OpenSSL Reference [1] http://www.openssl.org : OpenSSL [2] http://www.modssl.org : mod_ssl [3] http://home.xcert.com/~marcnarc//pki/ : PKI site [4] http://www2.psy.uq.edu.au/~ftp/crypto/ssl.html : SSLeay programmer reference [5] http://developer.netscape.com/docs/manuals/security/sslin/contents.htm : Netscape SSL page [6] http://www.drh-consultancy.demon.co.uk/pkcs12faq.html#pfx : OpenSSLPKCS12 [7] Introducing SSL and Certificates using SSLeay, (where???) SSLeay (Eric, A, Young)SSL(Secure Socket Layer) / SSLeay SSLv2/v3, SSLeay-0.9.0 TLSv1. OpenSSL : TLSv1 Porting language Unix DOS Windows (WIN16, WIN32) VMS Macintosh Amiga Palm Pilot C/C++ Java Perl Delphi SSLeay SSL,, OpenSSL group version up. CA (PEM, DER, PKCS12, PKCS7, ), smime utility.
. libssl.a: SSLv2, SSLv3, TLSv1 clientserver code libcrypto.a: X.509 v1/v3 SSL/TLS.. Ciphers libdes RC4/RC2 Blowfish IDEA 4 DES, DESX, crypt(). 4 different modes, ecb, cbc, cfb and ofb. 4 different modes, ecb, cbc, cfb and ofb. 4 different modes, ecb, cbc, cfb and ofb. (Digests) MD5 MD2 SHA (SHA-0) SHA-1 (Public Key) RSA encryption/decryption/generation. DSA encryption/decryption/generation. Diffie-Hellman key-exchange/key generation. X.509v3 (certificates) Systems Data structures X509 encoding/decoding into/from binary ASN1 and a PEM The normal digital envelope routines and base64 encoding. Higher level access to ciphers and digests by name. New ciphers can be loaded at run time. The BIO io system which is a simple non-blocking IO abstraction. Current methods supported are file descriptors, sockets, socket accept, socket connect, memory buffer, buffering, SSL client/server, file pointer, encryption, digest, non-blocking testing and null. A dynamically growing hashing system A simple stack.
A Configuration loader that uses a format similar to MS.ini files. openssl: command line tool: RSA, DH, DSA X.509, CSR, CRL / SSL/TLS, S/MIME OpenSSL Command line Program dgst enc ans1parse dh rsa crl x509 pkcs7 genrsa gendsa dsaparam gendh req s_client s_server - s_time s_mult s_filter errstr ca crl2pkcs7 speed verify hashdir smime base64 ASN.1 parsing. Diffle-Hellman RSA X509 pkcs7 RSA private key DSA private key. DSA parameter Diffle-Hellman PKCS#10 (CRS) SSL SSL SSL protocol timing program Another SSL server, but it multiplexes connections. under development OpenSSL error numbers. ( ) CRL ( ). CRLPKCS#7.. (certificate chain). under development mime mime / S/MIME
. pkcs12 spkac Pkcs12 parsing. (pkcs12 == pfx) Netscape CSR formatspkac.
/ CSR(Certificate Signing Request). random number. 1. (information) (rand.dat). head -25 * > rand.dat OR ssleay md5 * > rand.dat OR cat file1 file2 file3 > rand.dat 2. openssl genrsa -rand rand.dat > key.pem -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAKubxA50T2q/cNY4Ma2lUqkw/S6bHv5kXOgyDsT2ZHziE6biLVHk n/ji0ezffuquedan+s2j0rkb0rihh/ymcikcaweaaqjbaibudrpcdls+ohjqcxry ijmucfd+9xmeehotvo+71f+wk0d4eujkxedqikgkivq1vycj2pd8mjn1m6p0u1ha nmuciqdsipylwxrctug01aag9do6bbejh31hmlfjoq9kts0towihaneqe4cnyfmo 8Jbgcwic+3B4wiGK271oQ78W37aoRE3jAiEAqOXrvGB8SVklaXgbO/z3/pGuL/6b JIraVNgDy2uywgkCIQCl1h9Gp9Oq46TE6dIWGQBS3VeQ5+caveRPZkObTqqv5QIg cqgxd12rlhc3uqjned+yr8xj8osxykvfxky0e1awiv4= -----END RSA PRIVATE KEY----- 3. openssl genrsa -rand rand.dat -des 1024 > key.pem OR (if you want to use triple DES) openssl genrsa -rand rand.dat -des3 1024 > key.pem [nrg:/] openssl genrsa -des > key.pem 1160 semi-random bytes loaded Generating RSA private key, 512 bit long modulus...+++++...+++++ e is 65537 (0x10001) Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-CBC,938DB4CEDEDA2B94 Le8anSjI9/grKxZ/NJ1f5PIYqnfXgu9tmBWK1e6r3avlj8qn7ylogj9q0V/Sepik KoINR2k116WRr2QWo8qCbVFtD6HzqX1W2CVlJj2KAcPvwLTFbEiQ21WbGU37ASNo +Y+4G2BOrhaAEDVvL1WlhX3HwqB5HYY9u9Gmr5XdSAr2WXFc1ewEl/EJLnl7RuQ9 CoyiXAQRly+FoPQiqbAXkiCOjsj3WItTCf6pZ7GEG+qpzCXLe4Ez4djCMZXPNmgN h40xn7kccbke9zng+epdysxtph7b8kqowwfxup0d/spfhnj7z97aafpq1+jee+nj rd2tutocloyfmgocim2xx/s7bmdlsyw5axnchy6rogsa1ta030doppi74zlteb4f kd5frmmuo9zfbs7knmt+4kf6mdajo41qkdkb4itetpe= -----END RSA PRIVATE KEY----- 4. passphrase openssl rsa -in key1.pem -out key2.pem openssl rsa -in delthis.key -out delthis2.key read RSA private key Enter PEM pass phrase:passphrase writing RSA private key -----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBALn9rR+qrq7Qib2AqSLFNDV/P4dBC+w+5yBFYpnp7BRO7RAY0ZIL ehuwpxzzq9q3vbfnhpahyij+6jhkicpgy80caweaaqjafmntqzjbihcbjjhkw71f vxa+fzae6npwpbie7bgsxboeqfkjhb2zj0odi/+a8jmu1o8icsi22gj4xkdbtthi AQIhAOBa9nlPT6KkYiVYGxFPUVE/Vis/tuVA19nhSpC5yk8XAiEA1Dly+ItWmRjz xyvv64uv8k9zpmjhsh+rat1aqjvs6rsciffljycp/qlyxe1sltft4bvld9c3eymr SH669xOU5GpXAiBjCqCOP7DdaBiz87e3LIyjP8btMVZ52CL+BjWceaxn6wIhAJxo FQUwOEMwHg0oe/eXykakCKS/lPjtyhf6NaFn82kI -----END RSA PRIVATE KEY----- 5. openssl rsa -des -in key1.pem -out key2.pem OR ( triple-des ) openssl rsa -des3 -in key1.pem -out key2.pem openssl rsa -idea -in delthis2.key -out delthis3.key
