{"id":742,"date":"2009-04-15T09:33:40","date_gmt":"2009-04-15T14:33:40","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=742"},"modified":"2013-10-21T20:55:09","modified_gmt":"2013-10-22T01:55:09","slug":"openssl","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=742","title":{"rendered":"OpenSSL"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tIntro<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tSSL Pitfalls<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tOpenSSL Overview<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tConfig file<\/a>\n\t\t\t<\/li>\n\t\t\t
    4. \n\t\t\t\tSpecify passwords or pass phrases in command line<\/a>\n\t\t\t<\/li>\n\t\t\t
    5. \n\t\t\t\tSeeding PRNG (Pseudo Random Number Generator)<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    6. \n\t\tMessage Digest<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tSupported Message Digest Algorithms<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      2. \n\t\tSymmetric Ciphers<\/a>\n\t\t
          \n\t\t\t
        1. \n\t\t\t\tSupported ciphers<\/a>\n\t\t\t<\/li>\n\t\t\t
        2. \n\t\t\t\tSupported modes<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
        3. \n\t\tPublic Key Cryptography<\/a>\n\t\t
            \n\t\t\t
          1. \n\t\t\t\tRSA<\/a>\n\t\t\t\t
              \n\t\t\t\t\t
            1. \n\t\t\t\t\t\tBenifits<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
            2. \n\t\t\t\t\t\tCommands<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
            3. \n\t\t\t\tS\/MIME vs. PGP<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
            4. \n\t\tPKI: Public Key Infrastructure<\/a>\n\t\t
                \n\t\t\t
              1. \n\t\t\t\tCertificate<\/a>\n\t\t\t\t
                  \n\t\t\t\t\t
                1. \n\t\t\t\t\t\tX.509v3 Certificate Extensions<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                2. \n\t\t\t\tCA: Certificate Authorities<\/a>\n\t\t\t\t
                    \n\t\t\t\t\t
                  1. \n\t\t\t\t\t\tPrivate CA<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  2. \n\t\t\t\t\t\tPublic CA<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
                  3. \n\t\t\t\tInstall<\/a>\n\t\t\t\t
                      \n\t\t\t\t\t
                    1. \n\t\t\t\t\t\tBuild and install in Unix<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                    2. \n\t\t\t\t\t\tInstall in Linux using yum<\/em><\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                    3. \n\t\t\t\t\t\tInstall in Windows<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                    4. \n\t\t\t\tSetup CA<\/a>\n\t\t\t\t
                        \n\t\t\t\t\t
                      1. \n\t\t\t\t\t\tCreate CA Environment<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      2. \n\t\t\t\t\t\tCreate a config file<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      3. \n\t\t\t\t\t\tGenerate a self signed root certificate<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      4. \n\t\t\t\t\t\tList root certificate<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      5. \n\t\t\t\t\t\tGenerate a certificate request<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      6. \n\t\t\t\t\t\tList certificate request<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      7. \n\t\t\t\t\t\tSign a certificate request<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      8. \n\t\t\t\t\t\tList Sample Cert<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      9. \n\t\t\t\t\t\tRevoke a certificate<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      10. \n\t\t\t\t\t\tGenerate CRL<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                      11. \n\t\t\t\t\t\tUpdate DB<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                      12. \n\t\t\t\tReferences<\/a>\n\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                         <\/div>\n

                        Intro<\/h2><\/span>\n

                        SSL Pitfalls<\/h3><\/span>\n

                        * Processing overhead
                        \n– Use: cryptographic acceleration hardware, load balancing
                        \n* Keys in the clear
                        \n– Lock down environment
                        \n* Compromised server credentials
                        \n– Use: CRL (Certificate Revocation List)
                        \n* Inadequate entropy (higher the entropy, the more difficult to guess)
                        \n– Use entropy larger than 64 bits
                        \n* Insecure cryptography
                        \n– Use SSLv3 protocol
                        \n– Use RC4, 3DES, AES algorithm<\/p>\n

                        OpenSSL Overview<\/h3><\/span>\n

                        * Started as SSLeay by Eric A. Young and Tim J. Hudson in 1995
                        \n* First release in 1998 as 0.9.1c
                        \n* Contains two tool kits
                        \n# Cryptography library
                        \n– Symmetric key algorithms
                        \n– Public key algorithms
                        \n– Hash algorithms
                        \n– Message digests
                        \n# SSL toolkit
                        \n– Implements all versions of SSL protocol including TLSv1<\/p>\n

                        Config file<\/h3><\/span>\n

                        * Only three commands use config file (ca, req, x509)<\/p>\n

                        Specify passwords or pass phrases in command line<\/h3><\/span>\n

                        * stdin
                        \n* pass:\n* env:
                        \n* file:
                        \n* fd:<\/p>\n

