Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

OpenSSL - Signing Certificates from Others


(Continued from previous part...)

Viewing Components of Certificate Signing Request

Here is how to see the components of a certificate signing request:

>openssl req -in herong.csr -noout -text -config openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=Herong Yang
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:a9:e6:19:c6:ee:88:01:86:d9:72:9e:93:92:db:
                    57:01:7b:02:84:fc:1e:e3:57:5e:2a:7b:2b:25:9e:
                    bd:ba:c5:95:2c:49:59:28:df:a6:67:86:26:8e:ff:
                    36:cc:3a:84:5c:28:af:6f:11:c8:0c:b5:c2:c5:b9:
                    04:d6:0e:5d:d1
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :myreq
    Signature Algorithm: md5WithRSAEncryption
        80:be:77:39:65:0f:24:db:70:c1:76:e3:b6:c7:99:a5:c7:af:
        ae:98:5a:73:98:f8:60:f1:65:08:a9:f7:df:6f:bd:77:aa:f7:
        bb:0b:f2:0d:71:6e:ad:ee:52:5a:2b:a7:2a:c0:fd:0e:4c:8f:
        c1:43:18:58:0b:10:03:e0:e5:a3

Some interesting notes here:

  • The request is signed with my private key. I don't see any need for this.
  • My "challengePassword" is displayed in plain text. What's the value of this password, if everyone can see it?

Signing a Certificate Signing Request

Even though I am not a well-established CA, I can still use OpenSSL to sign somebody else's certificate. The following process shows how Herong Yang signs John Smith's certificate:

>echo generating a key pair for John
>openssl genrsa -out john_rsa.key
Loading 'screen' into random state - done
Generating RSA private key, 512 bit long modulus
..................++++++++++++
.++++++++++++
e is 65537 (0x10001)

>echo generating the certificate signing request for John
>openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf

You are about to be asked to enter information that will be incorp...
into your certificate request.
What you are about to enter is what is called a Distinguished Name...
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:John Smith
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

>echo signing John's request with Herong's private key
>openssl x509 -req -in john.csr -CA herong.crt -CAkey herong_rsa_des.key -out john.crt

Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
Getting CA Private Key
Enter pass phrase for herong_rsa_des.key:

>echo looking at John's certificate
>openssl x509 -in john.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 5 (0x5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=PN, L=CN, O=ON, OU=UN, CN=Herong Yang
        Validity
            Not Before: Jul 17 03:10:39 2002 GMT
            Not After : Aug 16 03:10:39 2002 GMT
        Subject: C=CN, ST=PN, L=LN, O=ON, OU=UN, CN=John Smith
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:d4:a4:be:ce:2d:be:88:56:ef:d3:de:13:15:33:
                    59:84:ea:08:fe:bc:c8:70:93:30:c0:c4:c5:de:e3:
                    65:e8:98:e1:15:12:27:d4:00:69:6e:22:fa:c3:72:
                    4a:75:a6:d8:66:dc:ec:12:f6:92:94:09:3c:3a:61:
                    69:47:99:b3:91
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        57:a5:9f:93:8e:f8:69:cd:9b:70:ff:f5:fc:78:e3:f6:da:70:
        b9:5d:d6:a8:ac:ae:76:41:13:04:99:28:97:55:9b:5e:94:c7:
        c5:59:26:77:33:cb:67:aa:1c:d5:0e:b7:de:33:73:b1:f6:3a:
        0b:c2:d9:6a:5b:f1:d1:ab:60:9b

This is nice. Now I can sign anyone's certificate and act as a CA, at least toward anyone who chooses to trust herong.crt! All I need is my RSA key pair, herong_rsa_des.key, my self-signed certificate, herong.crt, and the "x509" command.
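The same procedure as a POSIX shell script, added here as an example (not the tutorial's own commands): -subj answers the "req" prompts non-interactively, and the last two functions add the check the page does not show, that the signed certificate verifies against the self-signed CA certificate and against nothing else. It assumes the openssl binary is on PATH; the work directory, file names and subject values are constructed.

```shell
#!/bin/sh
# Added example: act as a CA with a self-signed certificate, sign another
# party's CSR, then verify the chain. Assumes openssl is on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Step 1: the CA key pair and self-signed certificate (herong.crt in the text).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
        -subj "/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Herong Yang" 2>/dev/null
}

# Step 2: the other party's key pair and CSR (john.csr in the text).
make_csr() {
    openssl genrsa -out "$WORK/john.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/john.key" -out "$WORK/john.csr" \
        -subj "/C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith" 2>/dev/null
}

# Step 3: sign the CSR with the CA key; -CAcreateserial supplies the serial.
sign_csr() {
    openssl x509 -req -in "$WORK/john.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/john.crt" 2>/dev/null
}

# Step 4: the chain check. Prints "ok" when john.crt validates against
# the given CA certificate, "fail" otherwise.
verify_with() {
    if openssl verify -CAfile "$1" "$WORK/john.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

verify_chain() { verify_with "$WORK/ca.crt"; }

# An unrelated self-signed certificate must NOT validate john.crt: the
# signature only means something to a party that trusts ca.crt itself.
verify_with_unrelated_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
        -out "$WORK/other.crt" -days 30 -subj "/CN=Unrelated CA" 2>/dev/null
    verify_with "$WORK/other.crt"
}

# The issuer of john.crt must be the subject of ca.crt; prints yes/no.
issuer_matches_ca() {
    iss=$(openssl x509 -in "$WORK/john.crt" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$WORK/ca.crt" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ] && echo yes || echo no
}
```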

Conclusion

In this chapter, we have learned how to generate a certificate signing request with the "req" command, and how to sign someone else's certificate with the "x509" command.


Dr. Herong Yang, updated in 2007