read RSA private key writing RSA private key Enter PEM pass phrase:11111111 Verifying password - Enter PEM pass phrase:11111111 -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: IDEA-CBC,9565D60C29080DB2 Uu8YpSMdmGVJWQsSSke0174Nv5nFw+ESvQfiom8vF9MSW+vFg8BUs0AmEjzlmWkZ udpjggika3lbspvqg718huoetp3/hrgwyechtjf/rv3ssk1ka3egkwslftmpnkfk 7ITFBa22QgVBOvdIKsbQgWZgE3gtah2aDhUATd6kpoQtmlcK17+BLAUki1/JuKuj NrjP6tOTtNrGunA6gwPj8xiCwLWq3N3we/6Yk+HGlIy5GgMlWAk1Y/NJs56EoxsV t28j+ndmic/oucrwlnoeseh62uo8qu6cklfbqfjion9v1gkqmhl4z/so4ridyjm1 Em89gg2QtAw6PAAFxfWuD8Q35bgRYuaOfLPFCwV1XLPVXOWpuDBmjDnQ47eXlWel 4RbKajq1TDckle4j85jsRMDTBs1bwGO4WkRtuOixkeY= -----END RSA PRIVATE KEY----- 6. (CSR) CSRCA CSR PKCS#10 CSR. CSR private key. CA. CSRCA. ( signing ) OpenSSL CSR. openssl req -new -key key.pem -out csr.pem key.pem openssl req -new -key key.pem -out csr.pem keyout key.pem. CSR.PEM -----BEGIN CERTIFICATE REQUEST----- MIIBETCBvAIBADBXMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEh MB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYJKoZIhvcNAQkB FgFgMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6nPTy3avNgbubx+ESmD4LV1LQG fcsh8neheoixgwmcplrhtp87paa0xvgpvrqujcgstrlqsd8lcyvvkoaytnucawea AaAAMA0GCSqGSIb3DQEBBAUAA0EAXcMsa8eXgbG2ZhVyFkRVrI4vT8haN39/QJc9
BrRh2nOTKgfMcT9h+1Xx0wNRQ9/SIGV1y3+3abNiJmJBWnJ8Bg== -----END CERTIFICATE REQUEST----- 7. (self-signed) CA, root CA rootca rootca. CSR selfsigned. openssl req -new -x509 -key key.pem -out dummy.pem CSR openssl ca in req.pem signkey key.pem out cacert.pem. text openssl x509 -text -in cacert.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5withrsaencryption Issuer: C=KR, CN=rootCA Validity 71@netsgo.com Not Before: Feb 28 07:57:44 2000 GMT Not After : Feb 27 07:57:44 2001 GMT Subject: C=KR, ST=SEOUL, L=SEOUL, O=PKI, OU=PKI, CN=my_name/Email=bugbug Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c4:5d:2a:56:eb:fa:25:b9:ad:cc:e0:69:7b:7f: 8b:72:08:40:43:f8:61:37:3f:89:a1:6f:56:8a:49: 7a:e1:9b:8b:a2:14:e9:76:fd:e8:f9:d3:e5:6e:dc: 70:a0:69:17:f8:76:8f:2e:c2:96:5c:cd:95:4c:c3: 5f:cd:a1:f7:20:0a:28:41:f5:a2:a1:73:ee:35:5a: 79:67:c8:17:89:23:17:83:96:b6:6a:73:8b:47:a7: e2:89:97:5a:b8:8b:4e:5a:d9:49:b3:0c:84:ec:60: c6:42:0a:2b:7b:ec:67:3e:28:d0:74:d6:3a:5b:d2:
ca:8f:16:0f:e6:ee:0e:db:33 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: email:bugbug71@netsgo.com X509v3 Basic Constraints: CA:FALSE, pathlen:0 Netscape Comment: CertMgr :. Netscape Cert Type: SSL Client Signature Algorithm: md5withrsaencryption 08:70:52:cc:9f:37:7f:23:50:76:a6:8c:c6:cb:2b:74:19:f2: de:2b:cc:3f:d1:f6:ab:a7:ab:66:18:ac:c4:40:be:5e:e5:ef: 67:ce:8f:01:94:4c:10:bd:0f:87:f0:8f:6f:e8:55:4b:bf:60: 41:93:f8:26:07:e5:40:1c:ee:09:5d:1e:64:c5:32:cb:1c:20: 7e:87:98:05:0d:91:57:9d:08:71:41:fb:ef:a6:1e:60:c8:06: 90:c1:62:10:5e:d0:8c:cd:65:6a:fe:52:3b:da:a1:7e:4d:52: 49:a7:48:e5:87:a5:28:60:28:e0:47:36:7b:15:93:b1:74:71: f2:75 -----BEGIN CERTIFICATE----- MIICkTCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQQFADAeMQswCQYDVQQGEwJLUjEP MA0GA1UEAxMGcm9vdENBMB4XDTAwMDIyODA3NTc0NFoXDTAxMDIyNzA3NTc0NFow fzelmakga1uebhmcs1ixdjambgnvbagtbvnft1vmmq4wdaydvqqhewvtru9vtdem MAoGA1UEChMDUEtJMQwwCgYDVQQLEwNQS0kxEDAOBgNVBAMUB215X25hbWUxIjAg BgkqhkiG9w0BCQEWE2J1Z2J1ZzcxQG5ldHNnby5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAMRdKlbr+iW5rczgaXt/i3IIQEP4YTc/iaFvVopJeuGbi6IU 6Xb96PnT5W7ccKBpF/h2jy7CllzNlUzDX82h9yAKKEH1oqFz7jVaeWfIF4kjF4OW tmpzi0en4omxwriltlrzsbmmhoxgxkikk3vszz4o0htwolvsyo8wd+budtszagmb AAGjfjB8MB4GA1UdEQQXMBWBE2J1Z2J1ZzcxQG5ldHNnby5jb20wDAYDVR0TBAUw AwIBADA5BglghkgBhvhCAQ0ELBYqQ2VydE1nciA6IMWstvPAzL7wxq4gwM7B9byt ukygu/28usfvtm+02s4gmbegcwcgsagg+eibaqqeawihgdanbgkqhkig9w0baqqf AAOBgQAIcFLMnzd/I1B2pozGyyt0GfLeK8w/0farp6tmGKzEQL5e5e9nzo8BlEwQ vq+h8i9v6fvlv2bbk/gmb+vaho4jxr5kxtllhcb+h5gfdzfxnqhxqfvvph5gyaaq wwiqxtcmzwvq/li72qf+tvjjp0jlh6uoycjgrzz7fzoxdhhydq== -----END CERTIFICATE-----
openssl x509 -text -in cacert.crt noout -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----.