                        Seeding PRNG (Pseudo Random Number Generator)<\/h3><\/span>\n

                        * Preferred: EGADS (Entropy Gathering And Distribution System) at http:\/\/www.securesw.com\/egads\/.<\/p>\n

                        Message Digest<\/h2><\/span>\n

                        Supported Message Digest Algorithms<\/h3><\/span>\n

                        Recommended<\/strong>
                        \n* SHA1 (DSS1)
                        \n* RIPEMD-160 (rmd160)
                        \nNot recommended<\/strong>
                        \n* MD2
                        \n* MD4
                        \n* MD5
                        \n* MDC2
                        \nExamples<\/strong><\/p>\n

                        \r\n* Compute SHA1 hash for myfile.txt\r\n* Write result to stdout:\r\nopenssl dgst -sha1 myfile.txt\r\n\r\n* Compute SHA1 hash for myfile.txt\r\n* Write result to myfile_digest.txt file\r\nopenssl sha1 -out myfile_digest.txt myfile.txt\r\n\r\n* Compute SHA1 hash for myfile.txt\r\n* Sign with private key stored in dsakey.pem file\r\n* Write signature to myfile_dsasign.bin file\r\nopenssl dgst -dss1 -sign dsakey.pem -out myfile_dsasign.bin myfile.txt\r\n\r\n* Verify myfile.txt signature stored in myfile_dsasign.bin\r\n* With SHA1 algorithm\r\n* With private key stored in dsakey.pem file\r\nopenssl dgst -dss1 -prverify dsakey.pem -signature myfile_dsasign.bin myfile.txt\r\n\r\n* Compute SHA1 hash for myfile.txt\r\n* Sign with RSA private key stored in rsaprivate.pem file\r\n* Write signature to myfile_rsasign.bin file \r\nopenssl sha1 -sign rsaprivate.pem -out myfile_rsasign.bin myfile.txt\r\n\r\n* Verify myfile.txt signature stored in myfile_rsasign.bin\r\n* With SHA1 alorithm\r\n* With public key stored in rsapublic.pem file\r\nopenssl sha1 -verify rsapublic.pem -signature myfile_rsasign.bin myfile.txt\r\n<\/pre>\n
                        Symmetric Ciphers<\/h2><\/span>\n
                        Supported ciphers<\/h3><\/span>\n
                        * Blowfish
                        \n* CAST5
                        \n* DES
                        \n* 3DES
                        \n* IDEA
                        \n* RC2
                        \n* RC4
                        \n* RC5
                        \n* AES<\/p>\n
                        Supported modes<\/h3><\/span>\n
                        * CBC (default)
                        \n* CFB
                        \n* ECB
                        \n* OFB<\/p>\n
                        Public Key Cryptography<\/h2><\/span>\n
                        RSA<\/h3><\/span>\n
                        Benifits<\/h4><\/span>\n
                        * Handles secrecy, authentication, and encryption
                        \n* Does not require parameters to be generated before keys can be generated<\/p>\n
                        Commands<\/h4><\/span>\n
                        genrsa<\/h5><\/span>\n
                        * Generate new RSA private key
                        \n* Private key is unencrypted by default but can be encrypted by DES, 3DES, IDEA
                        \n* Recommended key sizes: 1024 or 2048<\/p>\n
                        \r\n* Generate a 1024 bit RSA private key and store it in rsaprivatekey.pem file\r\n* Encrypt private key with 3DES algorithm with the password secret\r\nopenssl genrsa -out rsaprivatekey.pem -passout pass:secret -des3 1024\r\nLoading 'screen' into random state - done\r\nGenerating RSA private key, 1024 bit long modulus\r\n........................................................................++++++\r\n.++++++\r\ne is 65537 (0x10001)\r\n<\/pre>\n
                        rsa<\/h5><\/span>\n
                        * Used to examine and manipulate RSA keys
                        \n* display\/add\/modify\/remove\/encrypt private keys
                        \n* Produce public key from private key<\/p>\n
