OpenSSL - Signing Certificates from Others
Viewing Components of Certificate Signing Request
Here is how to see the components of a certificate signing request:
>openssl req -in herong.csr -noout -text -config openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db:
57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e:
bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff:
36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9:
04:d6:0e:5d:d1
Exponent: 65537 (0x10001)
Attributes:
challengePassword :myreq
Signature Algorithm: md5WithRSAEncryption
80:be:77:39:65:0f:24:db:70:c1:76:e3:b6:c7:99:a5:c7:af:
ae:98:5a:73:98:f8:60:f1:65:08:a9:f7:df:6f:bd:77:aa:f7:
bb:0b:f2:0d:71:6e:ad:ee:52:5a:2b:a7:2a:c0:fd:0e:4c:8f:
c1:43:18:58:0b:10:03:e0:e5:a3
Some notes on this output:
- The request is signed with my own private key. That signature is not wasted effort: it is the proof of possession that lets the CA confirm the requester really holds the private key matching the public key in the request (and that nobody altered the request in transit). A CA should run "openssl req -verify" on every request before signing it.
- My "challengePassword" is displayed in plain text. The attribute was meant as a shared secret between the requester and the CA (for example, to authorize a later revocation), but a CSR is not encrypted, so anyone holding the request file can read it. Treat it as a legacy field and never put a real password there.
- The key is 512 bits and the signature algorithm is md5WithRSAEncryption. Both are far too weak for any real use today; 2048-bit RSA and SHA-256 are the practical minimum.
Signing a Certificate Signing Request
Even though I am not a well-established CA, I can still use OpenSSL to sign somebody else's certificate signing request: any key pair with a self-signed certificate can act as an issuer.
The following process shows how Herong Yang signs John Smith's request:
>echo generating a key pair for John
>openssl genrsa -out john_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 512 bit long modulus
..................++++++++++++
.++++++++++++
e is 65537 (0x10001)
>echo generating the certificate signing request for John
>openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf
You are about to be asked to enter information that will be incorp...
into your certificate request.
What you are about to enter is what is called a Distinguished Name...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:John Smith
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
>echo signing John's request with Herong's private key
>openssl x509 -req -in john.csr -CA herong.crt -CAkey herong_rsa_des.key -out john.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
Getting CA Private Key
Enter pass phrase for herong_rsa_des.key:
>echo looking at John's certificate
>openssl x509 -in john.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 5 (0x5)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=PN, L=CN, O=ON, OU=UN, CN=Herong Yang
Validity
Not Before: Jul 17 03:10:39 2002 GMT
Not After : Aug 16 03:10:39 2002 GMT
Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=John Smith
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:d4:a4:be:ce:2d:be:88:56:ef:d3:de:13:15:33:
59:84:ea:08:fe:bc:c8:70:93:30:c0:c4:c5:de:e3:
65:e8:98:e1:15:12:27:d4:00:69:6e:22:fa:c3:72:
4a:75:a6:d8:66:dc:ec:12:f6:92:94:09:3c:3a:61:
69:47:99:b3:91
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
57:a5:9f:93:8e:f8:69:cd:9b:70:ff:f5:fc:78:e3:f6:da:70:
b9:5d:d6:a8:ac:ae:76:41:13:04:99:28:97:55:9b:5e:94:c7:
c5:59:26:77:33:cb:67:aa:1c:d5:0e:b7:de:33:73:b1:f6:3a:
0b:c2:d9:6a:5b:f1:d1:ab:60:9b
This is nice. Now I can sign anyone's certificate request and act as a CA!
All I need is my RSA key pair, herong_rsa_des.key, my self-signed certificate, herong.crt,
and the "x509" command.
Being a CA in this sense only means producing a valid signature, though. John's certificate is worth nothing to a browser or a server until the relying party has installed herong.crt as a trusted root; "openssl verify john.crt" rejects it until it is given "-CAfile herong.crt".
A few other details of the output are worth noticing: the serial number (5) was read from the herong.srl file that "x509 -req -CA" keeps next to herong.crt and increments on every signing, the certificate is Version 1 with no extensions because no "-extfile" was given, and the validity defaults to 30 days (Jul 17 to Aug 16) because no "-days" was given.
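The example below is added here and is not code from the original tutorial. It runs the same request-and-sign procedure end to end without prompts, using a 2048-bit key and SHA-256 instead of the 512-bit/MD5 defaults shown above, and adds the two checks the text discusses: the CA verifying the CSR's self-signature (the proof of possession behind the earlier note) and a relying party verifying John's certificate with and without herong.crt in its trust store. It assumes openssl(1) is on PATH with its default openssl.cnf and that mktemp is available; the work directory, file names and subjects are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): CSR generation, CA signing
# and the verification checks run by each side, without interactive prompts.
# Assumes openssl(1) on PATH with its default config; all names are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang"
JOHN_SUBJ="/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith"

# Herong's CA key pair and self-signed certificate. The key is left
# unencrypted so the script needs no pass phrase; use -aes256 for a real CA.
make_ca() {
    openssl genrsa -out "$WORK/herong.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/herong.key" -sha256 -days 365 \
        -subj "$CA_SUBJ" -out "$WORK/herong.crt"
}

# John's key pair and CSR; -subj replaces the interactive DN prompts.
make_csr() {
    openssl genrsa -out "$WORK/john.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/john.key" -sha256 \
        -subj "$JOHN_SUBJ" -out "$WORK/john.csr"
}

# The CA's first check: the CSR is self-signed with the requester's key, so a
# good signature proves the requester holds the private key for the public key
# it wants certified, and that the request was not altered. Non-zero on failure.
verify_csr() {
    openssl req -in "$WORK/john.csr" -noout -verify >/dev/null 2>&1
}

# Herong signs John's request. -CAcreateserial writes herong.srl on first use;
# later runs read and increment it so serials stay unique for this issuer.
sign_csr() {
    openssl x509 -req -in "$WORK/john.csr" -sha256 -days 30 \
        -CA "$WORK/herong.crt" -CAkey "$WORK/herong.key" \
        -CAserial "$WORK/herong.srl" -CAcreateserial \
        -out "$WORK/john.crt" 2>/dev/null
}

issuer_of()  { openssl x509 -in "$WORK/john.crt" -noout -issuer; }
subject_of() { openssl x509 -in "$WORK/john.crt" -noout -subject; }

# The relying party's check: john.crt chains to herong.crt only when herong.crt
# is in the trust store handed to the verifier.
verify_with_ca() {
    openssl verify -CAfile "$WORK/herong.crt" "$WORK/john.crt" >/dev/null 2>&1
}

# The same certificate against the default trust store, which does not contain
# herong.crt: expected to fail. Being able to sign does not make you trusted.
verify_without_ca() {
    openssl verify "$WORK/john.crt" >/dev/null 2>&1
}

run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    make_ca
    make_csr
    verify_csr || { echo "CSR signature FAILED, refusing to sign" >&2; return 1; }
    echo "CSR signature OK: requester holds the private key"
    sign_csr
    echo "issued: $(subject_of)"
    echo "by:     $(issuer_of)"
    verify_with_ca && echo "verify with -CAfile herong.crt: OK"
    verify_without_ca || echo "verify against default store: rejected, as expected"
    echo "files left in $WORK"
}

run_demo
```

Run it as "sh sign_demo.sh" (or set WORK to a directory of your choice). The only difference from the manual session above is the set of defaults: -subj instead of prompts, -sha256 instead of MD5, and an explicit -days 30 and -CAserial so the output does not depend on files left behind by earlier runs.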
Conclusion
In this chapter, we have learned how to generate a certificate signing request with the "req" command,
and how to sign someone else's certificate request with the "x509" command.