openssl ca ca. CSR (PKCS#10 encoding )SPKAC. -verbose. (-batch. CGI ) -config filename -days arg -gencrl days -md arg default config (/usr/local/ssl/openssl.cnf) config.. days 365 1 CRL. md2, md5, sha, sha1. -policy arg -keyfile arg -key arg -cert -in file -out file -outdir dir -infiles file CApolicy. ( ) CA ( ) passphrase CA PEM encodecsr ( ) directory ( serial.pem) CSR SPKAC (Netscape only) Netscape<KEYGEN> tag SPKAC. Email = jkkim@securesoft.co.kr C = KR CN = jkkim@securesoft.co.kr O = SecureSoft OU = pki L = seoul SPKAC = MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC doxm4vzctdcdc1g711ezwyirpztqymhqoxqcvhbiadxniqnuer1 6U2VmoDyEcuuW32NG5WIS4iaQ5Nr8KmGt/dH6OxXqnmAWqDMOtl b6bysthgbs5bfg0n5ng08lqsdysafhjahu0b0yekuisr962nloz7ott /CchjX/DgwsCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBAINOuS Hl2/mvyYKDk1jspi9lx1UvLfp+y9MXi4VS3Kt2pxk8u91Y39M1jOErqr Tce8MWWIGrjqbmWHTcng1OP5HyuOOx8o16MeM1DTUQc+kegYv6
QgjVvamh1WlB75WPP0xpozKFdU2pYl4LHNKCf9WndT5xYFG4Ndrm 6rmK6t5v
OpenSSL Config File [1] config file format [ ca ] default_ca = CA_default # The default ca section [ CA_default ] dir certs crl_dir = /TEMP-FOLDER/openssl-0.9.3a/apps/secureCA = $dir/certs = $dir/crl database = $dir/index.txt # database index file. new_certs_dir certificate serial crl private_key RANDFILE x509_extensions crl_extensions = $dir/newcerts = $dir/cacert.pem = $dir/serial = $dir/crl.pem = $dir/private/cakey.txt = $dir/private/.rand = usr_cert = crl_ext default_days = 365 default_crl_days = 30 default_md preserve policy = md5 = no = policy_match [ policy_match ] countryname stateorprovincename organizationname organizationalunitname commonname emailaddress = match = match = match = optional = supplied = optional [ policy_anything ] countryname = optional
stateorprovincename localityname organizationname organizationalunitname commonname emailaddress = optional = optional = optional = optional = supplied = optional [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert [ req_distinguished_name ] countryname countryname_default = Country Name (2 letter code) = KR countryname_min = 2 countryname_max = 2 stateorprovincename stateorprovincename_default localityname organizationalunitname commonname = State or Province Name (full name) = Some-State = Locality Name (eg, city) = Organizational Unit Name (eg, section) = Common Name (eg, YOUR name) commonname_max = 64 emailaddress = Email Address emailaddress_max = 40 [ req_attributes ] challengepassword = A challenge password challengepassword_min = 4 challengepassword_max = 20 unstructuredname = An optional company name [ usr_cert ] basicconstraints =CA:FALSE
nscerttype keyusage nscomment subjectkeyidentifier = client, email, objsign = nonrepudiation, digitalsignature, keyencipherment = "Personal Certificate generated by SecureSoft CA" =hash authoritykeyidentifier =keyid,issuer:always subjectaltname issueraltname #nscarevocationurl =email:copy =issuer:copy = http://www.domain.dom/ca-crl.pem #nsbaseurl #nsrevocationurl #nsrenewalurl #nscapolicyurl #nssslservername [ v3_ca ] subjectkeyidentifier =hash authoritykeyidentifier =keyid:always,issuer:always #basicconstraints basicconstraints keyusage nscerttype subjectaltname issueraltname basicconstraints = critical,ca:true = CA:true = crlsign, keycertsign = sslca, emailca =email:copy =issuer:copy = critical, RAW:30:03:01:01:FF [ crl_ext ] issueraltname=issuer:copy authoritykeyidentifier=keyid:always,issuer:always CA OpenSSL openssl.cnf. CA CA_default section dir CA directory
newcerts database file policy text DB. (default) policy Policy sectiondn. 1. match CA 2. optional 3. supplied. policy_match. countryname stateorprovincename organizationname organizationalunitname commonname emailaddress = match = match = match = optional = supplied = optional DN countryname, stateorprovincename, organizationname CA. organizationalunitname, emailaddress, commonname.