                        \r\n* Reads private key in rsaprivatekey.pem file\r\n* Decrypt private key with password secret\r\n* Writes public key to rsapublickey.pem file\r\nopenssl rsa -in rsaprivatekey.pem -passin pass:secret -pubout -out rsapublickey.pem\r\nwriting RSA key\r\n<\/pre>\n
                        rsautl<\/h5><\/span>\n
                        * Use an RSA key pair to encrypt\/decrypt and sign\/verify<\/p>\n
                        \r\n* Encrypt myfile.txt file\r\n* Using public key from rsapublickey.pem file\r\n* Write encrypted text to myfile_cipher.txt file\r\nopenssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in myfile.txt -out myfile_cipher.txt\r\nLoading 'screen' into random state - done\r\n\r\n* Decrypt myfile_cipher.txt file\r\n* Using private key from rsaprivatekey.pem file\r\n* Write decrypted text to myfile_decipher.txt\r\nopenssl rsautl -decrypt -inkey rsaprivatekey.pem -in myfile_cipher.txt -out myfile_decipher.txt\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for rsaprivatekey.pem:\r\n\r\n* Sign myfile.txt\r\n* Using private key from rsaprivatekey.pem\r\n* Write signature to myfile_signature.bin file\r\nopenssl rsautl -sign -inkey rsaprivatekey.pem -in myfile.txt -out myfile_signature.bin\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for rsaprivatekey.pem:\r\n\r\n* Verify myfile_signature.bin file\r\n* Using public key from rsapublickey.pem\r\n* Write verified, unsigned data to myfile_verify.txt file\r\nopenssl rsautl -verify -pubin -inkey rsapublickey.pem -in myfile_signature.bin -out myfile_verify.txt\r\nLoading 'screen' into random state - done\r\n<\/pre>\n
                        S\/MIME vs. PGP<\/h3><\/span>\n
                        S\/MIME uses PKI while PGP not.<\/p>\n
                        PKI: Public Key Infrastructure<\/h2><\/span>\n
                        Certificate<\/h3><\/span>\n
                        * Binds a public key to a distinguished name
                        \n* Most likely uses X.509 format
                        \n* Has a issuer unique serial number
                        \n* Has expiration date
                        \n* Is signed with issuer’s private key
                        \n* Can be verified with issuer’s public key<\/p>\n
                        X.509v3 Certificate Extensions<\/h4><\/span>\n
                        * Defines 14 extensions
                        \n* Only four of the fourteen extensions are well documented and widely used<\/p>\n
                        CA: Certificate Authorities<\/h3><\/span>\n
                        * A company or organization that issues certificates<\/p>\n
                        Private CA<\/h4><\/span>\n
                        Public CA<\/h4><\/span>\n
                        Install<\/h2><\/span>\n
                        Build and install in Unix<\/h3><\/span>\n
                        \r\n$ .\/config\r\n$ make\r\n$ make test # Optional.\r\n$ su  # \"make install\" needs root access\r\n# make install\r\n<\/pre>\n
                        * Installed location (Solaris): \/usr\/local\/ssl<\/p>\n
                        Install in Linux using yum<\/em><\/h3><\/span>\n
                        \r\nyum install openssl*\r\n<\/pre>\n
                        Install in Windows<\/h3><\/span>\n
                        * Download and install Visual C++ 2008 Redistributables<\/a>
                        \n* Download Win 32 OpenSSL, e.g.                         Win32OpenSSL-1_0_0d.exe<\/a>
                        \n– Double click to start installer
                        \n– Accept all defaults except:
                        \n~ Copy OpenSSL DLLs to: The OpenSSL binaries(\/bin) directory<\/p>\n
                        Setup CA<\/h2><\/span>\n
                        Create CA Environment<\/h3><\/span>\n
                        * Unix<\/p>\n
                        \r\nmkdir \/opt\/exampleca\r\ncd \/opt\/exampleca\r\nmkdir certs private\r\nchmod g-rwx,o-rwx private\r\necho '01' > serial\r\ntouch index.txt\r\n<\/pre>\n
                        * Windows<\/p>\n
