PKI applications (C2)
openssl exercise
Pascal Steichen (MSSI-uni.lu) - 31/03/2007 (03)
Exercise
- generation of the CA key pair
- self-signed root CA certificate
- generation of a user key pair
- creation of a CSR (certificate signing request)
- signing of the CSR to produce the user certificate
1. Generate the RSA key pair for the CA
Use this command to generate the RSA key pair:
% openssl genrsa -aes128 -out ca.key 2048
- genrsa: the openssl subcommand that generates an RSA key pair,
- -aes128: the symmetric algorithm used to encrypt the private key on disk (openssl prompts for a passphrase),
- -out ca.key: the file the encrypted private key is written to; the public key is derived from it whenever it is needed,
- 2048: size of the RSA modulus in bits.
2. Create a self-signed CA certificate
To obtain a self-signed CA certificate, the CA's own certificate request is signed with the CA's private key. The result is an X.509 certificate in which subject and issuer are the same name.
% openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- req: the openssl subcommand for certificate requests,
- -new: generate a new request (openssl prompts for the subject fields),
- -x509: output a self-signed certificate instead of a request,
- -days 365: the validity period in days, counted from now,
- -key ca.key: the private key to use (its passphrase is prompted for),
- -out ca.crt: the file the new certificate is written to.
3. Generate the RSA key pair for a user/server
Use this command to generate the RSA key pair:
% openssl genrsa -aes128 -out user.key 2048
- genrsa: the openssl subcommand that generates an RSA key pair,
- -aes128: the symmetric algorithm used to encrypt the private key on disk (openssl prompts for a passphrase),
- -out user.key: the file the encrypted private key is written to,
- 2048: size of the RSA modulus in bits.
4. Generate a certificate request
The user generates a certificate request with this command. The CSR contains the user's public key and the requested subject name and is signed with the user's private key as proof of possession; it is sent to the CA for signing, and the CA returns the signed certificate. The private key never leaves the user.
% openssl req -new -key user.key -out user.csr
- req: the openssl subcommand for certificate requests,
- -new: generate a new request (openssl prompts for the subject fields),
- -key user.key: the private key whose public half goes into the request,
- -out user.csr: the file the new certificate request is written to.
5. Ask the CA to sign the certificate request
The CA signs the CSR and produces the X.509 certificate to issue.
% openssl x509 -req -in user.csr -extensions v3_usr -CA ca.crt \
-CAkey ca.key -CAcreateserial -out user.crt
- x509: certificate display and signing utility,
- -req: a certificate request is expected on input,
- -in user.csr: the input file to read,
- -extensions v3_usr: the section of the extension configuration file to take certificate extensions from. Note that x509 -req only reads extensions from the file named with -extfile; without -extfile, this option has no effect and the certificate is issued with no extensions at all (no basicConstraints CA:FALSE, no keyUsage),
- -CA ca.crt: the CA certificate whose subject becomes the issuer of the new certificate,
- -CAkey ca.key: the CA private key that signs the certificate,
- -CAcreateserial: the CA serial number file (ca.srl, named after the CA certificate file) is created if it does not exist. Older openssl versions documented that the file is created containing "02" and the certificate being signed gets serial number 1; current releases generate a random initial serial instead, so check the serial number actually present in the issued certificate rather than assuming it,
- -out user.crt: the file the new certificate is written to.
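The five steps above, as an added non-interactive shell script (example code written for this page, not part of the original handout or of OpenSSL). It assumes a configuration file named ex.cnf whose v3_ca and v3_usr sections are written by the script itself, example passphrases passed with -passout/-passin instead of prompts, the subject names "Exercise Root CA" and "alice", and that -extfile is given so that -extensions v3_usr actually takes effect. It ends with the checks a relying party would run: openssl verify of user.crt against ca.crt, and a check that the issued certificate is an end-entity certificate rather than another CA.

```shell
#!/bin/sh
# Added example for this page (not from the original handout or from OpenSSL):
# runs the five steps of the exercise non-interactively in the directory
# given as $1 and checks the result. Assumed names: ex.cnf, the passphrases,
# the subject names and the contents of the v3_ca / v3_usr sections.
set -u

write_ext_config() {
    # $1: path of the configuration file to create. [req]/[req_dn] are the
    # minimum "openssl req -config" accepts; the other sections hold the
    # extensions the CA puts into its own and into issued certificates.
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_usr ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

run_pki_exercise() {
    dir=$1
    cfg="$dir/ex.cnf"
    ca_pass='ca-passphrase-example'      # assumed; a real CA key gets a strong secret
    user_pass='user-passphrase-example'  # assumed
    write_ext_config "$cfg" || return 1

    # 1. CA key pair; the private key is AES-128 encrypted under the passphrase
    openssl genrsa -aes128 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null || return 1

    # 2. self-signed root certificate, marked CA:TRUE through the v3_ca section
    openssl req -new -x509 -days 365 -config "$cfg" -extensions v3_ca \
        -key "$dir/ca.key" -passin "pass:$ca_pass" \
        -subj "/CN=Exercise Root CA" -out "$dir/ca.crt" || return 1

    # 3. user key pair
    openssl genrsa -aes128 -passout "pass:$user_pass" -out "$dir/user.key" 2048 2>/dev/null || return 1

    # 4. certificate signing request (subject given on the command line instead of prompts)
    openssl req -new -config "$cfg" -key "$dir/user.key" -passin "pass:$user_pass" \
        -subj "/CN=alice" -out "$dir/user.csr" || return 1

    # 5. the CA signs the CSR. -extfile is what makes -extensions v3_usr take effect;
    #    -CAcreateserial creates ca.srl next to ca.crt on first use.
    openssl x509 -req -days 365 -in "$dir/user.csr" \
        -extfile "$cfg" -extensions v3_usr \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$ca_pass" \
        -CAcreateserial -out "$dir/user.crt" || return 1

    # Checks a relying party would do: the chain verifies against the CA,
    # and the issued certificate is an end-entity certificate, not a CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/user.crt" >/dev/null || return 1
    openssl x509 -in "$dir/user.crt" -noout -text | grep -q 'CA:FALSE' || return 1
    # Show the serial number the CA actually assigned.
    openssl x509 -in "$dir/user.crt" -noout -serial
}

if [ "$#" -gt 0 ]; then
    run_pki_exercise "$1" && echo "issued $1/user.crt; chain verifies against $1/ca.crt"
fi
```

Run it as "sh pki_exercise.sh /some/empty/dir". The CA's passphrase is needed only in steps 1, 2 and 5; in a real deployment the CA key and its passphrase stay on the CA machine and only user.csr and user.crt travel between the user and the CA.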