OpenSSL - Generating Self-Signed Certificates
Here is the command to generate a self-signed certificate from an RSA key pair file, herong_rsa_des.key,
generated previously. The "-x509" option tells "req" to output a self-signed certificate instead of a certificate request:
>openssl req -new -key herong_rsa_des.key -x509 -out herong.crt -config openssl.cnf
Enter pass phrase for herong_rsa_des.key:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:Herong Yang
Email Address []:.
>type herong.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Note that:
- My information, entered from the keyboard, becomes both the "issuer" and the "subject" of the certificate.
- The public key included in the certificate comes from the RSA key pair file, herong_rsa_des.key.
See the previous chapter on how to generate an RSA key pair file.
- The private key used to sign the certificate also comes from herong_rsa_des.key, which is why the
pass phrase is asked for. The private key itself is not included in the certificate, so the self-signed
certificate can be sent to others safely. The key file, of course, must stay private.
- The certificate is saved in PEM format: the DER-encoded certificate, Base64-encoded between the
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
Viewing Components of Certificates
Here is how to see the components of a certificate:
>openssl x509 -in herong.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang
Validity
Not Before: Jul 15 02:19:47 2002 GMT
Not After : Aug 14 02:19:47 2002 GMT
Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db:
57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e:
bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff:
36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9:
04:d6:0e:5d:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04
X509v3 Authority Key Identifier:
keyid:55:C8:EF:49:2B:5D:E4:03:C5:98:1B:68:24:28:47:88:D4:0E:77:04
DirName:/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
3f:ba:0c:c1:ae:38:ca:f6:37:16:9c:35:5f:18:79:64:de:27:
0d:46:ad:28:57:b4:62:df:6c:ff:f8:74:17:eb:b6:91:7e:06:
6e:ec:a5:9d:23:e2:6e:5a:6e:c3:09:fa:cf:34:65:70:15:65:
10:3a:6b:0f:b9:ef:6b:64:18:0e
This certificate tells us that:
- The subject is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang".
- The subject's public key, a 512-bit RSA key, is included in it.
- The issuer is "C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang". The issuer is identical
to the subject, because this is a self-signed certificate.
- The certificate is valid for one month: 30 days is the default when "-days" is not given to "req".
- The certificate is signed by the issuer with the signature at the end, using md5WithRSAEncryption.
- Because of the "X509v3 Basic Constraints: CA:TRUE" extension, which "req -x509" adds by default,
this certificate can itself sign other certificates. Anyone who installs it as trusted therefore trusts
everything signed with its private key, not just this one certificate.
Two caveats about the values shown here: a 512-bit RSA key can be factored with modest resources, and MD5
signatures are collision-prone. Current OpenSSL versions and TLS clients reject both. Use an RSA key of
at least 2048 bits and pass "-sha256" to "req" when generating certificates today.
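The following script is an added example, not part of the original page. It does non-interactively what the "req" and "x509" steps above do by hand, but with current parameters (RSA 2048, SHA-256, explicit validity) and the same distinguished name, and then runs the checks a practitioner applies to a self-signed certificate: subject equals issuer, the self-signature verifies against the certificate's own key, the private key file matches the certificate, and the SHA-256 fingerprint that a recipient must compare out of band. It assumes OpenSSL 1.1.1 or later on PATH; the file names key.pem and cert.pem and the subjectAltName of localhost are illustrative.

```shell
#!/bin/sh
# Added example (not the original page's commands): non-interactive self-signed
# certificate generation plus the checks worth running on the result.
# Assumes OpenSSL >= 1.1.1 on PATH. Output file names are illustrative.
set -eu

SUBJ="/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang"   # the DN typed in on the page

# Generate key pair and self-signed certificate in one step. "-nodes" leaves the
# private key unencrypted (for a server that must start unattended); drop it to
# get the pass-phrase prompt seen on the page. "-sha256" and "-days" replace the
# md5WithRSAEncryption / 30-day defaults shown above.
make_selfsigned() {      # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$SUBJ" -addext "subjectAltName=DNS:localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Subject and issuer in RFC 2253 form; they are identical for a self-signed cert.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# Signature algorithm and RSA modulus size, pulled from the "x509 -text" output.
cert_sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
cert_key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# SHA-256 fingerprint of the DER encoding, lower-case hex without colons. This is
# what the recipient of a self-signed certificate must compare out of band: there
# is no CA chain to validate, and anyone can self-sign a cert with the same subject.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# The signature verifies against the certificate's own public key: exit 0 if so.
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# The private key file and the certificate carry the same public key.
key_matches_cert() {     # $1 = key file, $2 = cert file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

main() {
    dir=${1:-$(mktemp -d)}
    make_selfsigned "$dir"
    printf 'subject:     %s\n' "$(cert_subject "$dir/cert.pem")"
    printf 'issuer:      %s\n' "$(cert_issuer "$dir/cert.pem")"
    printf 'signature:   %s\n' "$(cert_sig_alg "$dir/cert.pem")"
    printf 'key bits:    %s\n' "$(cert_key_bits "$dir/cert.pem")"
    printf 'fingerprint: %s\n' "$(cert_fingerprint "$dir/cert.pem")"
    is_self_signed "$dir/cert.pem" && echo "self-signature OK"
    key_matches_cert "$dir/key.pem" "$dir/cert.pem" && echo "key matches certificate"
}
main "$@"
```

Run it with an output directory as the only argument (or none, to use a temporary one). The fingerprint check is the important one in practice: a self-signed certificate proves nothing about who made it, so the party installing it must obtain the fingerprint through a separate trusted channel and compare it before trusting the certificate.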
Conclusion
In this chapter, we have learned how to use the "req" command to generate a self-signed certificate,
and how to use the "x509" command to view the content of a certificate.