                        \r\nmkdir C:\\OpenSSL\\exampleca\r\ncd C:\\OpenSSL\\exampleca\r\nmkdir certs\r\nmkdir private\r\necho 01 > serial\r\ntype nul > index.txt\r\n<\/pre>\n
                        Create a config file<\/h3><\/span>\n
                        *Create a config file named: openssl.conf<\/strong>
                        \n* Windows example:<\/p>\n
                        \r\n[ ca ]\r\ndefault_ca = exampleca\r\n\r\n[ exampleca ]\r\ndir              = C:\/OpenSSL\/exampleca\r\ncertificate      = $dir\/cacert.pem\r\ndatabase         = $dir\/index.txt\r\nnew_certs_dir    = $dir\/certs\r\nprivate_key      = $dir\/private\/cakey.pem\r\nserial           = $dir\/serial\r\n\r\ndefault_crl_days = 7\r\ndefault_days     = 365\r\ndefault_md       = md5\r\n\r\npolicy           = exampleca_policy\r\nx509_extensions  = certificate_extensions\r\n\r\n[ exampleca_policy ]\r\ncommonName             = supplied\r\nstateOrProvinceName    = supplied\r\ncountryName            = supplied\r\nemailAddress           = supplied\r\norganizationName       = supplied\r\norganizationalUnitName = optional\r\n\r\n[ certificate_extensions ]\r\nbasicConstraints = CA:false\r\n\r\n[ req ]\r\ndefault_bits       = 2048\r\ndefault_keyfile    = C:\/OpenSSL\/exampleca\/private\/cakey.pem\r\ndefault_md         = md5\r\n\r\nprompt             = yes\r\ndistinguished_name = root_ca_distinguished_name\r\n\r\nx509_extensions    = root_ca_extensions\r\n\r\n[ root_ca_distinguished_name ]\r\ncommonName          = www.exampleca.com\r\nstateOrProvinceName = Virginia\r\ncountryName         = US\r\nemailAddress        = ca@exampleca.com\r\norganizationName    = Example CA\r\n\r\ncommonName_default          = Example CA\r\nstateOrProvinceName_default = Virginia\r\ncountryName_default         = US\r\nemailAddress_default        = ca@exampleca.com\r\norganizationName_default    = Example CA\r\n<\/pre>\n
                        * Unix example is same except directory names are different:<\/p>\n
                        \r\n...\r\ndir              = \/opt\/exampleca\r\n...\r\ndefault_keyfile    = \/opt\/exampleca\/private\/cakey.pem\r\n<\/pre>\n
                        * Set OPENSSL_CONF<\/em> env var
                        \nUnix:<\/p>\n
                        export OPENSSL_CONF=\/opt\/exampleca\/openssl.conf<\/pre>\n
                        Windows:<\/p>\n
                        \r\nset OPENSSL_CONF=C:\\OpenSSL\\exampleca\\openssl.conf\r\n<\/pre>\n
                        * Alternatively, use config=\/opt\/exampleca\/openssl.conf<\/em> on the command line<\/p>\n
                        Generate a self signed root certificate<\/h3><\/span>\n
                        \r\n# Set config file to exampleca openssl.cof\r\nset OPENSSL_CONF=C:\\OpenSSL\\exampleca\\openssl.conf\r\n\r\n# Use -days to specify validity days\r\nopenssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM\r\nLoading 'screen' into random state - done\r\nGenerating a 2048 bit RSA private key\r\n....................+++\r\n..................................................................................................+++\r\nwriting new private key to 'C:\/OpenSSL\/exampleca\/private\/cakey.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\ncommonName, e.g. www.exampleca.com [Example CA]:\r\nstateOrProvinceName, e.g. Virginia [Virginia]:\r\ncountryName, e.g. US [US]:\r\nemailAddress, e.g ca@exampleca.com [ca@exampleca.com]:\r\norganizationName, e.g. Example CA [Example CA]:<\/pre>\n
                        List root certificate<\/h3><\/span>\n
                        \r\nopenssl x509 -in cacert.pem -text -noout\r\n<\/pre>\n