CA index OpenSSL text DB. status Expired Date Revoked Date Serial certificate CN V 021031064407Z 01 unknown /C=KR/ CN=rootCA R 021031063252Z 000130122731Z 02 unknown /C=KR/O=SecureSoft/CN=jkkim/Email=1234 @.1.1.1 V 021031065515Z 03 unknown /C=KR/ST=3333/L=3333/O=3333/OU=3/CN= R 010128030114Z 000130122731Z 04 unknown /C=KR/ 333/Email=3333 /CN=anber/Email=aa@securesoft.co.kr V 021031071531Z 05 unknown /C=45/ST=234523io45/L=2345234/O=Interne t Widgits Pty Ltd version certificate. Serial Number serial. CRL.
DN(Distinguished Name). DNX.509. 2 : Distinguished Name Information Common Name CN Organization or Company O,, Organizational Unit OU CN=Frederick Hirsch O=Securesoft, Inc OU=PKU team City/Locality L L=seoul State/Province SP / SP=Massachussetts Country C (ISO code) C=US, C=KR Encoding formasn.1. ASN.1 binary form. binary encodingder(distinguished Encoding Rules) DER encoding rulebasic Encoding Rules (BER). ASCII Base64. Base64 EncodingPEM Encoding. -----BEGIN CERTIFICATE----- base64-encoded content -----END CERTIFICATE----- Base64 Encoding RFC1421-1424 PEM(Privacy Enhanced Mail). OpenSSL CA Creation [STEP 1] CA (self-signed) CA CA. VeriSign. test CA Self-sign CA. (VeriSign CA self-signed ) CA ca.crt, ca.key. CSR.
entity.crt entity.key entity.csr openssl req new out ca.csr keyout ca.key CA. openssl ca in ca.csr signkey ca.key out ca.crt config config_file_name name casection_name openssl req -new -x509 -key key.pem -out dummy.pem CA CA Browser(PKI client). application/x-x509-ca-cert. <HTML><HEAD><TITLE>Load CA Certificate</TITLE></HEAD><BODY> <H1>Load Certificate Authority Certificate</H1> <FORM ACTION="http://example.osf.org/cgi-bin/loadCAcert.pl" METHOD=post> <TABLE><TR> <TD>Netscape Browser (PEM Format):</TD> <TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="PEM" CHECKED></TD></TR> <TR><TD>Microsoft Browser (DER Format):</TD> <TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="DER"></TD></TR> </TABLE> <INPUT TYPE="SUBMIT" VALUE="Load Certificate"> </FORM> </BODY></HTML>
#!/usr/local/bin/perl -T require 5.003; use strict; use CGI; my $cert_dir = "/opt/www/lib/certs"; my $cert_file = "CAcert.pem"; my $query = new CGI; my $kind = $query->param('format'); if($kind eq 'DER') { $cert_file = "CAcert.der"; } my $cert_path = "$cert_dir/$cert_file"; open(cert, "<$cert_path"); my $data = join '',; close(cert); print "Content-Type: application/x-x509-ca-cert\n"; print "Content-Length: ", length($data), "\n\n$data"; 1; [STEP 2] SSL CSR. (CSR self-signed CA ) (1) openssl req new out server.csr keyout server.key (2) openssl ca in server.csr out server.crt (3) (apache web server ), /conf/ssl.crt, /conf/ssl.key../openssl req -new -keyout newkey.pem -out newreq.pem -days 360 -config ssleay.cnf Using configuration from /opt/www/lib/ssleay.cnf Generating a 512 bit private key writing new private key to 'newkey.pem' Enter PEM pass phrase:11111111 Verifying password - Enter PEM pass phrase:11111111 -----
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:KR State or Province Name (full name) [MA]:SEOUL Locality Name (eg, city) [Cambridge]:SEOUL Organization Name (eg, company) [The Open Group]:SecureSoft Organizational Unit Name (eg, section) [Research Institute]:PKI TEAM Common Name (eg, YOUR name) [example.osf.org]:nrg.securesoft.co.kr Email Address []:webmaster@securesoft.co.kr Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:11111111 An optional company name []:Hacker Company CSR server.csr -----BEGIN CERTIFICATE REQUEST----- MIIBXTCCAQcCAQAwgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTESMBAGA1UE... Aty7AlcmN9XNwxUk1w0H3hk= -----END CERTIFICATE REQUEST-----. -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,21F13B37A796482C XIY0c7gnv0BpVKkOqXIiqpyONx8xqW67wghzDlKyoOZt9NDcl9wF9jnddODwv9ZU... QxS2zwfKG1u+YqS1c2v5ecBgqW78DQLvxMkpYU8+xge7vDeoYKE14w== -----END RSA PRIVATE KEY-----
[STEP 3] client client. (1) : HTML page.. (2) :. (3) Submit. i. Browser. (public/private key). ii. iii. iv. Private keybrowser. Public key. ServerCGI script load. (512bits) <KEYGEN>. SPKAC. (Signed Public Key And Challenge) SPKAC = MIIBOj
Email = jkkim@securesoft.co.kr C = KR CN = jkkim@securesoft.co.kr O = SecureSoft SPKAC = MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCdOXM4vzcTdcDC1G711EZwyiRpZtQYmhqOXQ CvhBIAdxNiQNUER16U2VmoDyEcuuW32NG5WIS4iaQ5Nr8KmGt/dH6OxXqnmAWqDMOtlb6bYsthGBS5bFG0n5NG0 8LQSdySafhjahu0B0YeKuISR962NloZ7OtT/CchjX/DgwsCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBAINOuS Hl2/mvyYKDk1jspi9lx1UvLfp+y9MXi4VS3Kt2pxk8u91Y39M1jOErqrTce8MWWIGrjqbmWHTcng1OP5HyuOOx8o16Me M1DTUQc+kegYv6QgjVvamh1WlB75WPP0xpozKFdU2pYl4LHNKCf9WndT5xYFG4Ndrm6rmK6t5v CA : SPKAC. 0001.csr openssl ca spkac 0001.csr out 0001.crt
