entropy Gathering And Distribution System) at http://www.securesw.com/egads/.
Message Digest
Supported Message Digest Algorithms
Recommended
* SHA1 (DSS1)
* RIPEMD-160 (rmd160)
Not recommended
* MD2
* MD4
* MD5
* MDC2
Examples
* Compute SHA1 hash for myfile.txt
– Write result to stdout:
openssl dgst -sha1 myfile.txt
* Compute SHA1 hash for myfile.txt
– Write result to myfile_digest.txt file:
openssl sha1 -out myfile_digest.txt myfile.txt
* Compute SHA1 hash for myfile.txt
– Sign with private key stored in dsakey.pem file
– Write signature to myfile_dsasign.bin file:
openssl dgst -dss1 -sign dsakey.pem -out myfile_dsasign.bin myfile.txt
* Verify myfile.txt signature stored in myfile_dsasign.bin
– With SHA1 algorithm
– With private key stored in dsakey.pem file:
openssl dgst -dss1 -prverify dsakey.pem -signature myfile_dsasign.bin myfile.txt
* Compute SHA1 hash for myfile.txt
– Sign with RSA private key stored in rsaprivate.pem file
– Write signature to myfile_rsasign.bin file:
openssl sha1 -sign rsaprivate.pem -out myfile_rsasign.bin myfile.txt
* Verify myfile.txt signature stored in myfile_rsasign.bin
– With SHA1 algorithm
– With public key stored in rsapublic.pem file:
openssl sha1 -verify rsapublic.pem -signature myfile_rsasign.bin myfile.txt
Symmetric Ciphers
Supported ciphers
* Blowfish
* CAST5
* DES
* 3DES
* IDEA
* RC2
* RC4
* RC5
* AES
Supported modes
* CBC (default)
* CFB
* ECB
* OFB
Public Key Cryptography
RSA
Benefits
* Handles secrecy, authentication, and encryption
* Does not require parameters to be generated before keys can be generated
Commands
genrsa
* Generate new RSA private key
* Private key is unencrypted by default but can be encrypted by DES, 3DES, IDEA
* Recommended key sizes: 1024 or 2048
* Generate a 1024 bit RSA private key and store it in rsaprivatekey.pem file
* Encrypt private key with 3DES algorithm with the password secret
openssl genrsa -out rsaprivatekey.pem -passout pass:secret -des3 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................................++++++
.++++++
e is 65537 (0x10001)
rsa
* Used to examine and manipulate RSA keys
* display/add/modify/remove/encrypt private keys
* Produce public key from private key
* Reads private key in rsaprivatekey.pem file
* Decrypt private key with password secret
* Writes public key to rsapublickey.pem file
openssl rsa -in rsaprivatekey.pem -passin pass:secret -pubout -out rsapublickey.pem
writing RSA key
rsautl
* Use an RSA key pair to encrypt/decrypt and sign/verify
* Encrypt myfile.txt file
* Using public key from rsapublickey.pem file
* Write encrypted text to myfile_cipher.txt file
openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in myfile.txt -out myfile_cipher.txt
Loading 'screen' into random state - done
* Decrypt myfile_cipher.txt file
* Using private key from rsaprivatekey.pem file
* Write decrypted text to myfile_decipher.txt
openssl rsautl -decrypt -inkey rsaprivatekey.pem -in myfile_cipher.txt -out myfile_decipher.txt
Loading 'screen' into random state - done
Enter pass phrase for rsaprivatekey.pem:
* Sign myfile.txt
* Using private key from rsaprivatekey.pem
* Write signature to myfile_signature.bin file
openssl rsautl -sign -inkey rsaprivatekey.pem -in myfile.txt -out myfile_signature.bin
Loading 'screen' into random state - done
Enter pass phrase for rsaprivatekey.pem:
* Verify myfile_signature.bin file
* Using public key from rsapublickey.pem
* Write verified, unsigned data to myfile_verify.txt file
openssl rsautl -verify -pubin -inkey rsapublickey.pem -in myfile_signature.bin -out myfile_verify.txt
Loading 'screen' into random state - done
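The dgst sign/verify and rsautl encrypt/decrypt commands above, as an added script that is not part of the original post. It also shows two failure modes the post does not: a file altered after signing fails verification, and rsautl refuses input longer than the RSA modulus allows. It assumes openssl is on PATH; the file names, directory and pass phrase are made up, and it uses SHA-256 and AES-256 where the post uses SHA-1 and 3DES.

```shell
#!/bin/sh
# Added example, not from the original post: dgst signing and rsautl
# encryption as functions, plus the two failure modes described above.
# Assumes openssl on PATH; file names and the pass phrase are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="pass:secret"           # a pass: source, as in the post's genrsa example

make_keys() {
    # 2048-bit key, encrypted with AES-256 (the post encrypts with 3DES)
    openssl genrsa -aes256 -passout "$PASS" -out "$WORK/rsaprivate.pem" 2048 2>/dev/null
    # Public key derived from the private key (the post's "rsa -pubout")
    openssl rsa -in "$WORK/rsaprivate.pem" -passin "$PASS" -pubout \
        -out "$WORK/rsapublic.pem" 2>/dev/null
}

sign_file() {
    # Writes the signature of $1 to $1.sig; SHA-256 instead of the post's SHA-1
    openssl dgst -sha256 -sign "$WORK/rsaprivate.pem" -passin "$PASS" \
        -out "$1.sig" "$1"
}

verify_file() {
    # Prints OK when $1.sig matches $1 under the public key, BAD otherwise
    if openssl dgst -sha256 -verify "$WORK/rsapublic.pem" \
            -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo BAD; return 1
    fi
}

rsautl_roundtrip() {
    # Encrypts $1 with the public key and decrypts with the private key.
    # Prints OK if the plaintext comes back, TOO_LONG if rsautl refuses the
    # input: PKCS#1 v1.5 fits at most key bytes - 11, i.e. 245 for 2048 bits
    if ! openssl rsautl -encrypt -pubin -inkey "$WORK/rsapublic.pem" \
            -in "$1" -out "$1.enc" 2>/dev/null; then
        echo TOO_LONG; return 1
    fi
    openssl rsautl -decrypt -inkey "$WORK/rsaprivate.pem" -passin "$PASS" \
        -in "$1.enc" -out "$1.dec" 2>/dev/null
    # Compare digests of plaintext and decrypted output
    [ "$(openssl dgst -sha256 < "$1")" = "$(openssl dgst -sha256 < "$1.dec")" ] && echo OK
}

make_keys
F="$WORK/myfile.txt"
printf 'hello, world\n' > "$F"
sign_file "$F"
echo "original: $(verify_file "$F")"                      # OK
printf 'hello, world!\n' > "$F"                           # one byte appended
echo "tampered: $(verify_file "$F")"                      # BAD
head -c 245 /dev/zero > "$WORK/max.bin"
echo "245 bytes: $(rsautl_roundtrip "$WORK/max.bin")"     # OK
head -c 246 /dev/zero > "$WORK/over.bin"
echo "246 bytes: $(rsautl_roundtrip "$WORK/over.bin")"    # TOO_LONG
```

rsautl is deprecated in OpenSSL 3 in favour of pkeyutl, but still runs; the size limit is why RSA is used to wrap a symmetric key rather than to encrypt files directly.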
S/MIME vs. PGP
S/MIME uses PKI while PGP does not.
PKI: Public Key Infrastructure
Certificate
* Binds a public key to a distinguished name
* Most likely uses X.509 format
* Has a serial number that is unique to the issuer
* Has expiration date
* Is signed with issuer’s private key
* Can be verified with issuer’s public key
X.509v3 Certificate Extensions
* Defines 14 extensions
* Only four of the fourteen extensions are well documented and widely used
CA: Certificate Authorities
* A company or organization that issues certificates
Private CA
Public CA
Install
Build and install in Unix
$ ./config
$ make
$ make test      # Optional.
$ su             # "make install" needs root access
# make install
* Installed location (Solaris): /usr/local/ssl
Install in Linux using yum
yum install openssl*
Install in Windows
* Download and install Visual C++ 2008 Redistributables
* Download Win 32 OpenSSL, e.g. Win32OpenSSL-1_0_0d.exe
– Double click to start installer
– Accept all defaults except:
~ Copy OpenSSL DLLs to: The OpenSSL binaries (/bin) directory
Setup CA
Create CA Environment
* Unix
mkdir /opt/exampleca
cd /opt/exampleca
mkdir certs private
chmod g-rwx,o-rwx private
echo '01' > serial
touch index.txt
* Windows
mkdir C:\OpenSSL\exampleca
cd C:\OpenSSL\exampleca
mkdir certs
mkdir private
echo 01 > serial
type nul > index.txt
Create a config file
* Create a config file named: openssl.conf
* Windows example:
[ ca ]
default_ca = exampleca

[ exampleca ]
dir = C:/OpenSSL/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = md5
policy = exampleca_policy
x509_extensions = certificate_extensions

[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = C:/OpenSSL/exampleca/private/cakey.pem
default_md = md5
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = www.exampleca.com
stateOrProvinceName = Virginia
countryName = US
emailAddress = ca@exampleca.com
organizationName = Example CA
commonName_default = Example CA
stateOrProvinceName_default = Virginia
countryName_default = US
emailAddress_default = ca@exampleca.com
organizationName_default = Example CA
* The Unix example is the same except for the directory names:
...
dir = /opt/exampleca
...
default_keyfile = /opt/exampleca/private/cakey.pem
* Set OPENSSL_CONF env var
Unix:
export OPENSSL_CONF=/opt/exampleca/openssl.conf
Windows:
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf
* Alternatively, pass -config /opt/exampleca/openssl.conf on the command line
Generate a self signed root certificate
# Set config file to exampleca openssl.conf
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf
# Use -days to specify validity days
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM
* Sample output
C:\OpenSSL\exampleca>openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
....................+++
..................................................................................................+++
writing new private key to 'C:/OpenSSL/exampleca/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
commonName, e.g. www.exampleca.com [Example CA]:
stateOrProvinceName, e.g. Virginia [Virginia]:
countryName, e.g. US [US]:
emailAddress, e.g ca@exampleca.com [ca@exampleca.com]:
organizationName, e.g. Example CA [Example CA]:
List root certificate
openssl x509 -in cacert.pem -text -noout
* Sample output:
C:\OpenSSL\exampleca>openssl x509 -in cacert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fc:ca:2a:ca:4c:b5:cc:1a
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Validity
            Not Before: Jun 27 15:15:17 2011 GMT
            Not After : Jul 27 15:15:17 2011 GMT
        Subject: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        ...
Generate a certificate request
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf
openssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM
* Sample output
C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......................................................................................++++++
.......................................++++++
writing new private key to 'sample_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
commonName, e.g. www.exampleca.com [Example CA]:localhost
stateOrProvinceName, e.g. Virginia [Virginia]:
countryName, e.g. US [US]:
emailAddress, e.g ca@exampleca.com [ca@exampleca.com]:
organizationName, e.g. Example CA [Example CA]:
List certificate request
* Command
openssl req -in sample_req.pem -text -noout
* Sample output
C:\OpenSSL\exampleca>openssl req -in sample_req.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        ...
Sign a certificate request
set OPENSSL_CONF=C:\OpenSSL\exampleca\openssl.conf
openssl ca -in sample_req.pem
* Sample output
C:\OpenSSL\exampleca>openssl ca -in sample_req.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'localhost'
stateOrProvinceName   :PRINTABLE:'Virginia'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'ca@exampleca.com'
organizationName      :PRINTABLE:'Example CA'
Certificate is to be certified until Jun 26 15:25:03 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Validity
            Not Before: Jun 27 15:25:03 2011 GMT
            Not After : Jun 26 15:25:03 2012 GMT
        Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
* Cert generated in the exampleca\certs subdirectory.
C:\OpenSSL\exampleca>dir certs
 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  11:25 AM             3,281 sample_cert.pem
               1 File(s)          3,281 bytes
* Rename signed cert if needed
C:\OpenSSL\exampleca>cd certs

C:\OpenSSL\exampleca\certs>rename sample_cert.pem sample_cert.pem

C:\OpenSSL\exampleca\certs>dir
 Directory of C:\OpenSSL\exampleca\certs

06/27/2011  11:25 AM             3,281 sample_cert.pem
               1 File(s)          3,281 bytes
List Sample Cert
openssl x509 -in certs\sample_cert.pem -text -noout
* Sample output
C:\OpenSSL\exampleca>openssl x509 -in certs\sample_cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Validity
            Not Before: Jun 27 15:25:03 2011 GMT
            Not After : Jun 26 15:25:03 2012 GMT
        Subject: CN=localhost, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Example CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        ...
Revoke a certificate
openssl ca -revoke certs\sample_cert.pem
* Sample output
C:\OpenSSL\exampleca>openssl ca -revoke certs\sample_cert.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
Generate CRL
openssl ca -gencrl -out exampleca.crl
* Sample output
C:\OpenSSL\exampleca>openssl ca -gencrl -out exampleca.crl
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:

C:\OpenSSL\exampleca>dir *.crl
 Directory of C:\OpenSSL\exampleca

06/27/2011  11:37 AM               670 exampleca.crl
               1 File(s)            670 bytes
* List CRL file
C:\OpenSSL\exampleca>openssl crl -in exampleca.crl -text -noout
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /CN=Example CA/ST=Virginia/C=US/emailAddress=ca@exampleca.com/O=Example CA
        Last Update: Jun 27 15:37:57 2011 GMT
        Next Update: Jul  4 15:37:57 2011 GMT
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun 27 15:37:12 2011 GMT
    Signature Algorithm: md5WithRSAEncryption
        ...
* Verify that CRL file is valid with CA public key
C:\OpenSSL\exampleca>openssl crl -in exampleca.crl -noout -CAfile cacert.pem
verify OK
Update DB
openssl ca -updatedb
* Sample output
C:\OpenSSL\exampleca>openssl ca -updatedb
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
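The whole Setup CA procedure above (environment, config, self-signed root, request, signing, revocation, CRL) as an added Unix script that is not part of the original post. It runs non-interactively and finishes with the check a relying party should make: chain validation against the CA certificate plus a CRL check, which passes for a freshly issued certificate and reports it as revoked after the revoke step. It assumes openssl is on PATH; the directory, DNs and CA pass phrase are made up, and it uses sha256 where the post's config uses md5.

```shell
#!/bin/sh
# Added example, not from the original post: the CA procedure run end to end.
# Assumes openssl on PATH; directory, DNs and the CA pass phrase are made up.
# Deliberate differences from the post's openssl.conf: default_md is sha256
# rather than md5, and subject names are given with -subj instead of prompts.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS="pass:ca-secret"

setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"            # same intent as chmod g-rwx,o-rwx
    echo '01' > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.conf" <<EOF
[ ca ]
default_ca = exampleca
[ exampleca ]
dir = $CA_DIR
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = exampleca_policy
x509_extensions = certificate_extensions
[ exampleca_policy ]
commonName = supplied
organizationName = supplied
countryName = supplied
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    export OPENSSL_CONF="$CA_DIR/openssl.conf"
    # Self-signed root with an encrypted 2048-bit key (the post's "req -x509")
    openssl req -x509 -newkey rsa:2048 -days 365 -passout "$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/CN=Example CA/O=Example CA/C=US" 2>/dev/null
    gen_crl                                # publish an (empty) CRL from day one
}

gen_crl() {
    openssl ca -batch -passin "$CA_PASS" -gencrl -out "$CA_DIR/exampleca.crl" 2>/dev/null
}

issue_cert() {
    # $1 = common name, $2 = base name for the key, request and certificate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$CA_DIR/$2.key" \
        -out "$CA_DIR/$2.csr" -subj "/CN=$1/O=Example CA/C=US" 2>/dev/null
    openssl ca -batch -notext -passin "$CA_PASS" -in "$CA_DIR/$2.csr" \
        -out "$CA_DIR/$2.pem" 2>/dev/null
}

revoke_cert() {
    # Mark $1.pem revoked in index.txt and publish a fresh CRL
    openssl ca -batch -passin "$CA_PASS" -revoke "$CA_DIR/$1.pem" 2>/dev/null
    gen_crl
}

check_cert() {
    # Prints OK, REVOKED or FAIL for $1.pem: chain check plus CRL check
    out=$(openssl verify -CAfile "$CA_DIR/cacert.pem" \
            -CRLfile "$CA_DIR/exampleca.crl" -crl_check "$CA_DIR/$1.pem" 2>&1) \
        && { echo OK; return 0; }
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *) echo FAIL ;;
    esac
    return 1
}

setup_ca
issue_cert localhost sample
echo "after issue:  $(check_cert sample)"   # OK
revoke_cert sample
echo "after revoke: $(check_cert sample)"   # REVOKED
```

Without -crl_check the revoked certificate still verifies, which is the point of the post's "Compromised server credentials" pitfall: a CRL only protects clients that actually consult it.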