                        * Sample output:<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl x509 -in cacert.pem -text -noout\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            fc:ca:2a:ca:4c:b5:cc:1a\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Validity\r\n            Not Before: Jun 27 15:15:17 2011 GMT\r\n            Not After : Jul 27 15:15:17 2011 GMT\r\n        Subject: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:b0:7c:ef:57:28:26:0d:ef:b2:da:b4:11:fa:e6:\r\n                    e7:71:ae:ba:58:fc:3a:07:17:3c:22:06:4a:90:b9:\r\n                    5f:ef:72:1d:c2:85:8d:57:34:43:3e:f8:5f:54:47:\r\n                    35:a6:97:37:8d:41:64:f2:eb:df:be:7e:a4:52:7f:\r\n                    3e:2f:73:da:bb:da:7a:21:a9:fa:be:99:9e:8b:8d:\r\n                    49:05:08:01:3f:c0:ff:37:0f:e2:14:66:9f:41:d5:\r\n                    74:ed:6e:df:6a:58:4f:6d:ee:67:67:71:be:38:8e:\r\n                    1e:90:e7:28:6d:4c:10:b7:c2:91:a9:35:a4:f7:c5:\r\n                    bc:0c:69:59:1f:26:7d:a3:76:e1:be:5f:b1:f5:89:\r\n                    bf:76:66:c3:21:f1:a9:97:b7:27:5c:81:56:57:2b:\r\n                    ce:91:7d:64:43:49:c1:da:af:44:d3:fb:c0:04:8c:\r\n                    46:44:ea:66:d5:fa:6b:37:18:d2:f5:4b:b4:36:6b:\r\n                    d3:69:c0:fc:70:b5:2a:78:35:44:3d:68:e6:9f:22:\r\n                    79:6b:fd:f5:db:87:38:98:15:56:b4:00:e2:4b:01:\r\n                    28:69:53:1c:3e:60:2b:a2:52:3c:3b:6d:10:b7:b9:\r\n                    7e:b0:cd:e9:38:f8:4b:98:8f:aa:ee:b9:06:e4:c0:\r\n                    66:f5:fd:39:09:fd:f7:8f:1e:88:e0:57:51:e5:53:\r\n                    d7:13\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints:\r\n                CA:TRUE\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        1e:bf:b8:67:1a:53:96:23:1e:91:85:2e:ab:58:86:c9:1e:6d:\r\n        12:a1:53:a7:e9:1d:37:2c:e3:6b:67:44:b5:ef:8f:58:fc:4f:\r\n        60:cb:d6:ad:d9:e0:ac:a1:d9:11:f5:fd:83:76:1e:3c:25:23:\r\n        f1:c7:ce:b6:ef:18:91:02:a3:f3:5d:b0:7b:23:22:06:d1:b6:\r\n        b1:20:61:4c:a7:be:03:58:94:0c:4f:df:fd:d4:01:63:e9:12:\r\n        cb:95:97:58:c1:cb:60:15:4e:dd:38:89:d7:25:40:ab:c0:ff:\r\n        71:15:ab:9c:6d:5d:3f:2b:4f:20:5f:a5:79:33:63:2c:79:0e:\r\n        9c:1e:9c:f7:2a:16:ae:74:78:2b:67:54:48:ad:d9:13:bf:c4:\r\n        23:0d:8e:da:79:a0:e5:d1:11:29:a8:21:b3:a4:3b:91:93:22:\r\n        fe:2e:bf:d8:42:64:01:66:05:93:39:bb:23:88:04:bf:3d:93:\r\n        ec:78:b6:dc:16:5c:ec:f6:6f:0c:ab:49:7b:78:e5:fb:93:fa:\r\n        c8:c1:27:e7:f3:ed:f3:32:dc:80:82:0f:7a:bd:c1:63:0e:48:\r\n        a6:dd:8b:b0:97:d2:62:94:ab:90:25:57:06:39:6d:3c:57:49:\r\n        98:68:d0:0b:95:bf:42:a1:8a:5c:4a:13:e5:ba:e0:4c:54:b6:\r\n        dc:95:8b:37\r\n<\/pre>\n
                        Generate a certificate request<\/h3><\/span>\n
                        \r\nset OPENSSL_CONF=C:\\OpenSSL\\exampleca\\openssl.conf\r\nopenssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl req -newkey rsa:1024 -keyout sample_key.pem -keyform PEM -out sample_req.pem -outform PEM\r\nLoading 'screen' into random state - done\r\nGenerating a 1024 bit RSA private key\r\n......................................................................................++++++\r\n.......................................++++++\r\nwriting new private key to 'sample_key.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\ncommonName, e.g. www.exampleca.com [Example CA]:localhost\r\nstateOrProvinceName, e.g. Virginia [Virginia]:\r\ncountryName, e.g. US [US]:\r\nemailAddress, e.g ca@exampleca.com [ca@exampleca.com]:\r\norganizationName, e.g. Example CA [Example CA]:\r\n<\/pre>\n
                        List certificate request<\/h3><\/span>\n
                        * Command<\/p>\n
                        \r\nopenssl req -in sample_req.pem -text -noout\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl req -in sample_req.pem -text -noout\r\nCertificate Request:\r\n    Data:\r\n        Version: 0 (0x0)\r\n        Subject: CN=localhost, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:\r\n                    a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:\r\n                    32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:\r\n                    66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:\r\n                    77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:\r\n                    35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:\r\n                    