Explorer IE tag. java Script VB script certenroll.dll (IE 3.x) xenroll.dll(ie 4.x). openssl ca -policy policy_anything -out newcert.pem -config ssleay.cnf -infiles new.pem Using configuration from /opt/www/lib/ssleay.cnf Enter PEM pass phrase:11111111 Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryname :PRINTABLE:'US' stateorprovincename :PRINTABLE:'MA' localityname :PRINTABLE:'Cambridge' organizationname :PRINTABLE:'The Open Group' organizationalunitname:printable:'research Institute' commonname :PRINTABLE:'example.osf.org' emailaddress :IA5STRING:'f.hirsch@opengroup.org' Certificate is to be certified until May 12 15:39:33 1998 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Netscape form <HTML><HEAD><TITLE> </TITLE></HEAD><BODY> <CENTER><H1> </H1></CENTER> <FORM NAME="GenerateForm" ACTION="http://example.osf.org/cgi-bin/ns_key.pl"> <TABLE> <TR><TD> :</TD><TD> <INPUT TYPE="TEXT" NAME="commonName" VALUE="" SIZE=64> </TD></TR> <TR><TD>email:</TD><TD> <INPUT TYPE="TEXT" NAME="emailAddress" VALUE="" SIZE=40> </TD></TR> <TR><TD> :</TD><TD> <INPUT TYPE="TEXT" NAME="organizationName" VALUE=""> </TD></TR> <TR><TD> :</TD><TD> <INPUT TYPE="TEXT" NAME="organizationalUnitName" VALUE=""> </TD></TR> <TR><TD> ( ):</TD><TD> <INPUT TYPE="TEXT" NAME="localityName" VALUE=""> </TD></TR> <TR><TD>(state) :</TD><TD> <INPUT TYPE="TEXT" NAME="stateOrProvinceName" VALUE=""> </TD></TR> <TR><TD> :</TD><TD> <INPUT TYPE="TEXT" NAME="countryName" VALUE="KR" SIZE="2"> </TD></TR> </TABLE> <!-- keygen Netscape. IETAG. --> <KEYGEN NAME="SPKAC" CHALLENGE="challengePassword"> <INPUT TYPE="SUBMIT" NAME="SUBMIT"> </FORM> <P><HR></BODY></HTML>
#!/usr/local/bin/perl require 5.003; use strict; use CGI; use File::CounterFile; # module to maintain certificate request counter my $doc_dir = $ENV{'DOCUMENT_ROOT'}; # apache specific location for storage unless($doc_dir) { print "<HTML><HEAD><TITLE>Failure</TITLE></HEAD>"; print "<BODY>DOCUMENT_ROOT not defined</body></html>"; exit(0); } my $base_dir = $doc_dir; $base_dir =~ s/\/htdocs//; my $SSLDIR = '/opt/dev/ssl'; # define where SSLeay files are located my $CA = "$SSLDIR/bin/ca"; my $CONFIG = "/opt/www/lib/ssleay.cnf"; my $CAPASS = "cakey"; my $query = new CGI; # get a handle on the form data my $key = $query->param('spkac'); # this will fail if not Netscape browser
unless($key) { fail("no Key provided $key. Netscape required"); } my $counter = new File::CounterFile("$base_dir/.counter", 1); unless($counter) { fail("could not create counter: $!"); } my $count = $counter->inc(); my $certs_dir = "$base_dir/certs"; my $req_file = "$certs_dir/cert$count.req"; my $result_file = "$certs_dir/cert$count.result"; # # # Explicitly list form fields we must have for certificate creation to work. my @req_names = ('commonname', 'emailaddress', 'organizationname', 'organizationalunitname', 'localityname', 'stateorprovincename', 'countryname', 'SPKAC'); # build the request file open(req, ">$req_file") or fail("could not create request $req_file: $!"); my $name; foreach $name (@req_names) { my $value = $query->param("$name"); $value =~ tr/\n//d; print REQ "$name = $value\n"; } close(req); # make sure we actually created a request file unless(-f $req_file) { fail("request missing: $req_file"); } unless(-e $CA) { fail("command missing"); } # ensure that ca command will run # command for processing certificate request, without password my $cmd = "$CA -config $CONFIG -spkac $req_file -out $result_file -days 360"; my $rc = system("$cmd -key $CAPASS 2>errs"); if($rc!= 0) { fail("$cmd<p>rc = $rc", "errs"); } open(cert, "<$result_file") or fail("could not open $result_file<p>$!"); # browser. /x-x509-user-certnetscape-only IE. print "Content-Type: application/x-x509-user-cert\n"; my $result = join '', <CERT>; close CERT; my $len = length($result); print "Content-Length: $len\n\n"; print $result; exit(0);
sub fail { my($msg, $errs) = @_; print $query->header; print $query->start_html(-title => "Certificate Request Failure"); print "<H2>Certificate request failed</h2>$msg<p>"; if($errs) { if(open(err, "<errs")) { while(<err>) { print "$_<BR>"; } close ERR; } } print $query->dump(); print $query->end_html(); exit(0); } 1;
#!/usr/local/bin/perl require 5.003; use strict; use CGI; use File::CounterFile; # module to maintain certificate request counter my $SSLDIR = '/opt/dev/ssl'; my $CA = "$SSLDIR/bin/ca"; my $CRL2PKCS7 = "$SSLDIR/bin/crl2pkcs7"; my $CONFIG = "/opt/www/lib/ssleay.cnf"; my $CRL = "$SSLDIR/crl/crl.pem"; my $CAPASS = "cakey"; my $doc_dir = $ENV{'DOCUMENT_ROOT'}; # apache specific location for storage unless($doc_dir) { print "<HTML><HEAD><TITLE>Failure</TITLE></HEAD><BODY>DOCUMENT_ROOT not defined</body></html>"; exit(0); my $base_dir = $doc_dir; $base_dir =~ s/\/htdocs//; my $query = new CGI; my $req = $query->param('reqentry'); unless($req) { fail("no Certificate Request Provided"); } my $counter = new File::CounterFile("$base_dir/.counter", 1); unless($counter) { fail("count not create counter: $!"); }