89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:\r\n                    ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:\r\n                    a4:54:4c:03:65:13:d0:ae:01\r\n                Exponent: 65537 (0x10001)\r\n        Attributes:\r\n            a0:00\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        26:93:63:3b:13:f2:91:c0:df:df:c8:dd:ef:0f:f8:c4:ab:7b:\r\n        6b:5f:5b:80:13:e0:2b:f0:e9:e2:b6:83:7d:36:fd:81:61:55:\r\n        93:68:d5:0e:85:a3:68:e4:ff:e5:a2:43:56:c0:75:62:2f:d3:\r\n        eb:a7:51:ba:ce:39:23:e4:fc:ff:90:4e:89:53:54:32:99:66:\r\n        00:0c:16:22:7d:b2:34:32:9b:75:02:5f:e2:21:90:4b:71:9d:\r\n        00:9e:50:49:22:66:74:88:72:55:51:a6:d3:4d:a6:01:77:25:\r\n        be:46:cb:9f:b2:b1:ac:34:3e:f5:ad:b6:6a:50:81:af:da:4e:\r\n        73:7a\r\n<\/pre>\n
                        Sign a certificate request<\/h3><\/span>\n
                        \r\nset OPENSSL_CONF=C:\\OpenSSL\\exampleca\\openssl.conf\r\nopenssl ca -in sample_req.pem\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl ca -in sample_req.pem\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncommonName            :PRINTABLE:'localhost'\r\nstateOrProvinceName   :PRINTABLE:'Virginia'\r\ncountryName           :PRINTABLE:'US'\r\nemailAddress          :IA5STRING:'ca@exampleca.com'\r\norganizationName      :PRINTABLE:'Example CA'\r\nCertificate is to be certified until Jun 26 15:25:03 2012 GMT (365 days)\r\nSign the certificate? [y\/n]:y\r\n\r\n1 out of 1 certificate requests certified, commit? [y\/n]y\r\nWrite out database with 1 new entries\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number: 1 (0x1)\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Validity\r\n            Not Before: Jun 27 15:25:03 2011 GMT\r\n            Not After : Jun 26 15:25:03 2012 GMT\r\n        Subject: CN=localhost, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:\r\n                    a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:\r\n                    32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:\r\n                    66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:\r\n                    77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:\r\n                    35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:\r\n                    89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:\r\n                    ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:\r\n                    a4:54:4c:03:65:13:d0:ae:01\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints:\r\n                CA:FALSE\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        62:a4:0a:79:3a:bf:2f:f9:3c:26:df:2b:38:9e:8d:f8:8f:a8:\r\n        31:6e:9a:0e:2a:4f:fe:c7:b2:b3:b1:26:8a:97:cd:43:46:03:\r\n        78:eb:c0:47:cb:db:60:de:2a:d0:ae:70:f1:16:16:ab:00:a1:\r\n        b8:7a:0a:bc:78:48:a9:73:34:d5:74:90:49:ba:6e:0a:a9:94:\r\n        52:78:3f:ba:f1:2b:d2:b3:df:6c:1d:77:e8:8a:55:5d:81:04:\r\n        1d:a6:82:99:88:26:ef:37:f1:71:f9:05:c3:bd:89:7e:0c:1e:\r\n        25:61:ad:d6:46:26:d5:67:53:01:74:08:58:19:cc:5d:fd:64:\r\n        0e:17:e8:78:d1:47:b8:c7:48:86:a5:da:f7:b5:8d:c9:00:ff:\r\n        3c:9e:5c:23:9f:6c:cd:21:f3:76:3e:29:8f:3d:d7:c4:93:b0:\r\n        59:dd:94:c0:c0:65:74:f1:32:7f:a9:e4:40:3a:11:f7:28:c4:\r\n        3e:85:07:f3:bf:21:78:60:7b:6f:9b:7f:4b:39:11:38:4f:05:\r\n        60:03:40:4b:6e:cd:b6:21:ea:cb:23:da:f7:27:55:34:62:7f:\r\n        6e:b5:25:c5:60:24:0b:0b:a6:67:66:dd:9c:8b:e8:af:bb:00:\r\n        bf:3e:a5:1b:11:3f:de:b5:26:6b:af:b3:ae:7b:48:ce:ac:88:\r\n        7d:ba:e9:ac\r\n-----BEGIN CERTIFICATE-----\r\nMIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQQFADBrMRMwEQYDVQQDEwpFeGFt\r\ncGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG\r\n9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwHhcN\r\nMTEwNjI3MTUyNTAzWhcNMTIwNjI2MTUyNTAzWjBqMRIwEAYDVQQDEwlsb2NhbGhv\r\nc3QxETAPBgNVBAgTCFZpcmdpbmlhMQswCQYDVQQGEwJVUzEfMB0GCSqGSIb3DQEJ\r\nARYQY2FAZXhhbXBsZWNhLmNvbTETMBEGA1UEChMKRXhhbXBsZSBDQTCBnzANBgkq\r\nhkiG9w0BAQEFAAOBjQAwgYkCgYEAmZcz3SOhfwUw7k2JQOWpnczc0R7eIpHighUE\r\n5Qoy9oi+RPpi3O\/vHXFoZxdm\/uhZK8NpN0gKseICJVN3AhzuQiHFO2ib9N4T\/VQ1\r\nq\/fcf+dk9+5jP0nKa\/6JKMezn4U7Uh7y6E5mifzKoMUBEOhKPgOY7hB3SLmkVEwD\r\nZRPQrgECAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQQFAAOCAQEAYqQK\r\neTq\/L\/k8Jt8rOJ6N+I+oMW6aDipP\/seys7EmipfNQ0YDeOvAR8vbYN4q0K5w8RYW\r\nqwChuHoKvHhIqXM01XSQSbpuCqmUUng\/uvEr0rPfbB136IpVXYEEHaaCmYgm7zfx\r\ncfkFw72JfgweJWGt1kYm1WdTAXQIWBnMXf1kDhfoeNFHuMdIhqXa97WNyQD\/PJ5c\r\nI59szSHzdj4pjz3XxJOwWd2UwMBldPEyf6nkQDoR9yjEPoUH878heGB7b5t\/SzkR\r\nOE8FYANAS27NtiHqyyPa9ydVNGJ\/brUlxWAkCwumZ2bdnIvor7sAvz6lGxE\/3rUm\r\na6+zrntIzqyIfbrprA==\r\n-----END CERTIFICATE-----\r\nData Base Updated\r\n<\/pre>\n
                        * Cert generated in the exampleca\\certs subdirectory.<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>dir certs\r\n Directory of C:\\OpenSSL\\exampleca\\certs\r\n\r\n06\/27\/2011  11:25 AM             3,281 sample_cert.pem\r\n               1 File(s)          3,281 bytes\r\n<\/pre>\n
                        * Rename signed cert if needed<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>cd certs\r\n\r\nC:\\OpenSSL\\exampleca\\certs>rename sample_cert.pem sample_cert.pem\r\n\r\nC:\\OpenSSL\\exampleca\\certs>dir\r\n Directory of C:\\OpenSSL\\exampleca\\certs\r\n\r\n06\/27\/2011  11:25 AM             3,281 sample_cert.pem\r\n               1 File(s)          3,281 bytes\r\n<\/pre>\n
                        List Sample Cert<\/h3><\/span>\n
                        \r\nopenssl x509 -in certs\\sample_cert.pem -text -noout\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl x509 -in certs\\sample_cert.pem -text -noout\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number: 1 (0x1)\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Validity\r\n            Not Before: Jun 27 15:25:03 2011 GMT\r\n            Not After : Jun 26 15:25:03 2012 GMT\r\n        Subject: CN=localhost, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example CA\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:99:97:33:dd:23:a1:7f:05:30:ee:4d:89:40:e5:\r\n                    a9:9d:cc:dc:d1:1e:de:22:91:e2:82:15:04:e5:0a:\r\n                    32:f6:88:be:44:fa:62:dc:ef:ef:1d:71:68:67:17:\r\n                    66:fe:e8:59:2b:c3:69:37:48:0a:b1:e2:02:25:53:\r\n                    77:02:1c:ee:42:21:c5:3b:68:9b:f4:de:13:fd:54:\r\n                    35:ab:f7:dc:7f:e7:64:f7:ee:63:3f:49:ca:6b:fe:\r\n                    89:28:c7:b3:9f:85:3b:52:1e:f2:e8:4e:66:89:fc:\r\n                    ca:a0:c5:01:10:e8:4a:3e:03:98:ee:10:77:48:b9:\r\n                    a4:54:4c:03:65:13:d0:ae:01\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints:\r\n                CA:FALSE\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        62:a4:0a:79:3a:bf:2f:f9:3c:26:df:2b:38:9e:8d:f8:8f:a8:\r\n        31:6e:9a:0e:2a:4f:fe:c7:b2:b3:b1:26:8a:97:cd:43:46:03:\r\n        78:eb:c0:47:cb:db:60:de:2a:d0:ae:70:f1:16:16:ab:00:a1:\r\n        b8:7a:0a:bc:78:48:a9:73:34:d5:74:90:49:ba:6e:0a:a9:94:\r\n        52:78:3f:ba:f1:2b:d2:b3:df:6c:1d:77:e8:8a:55:5d:81:04:\r\n        1d:a6:82:99:88:26:ef:37:f1:71:f9:05:c3:bd:89:7e:0c:1e:\r\n        25:61:ad:d6:46:26:d5:67:53:01:74:08:58:19:cc:5d:fd:64:\r\n        0e:17:e8:78:d1:47:b8:c7:48:86:a5:da:f7:b5:8d:c9:00:ff:\r\n        3c:9e:5c:23:9f:6c:cd:21:f3:76:3e:29:8f:3d:d7:c4:93:b0:\r\n        59:dd:94:c0:c0:65:74:f1:32:7f:a9:e4:40:3a:11:f7:28:c4:\r\n        3e:85:07:f3:bf:21:78:60:7b:6f:9b:7f:4b:39:11:38:4f:05:\r\n        60:03:40:4b:6e:cd:b6:21:ea:cb:23:da:f7:27:55:34:62:7f:\r\n        6e:b5:25:c5:60:24:0b:0b:a6:67:66:dd:9c:8b:e8:af:bb:00:\r\n        bf:3e:a5:1b:11:3f:de:b5:26:6b:af:b3:ae:7b:48:ce:ac:88:\r\n        7d:ba:e9:ac\r\n<\/pre>\n
                        Revoke a certificate<\/h3><\/span>\n