my $count = $counter->inc(); my $certs_dir = "$base_dir/certs"; my $req_file = "$certs_dir/cert$count.req"; my $result_file = "$certs_dir/cert$count.result"; my $key_file = "$certs_dir/$count.key"; my $debug_file = "$certs_dir/$count.debug"; my $pkcs7_file = "$certs_dir/cert$count.pkcs"; #process request $req =~ tr/\r//d; $req =~ tr/\n//d; # save the certificate request to a file, as received open(req, ">$req_file") or fail("could no save certificate request to file"); print REQ "-----BEGIN CERTIFICATE REQUEST-----\n"; my $result = 1; while($result) { $result = substr($req, 0, 72); if($result) { print REQ "$result\n"; $req = substr($req, 72); } } print REQ "-----END CERTIFICATE REQUEST-----\n"; close(req); unless(-e $CA) { fail("$ca command missing"); } my $cmd = "$CA -config $CONFIG -in $req_file -out $result_file -days 360 -policy policy_match"; my $rc = system("$cmd -key $CAPASS 2>errs <<END\ny\ny\nEND"); my $session = $query->param('sessionid'); my $cn = $query->param('commonname'); if($rc!= 0) { fail("certification Request Failed</h2>$cmd<P>rc = $rc<p>\ sessionid = $session<br>req = $req<br>", "errs"); } my $cmd = "$CRL2PKCS7 -certfile $result_file -in $CRL -out $pkcs7_file"; my $rc = system("$cmd 2>errs"); open(cert, "<$pkcs7_file") or fail("could not open $pkcs7_file<p>$!");
my $certificate = ""; my $started = 0; while(<cert>) { if(/begin PKCS7/) { $started = 1; next; } if(/end PKCS7/) { last; } if($started) { chomp; $certificate.= "$_"; } } close(cert); open(msg, ">msg") or fail("could not generate message"); print MSG <<_END_TEXT_; <HTML><HEAD><TITLE>Finish Client Certificate Installation</TITLE> <!-- Use the Microsoft ActiveX control to install the certificate --> <OBJECT CLASSID="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43" CODE=certenr3.dll ID=certHelper> </OBJECT> <SCRIPT LANGUAGE="JavaScript"> <!-- function InstallCert (subject, sessionid, cert) { if( sessionid == "") { alert("no Session id"); return; }if(cert == "") { alert("no Certificate"); return; }
var doacceptanceuilater = 0; result = certhelper.acceptcredentials(sessionid, cert, 0, doacceptanceuilater); if(result == "") { var msg = "Attempt to install " + subject + " client certificate failed"; alert(msg); return false; } else { var msg = subject + " client certificate installed"; alert(msg); } } --> </SCRIPT> </HEAD> <BODY onload="installcert('$cn', '$session', '$certificate');"> Installing client certificate for $cn<br> session: $session<br> </BODY> </HTML> _END_TEXT_ close(msg); open(rd, "<msg") or fail("could not open msg file"); my $msg = join '', <RD>; close(rd); my $len = length($msg); print "Content-Type: text/html\n"; print "Content-Length: $len\n\n"; print $msg; exit(0); sub fail { my($msg, $errs) = @_; print $query->header; print $query->start_html(-title => "Certificate Request Failure");
print "<H2>Certificate request failed</h2>$msg<p>"; if($errs) { if(open(err, "<errs")) { while(<err>) { print "$_<BR>"; } close ERR; } } print $query->dump(); print $query->end_html(); exit(0); }1;
IE form <HTML><HEAD><TITLE> </TITLE></HEAD><BODY> <!-- Use the Microsoft ActiveX control to generate the certificate --> <OBJECT CLASSID="clsid:33BEC9E0-F78F-11cf-B782-00C04FD7BF43" CODEBASE=certenr3.dll ID=certHelper> </OBJECT> <!-- JavaScript or Visual Basic will work. --> <SCRIPT LANGUAGE="JavaScript"> <!--- // this is from JavaScript: The Definitive Guide, since Microsoft implementation of Math.random() is broken // function random() { random.seed = (random.seed*random.a + random.c) % random.m; return random.seed/random.m; } random.m = 714025; random.a = 4096; random.c = 150889; random.seed = (new Date()).getTime()%random.m; function GenReq () { var sessionid = "a_unique_session_id"; var reqhardware = 0; var szname = ""; var szpurpose = "ClientAuth"; var doacceptanceuinow = 0; var doacceptanceuilater = 0; var doonline = 1; var keyspec = 1; szname = ""; if (document.genreqform.commonname.value == "") { alert("no Common Name"); return false; } else szname = "CN=" + document.genreqform.commonname.value; if (document.genreqform.countryname.value == "") {
alert("no Country"); return false; }else szname = szname + "; C=" + document.genreqform.countryname.value; if (document.genreqform.stateorprovincename.value == "") { alert("no State or Province"); return false; }else szname = szname + "; S=" + document.genreqform.stateorprovincename.value; if (document.genreqform.localityname.value == "") { alert("no City"); return false;}else szname = szname + "; L=" + document.genreqform.localityname.value; if (document.genreqform.organizationname.value == "") { alert("no Organization"); return false; }else szname = szname + "; O=" + document.genreqform.organizationname.value; if (document.genreqform.organizationalunitname.value == "") { alert("no Organizational Unit"); return false; }else szname = szname + "; OU=" + document.genreqform.organizationalunitname.value; /* make session id unique */ sessionid = "xx" + Math.round(random() * 1000); sz10 = certhelper.generatekeypair(sessionid, reqhardware, szname, 0, szpurpose, doacceptanceuinow, doonline, keyspec, "", "", 1); /* * The condition sz10 being empty occurs on any condition in which the credential was not successfully generated. In particular, it occurs when the operation was cancelled by the user, as well as additional errors. A cancel is distinguished from other unsuccessful generations by an empty sz10 and an error value of zero.
*/ if (sz10!= "") { } else { } } //---> </SCRIPT> document.genreqform.reqentry.value = sz10; document.genreqform.sessionid.value = sessionid; alert("key Pair Generation failed"); return false; <CENTER><H3>Generate key pair and client certificate request</h3></center> <FORM METHOD=POST ACTION=http://example.osf.org/cgi-bin/ms_key.pl NAME="GenReqForm" onsubmit="genreq()"> <TABLE> <TR><TD> :</TD><TD><INPUT TYPE=TEXT NAME="commonName" VALUE="" SIZE=64> </TD></TR><TR><TD> :</TD><TD><INPUT TYPE=TEXT NAME="countryName" VALUE="" SIZE=2> </TD></TR><TR><TD>/ :</TD><TD><INPUT TYPE=TEXT NAME="stateOrProvinceName" VALUE=""> </TD></TR><TR><TD> :</TD><TD><INPUT TYPE=TEXT NAME="localityName" VALUE=""> </TD></TR><TR><TD> :</TD><TD><INPUT TYPE=TEXT NAME="organizationName" VALUE=""> </TD></TR><TR><TD> :</TD><TD><INPUT TYPE=TEXT NAME="organizationalUnitName" VALUE=""> </TD></TR></TABLE> <INPUT TYPE=HIDDEN NAME="sessionId"> <INPUT TYPE=HIDDEN NAME="reqEntry"> <INPUT TYPE="SUBMIT" name="submit"> </FORM> </BODY></HTML>
CA command option -config config_file -in CSR -ss_cert filename -spkac filename -infiles file1, file2, -out filrname -outdir directory -cert certfile -key password -verbose -batch -notext -startdate UTC -enddate UTC -days -md default openssl.cnf. CSR self-signed certificate NetscapeSPKAC CSR.. infiles CSR..,.pem. CA CA.. text. notbefore. notafter... openssl.cnfdefault_md. -policy -preservedn -extfile config policy section section. ( ) DN policy section DN.. PKCS12 command PKCS#12. Netscape 4.04 IE 4.0, importexport. IENetscape. PKCS12 PFX (PFX is a horrible, evil, broken predecessor to PKCS#12. It was invented by Microsoft who never really implemented it. Netscape Communicator 4.03 and earlier used it because PKCS#12 didn't exist at the time. For compatibility reasons Netscape 4.04 and later and all versions of MSIE support PFX on import only) PKCS12
128 bit RC4 with SHA1 40 bit RC4 with SHA1 3 key triple DES with SHA1 (168 bits) 2 key triple DES with SHA1 (112 bits) 128 bit RC2 with SHA1 40 bit RC2 with SHA1 DES with MD5 (56bit) DES with MD2 (56bit) Software PKCS#12 import PKCS#12 export PFX Import PFX export Netscape 4.03 and earlier No No Yes Yes Netscape 4.04 and later Yes Yes Yes No MSIE 4.0 and later Yes Yes Yes No [nrg:/src/secureca/test] openssl pkcs12 -in cho.p12 -info Enter Import Password:11111111 MAC Iteration 1 MAC verified OK PKCS7 Encrypted data: pbewithsha1and40bitrc2-cbc, Iteration 2048 Certificate bag Bag Attributes friendlyname: CHO s Certificate localkeyid: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09 subject=/c=kr/st=seoul/l=seoul/o=pki/ou=pki/cn=my_name/email=bugbug71@netsgo.com issuer= /C=KR/CN=rootCA -----BEGIN CERTIFICATE----- MIICkTCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQQFADAeMQswCQYDVQQGEwJLUjEP MA0GA1UEAxMGcm9vdENBMB4XDTAwMDIyODA3NTc0NFoXDTAxMDIyNzA3NTc0NFow fzelmakga1uebhmcs1ixdjambgnvbagtbvnft1vmmq4wdaydvqqhewvtru9vtdem MAoGA1UEChMDUEtJMQwwCgYDVQQLEwNQS0kxEDAOBgNVBAMUB215X25hbWUxIjAg BgkqhkiG9w0BCQEWE2J1Z2J1ZzcxQG5ldHNnby5jb20wgZ8wDQYJKoZIhvcNAQEB BQADgY0AMIGJAoGBAMRdKlbr+iW5rczgaXt/i3IIQEP4YTc/iaFvVopJeuGbi6IU 6Xb96PnT5W7ccKBpF/h2jy7CllzNlUzDX82h9yAKKEH1oqFz7jVaeWfIF4kjF4OW
tmpzi0en4omxwriltlrzsbmmhoxgxkikk3vszz4o0htwolvsyo8wd+budtszagmb AAGjfjB8MB4GA1UdEQQXMBWBE2J1Z2J1ZzcxQG5ldHNnby5jb20wDAYDVR0TBAUw AwIBADA5BglghkgBhvhCAQ0ELBYqQ2VydE1nciA6IMWstvPAzL7wxq4gwM7B9byt ukygu/28usfvtm+02s4gmbegcwcgsagg+eibaqqeawihgdanbgkqhkig9w0baqqf AAOBgQAIcFLMnzd/I1B2pozGyyt0GfLeK8w/0farp6tmGKzEQL5e5e9nzo8BlEwQ vq+h8i9v6fvlv2bbk/gmb+vaho4jxr5kxtllhcb+h5gfdzfxnqhxqfvvph5gyaaq wwiqxtcmzwvq/li72qf+tvjjp0jlh6uoycjgrzz7fzoxdhhydq== -----END CERTIFICATE----- Certificate bag Bag Attributes friendlyname: rootca subject=/c=kr/cn=rootca issuer= /C=KR/CN=rootCA -----BEGIN CERTIFICATE----- MIICDjCCAXegAwIBAgIBADANBgkqhkiG9w0BAQQFADAeMQswCQYDVQQGEwJLUjEP MA0GA1UEAxMGcm9vdENBMB4XDTAwMDIyODA3NTQxNloXDTEwMDIyNTA3NTQxNlow HjELMAkGA1UEBhMCS1IxDzANBgNVBAMTBnJvb3RDQTCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEA4jRa6YuNCx9AX8Pj5rn96HsbNGfMwVxmcVIdFy/F1bTR8rSP Y1Vgi4DQ8/u3QmM8qqQ2CJY6pqe+jT7tA8uk4U0Iws2+mG+zehlueGTBry0SbSHe y3dreabodxwllkltas3qlntax2tu6ag/lsuokgwnotud7khj3gz5v8kkoqscawea AaNcMFowCQYDVR0RBAIwADAPBgNVHRMECDAGAQH/AgEAMCkGCWCGSAGG+EIBDQQc FhpTZWN1cmVTb2Z0IFByaW1hcnkgUm9vdCBDQTARBglghkgBhvhCAQEEBAMCAAcw DQYJKoZIhvcNAQEEBQADgYEA4JnUFQ1GxB324wXxnXVRKNTmyz1xaPnF+PQqsyCo LfwcGv5APBz1XLCr7gu70n/53TnHBLkV4Lu+8EAIUJ4ljjAp9VDIjoQAMcK1O8cy viuuksa45flhnqjpzx1gj/y/662xfk08nufou0/qmuxe7bkzwkfuzskiqkz/2hxa tiy= -----END CERTIFICATE----- PKCS7 Data Shrouded Keybag: pbewithsha1and3-keytripledes-cbc, Iteration 2048 Bag Attributes friendlyname: my_name localkeyid: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09 Key Attributes: <No Attributes> Enter PEM pass phrase:11111111 Verifying password - Enter PEM pass phrase:11111111