                        \r\nopenssl ca -revoke certs\\sample_cert.pem\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl ca -revoke certs\\sample_cert.pem\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\nRevoking Certificate 01.\r\nData Base Updated\r\n<\/pre>\n
                        Generate CRL<\/h3><\/span>\n
                        \r\nopenssl ca -gencrl -out exampleca.crl\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl ca -gencrl -out exampleca.crl\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\n\r\nC:\\OpenSSL\\exampleca>dir *.crl\r\n Directory of C:\\OpenSSL\\exampleca\r\n\r\n06\/27\/2011  11:37 AM               670 exampleca.crl\r\n               1 File(s)            670 bytes\r\n<\/pre>\n
                        * List CRL file<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl crl -in exampleca.crl -text -noout\r\nCertificate Revocation List (CRL):\r\n        Version 1 (0x0)\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: \/CN=Example CA\/ST=Virginia\/C=US\/emailAddress=ca@exampleca.com\/O=Example CA\r\n        Last Update: Jun 27 15:37:57 2011 GMT\r\n        Next Update: Jul  4 15:37:57 2011 GMT\r\nRevoked Certificates:\r\n    Serial Number: 01\r\n        Revocation Date: Jun 27 15:37:12 2011 GMT\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        04:b6:e9:66:75:e6:2d:18:61:37:4a:4d:f2:0e:99:a3:49:55:\r\n        ed:d6:ff:f1:5a:f8:35:5b:a4:6e:be:6b:6a:74:e9:2a:70:08:\r\n        07:73:57:a5:16:e7:80:af:d0:e8:5d:8f:3d:6b:86:66:9a:cb:\r\n        ed:24:17:c5:40:8c:00:72:56:b9:9b:bb:51:c3:a3:0e:fc:37:\r\n        82:e3:22:7b:de:05:d5:00:31:a5:0a:65:0d:54:50:83:4c:6a:\r\n        6e:82:a8:d8:f5:37:6a:af:9b:5d:75:cb:64:be:99:1d:29:a2:\r\n        12:84:c3:b5:0a:48:a8:cf:3e:07:10:7a:93:30:64:a6:d3:3c:\r\n        5a:03:41:4a:0b:01:da:71:10:97:c5:d1:b2:89:a7:90:59:6f:\r\n        4d:af:10:3d:97:79:56:a1:ef:e0:80:b0:0f:f8:10:69:41:77:\r\n        03:1d:66:bd:01:50:2f:f4:4a:0e:7a:eb:53:a6:3d:cd:43:fa:\r\n        17:55:e9:9d:74:b7:e7:0b:2d:95:5b:5d:26:84:20:bf:89:e7:\r\n        8d:00:14:96:70:46:91:1d:8f:7c:00:bd:45:ea:1d:58:20:28:\r\n        4e:c3:27:69:48:d7:09:6c:9e:13:1e:03:f0:5c:71:fd:72:a8:\r\n        d9:6b:bf:ba:57:29:ea:c6:f6:8c:db:dd:3d:cd:80:ca:6e:31:\r\n        bf:de:50:36\r\n<\/pre>\n
                        * Verify that CRL file is valid with CA public key<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl crl -in exampleca.crl -noout -CAfile cacert.pem\r\nverify OK\r\n<\/pre>\n
                        Update DB<\/h3><\/span>\n
                        \r\nopenssl ca -updatedb\r\n<\/pre>\n
                        * Sample output<\/p>\n
                        \r\nC:\\OpenSSL\\exampleca>openssl ca -updatedb\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\n<\/pre>\n
                        References<\/h2><\/span>\n
                        * OpenSSL Docs<\/a>
                        \n* Network Security with OpenSSL by John Viega; Matt Messier; Pravir Chandra
                        \nPlanning for PKI: Best Practices Guide for Deploying Public Key Infrastructure by Russ Housley and Tim Polk ( John Wiley & Sons).
                        \n*                         OpenSSL Command-Line HOWTO<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                        Intro SSL Pitfalls * Processing overhead – Use: cryptographic acceleration hardware, load balancing * Keys in the clear – Lock down environment * Compromised server credentials – Use: CRL (Certificate Revocation List) * Inadequate entropy (higher the entropy, the more … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[55],"tags":[],"class_list":["post-742","post","type-post","status-publish","format-standard","hentry","category-ssl"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/s8cRUO-openssl","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=742"}],"version-history":[{"count":38,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/742\/revisions"}],"predecessor-version":[{"id":746,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/742\/revisions\/746"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}