Software and mode. Certificate encryption Private key encryption MSIE4 (domestic and export versions) 40 bit RC2 40 bit RC2 PKCS#12 export. MSIE4, 5(domestic and export versions) PKCS#12 import. All. All. MSIE5 PKCS#12 export. 40 bit RC2 3 key triple DES with SHA1 (168 bits) Netscape Communicator (domestic and export versions) PKCS#12 export Netscape Communicator (export version) 40 bit RC2 3 key triple DES with SHA1 40 bit ciphers only. All. (168 bits) PKCS#12 import. Netscape Comminicator (domestic or fortified version) PKCS#12 import. All All OpenSSL PKCS#12 code. All All CRL EXAMPLES CRL. Convert a CRL file from PEM to DER: openssl crl -in crl.pem -outform DER -out crl.der Output the text form of a DER encoded certificate: openssl crl -in crl.der inform der -text [nrg:/usr/local/securesoft/ca] openssl crl -in test.der -inform der -text Certificate Revocation List (CRL): Version 1 (0x0) Signature Algorithm: md5withrsaencryption Issuer: /C=KR/O=SecureSoft, INC./CN=SecureSoft Secure Server CA/Email=ca@securesoft.co.kr Last Update: Mar 2 02:01:51 2000 GMT Next Update: Apr 1 02:01:51 2000 GMT Revoked Certificates: Serial Number: 26 Revocation Date: Mar 2 02:01:04 2000 GMT Serial Number: 27
Revocation Date: Mar 2 01:57:39 2000 GMT Signature Algorithm: md5withrsaencryption 30:2d:43:5b:cb:57:cb:4b:7b:c4:5e:77:22:63:a6:93:96:52: 0a:37:1a:ef:59:16:48:6a:82:64:f2:d2:7a:36:98:60:8f:4a: 5f:08:07:dd:c0:1a:c3:9d:7c:27:e4:0d:c5:a9:d5:f7:f1:e8: ba:9b:93:af:72:b6:17:8b:48:b0:15:5c:79:aa:13:a2:d4:0f: e3:9a -----BEGIN X509 CRL----- MIIBYTCByzANBgkqhkiG9w0BAQQFADByMQswCQYDVQQGEwJLUjEZMBcGA1UEChMQ U2VjdXJlU29mdCwgSU5DLjEkMCIGA1UEAxMbU2VjdXJlU29mdCBTZWN1cmUgU2Vy dyjjppowugo3gu9zfkhqgmty0no2mgcpsv2zeicgcttxuh158hltlfu279nz7/j4 MvZTI0FFTXFlvZlAo7bxzRDjJsMaGt7tO1c+yc+MbF8IB93AGsOdfCfkDcWp1ffx 6Lqbk69ytheLSLAVXHmqE6LUD+Oa -----END X509 CRL----- Ex. Netscapeinstall DER.
req command EXAMPLES (CSR). openssl req -in req.pem -text -verify noout [nrg:/usr/local/securesoft/ca] openssl req -in req.pem -text -verify -noout Using configuration from /usr/local/ssl/openssl.cnf verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=kr, CN=Jinkyu Kim/Email=jkkim@securesoft.co.kr Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Attributes: Modulus (1024 bit): 00:b2:8d:fa:6d:c4:05:ce:04:a0:8a:3f:18:d9:f5: cf:6c:85:5d:60:3c:39:ab:6a:52:80:86:90:78:1f: c8:28:11:54:75:ac:66:13:9f Exponent: 65537 (0x10001) unstructuredname :1111111 challengepassword :jkkim Signature Algorithm: md5withrsaencryption a5:49:6c:c8:d0:9f:21:1a:fa:43:fe:a0:c3:44:f3:5b:f9:c4: 76:66:53:1c:d7:2a:57:90:b7:0e:28:db:a3:98:62:b3:88:58: 5e:d6:8c:23:0b:9c:89:1a:d9:c5:fe:35:a1:53:67:93:f1:81: fb:cd. : openssl genrsa -out key.pem 1024 [nrg:/usr/local/securesoft/ca] openssl genrsa -out key.pem 1024 Generating RSA private key, 1024 bit long modulus...++++++
...++++++ e is 65537 (0x10001) openssl req -new -key key.pem -out req.pem [nrg:/usr/local/securesoft/ca] openssl req -new -key key.pem -out req.pem Using configuration from /usr/local/ssl/openssl.cnf You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:kr Common Name (eg, YOUR name) []:jkkim Email Address []:jkkim@securesoft.co.kr Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:11111111 An optional company name []:jkkim : openssl req -newkey rsa:1024 -keyout key.pem -out req.pem [nrg:/usr/local/securesoft/ca] openssl req -newkey rsa:1024 -keyout key.pem -out req.pem Using configuration from /usr/local/ssl/openssl.cnf Generating a 1024 bit RSA private key...++++++...++++++ writing new private key to 'key.pem' Enter PEM pass phrase:11111111 Verifying password - Enter PEM pass phrase: 11111111 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:KR State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:Jinkyu Kim Email Address []:jkkim@securesoft.co.kr Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:11111111 An optional company name []:jkkim (self-signed)root. openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem [nrg:/usr/local/securesoft/ca] openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem Using configuration from /usr/local/ssl/openssl.cnf Generating a 1024 bit RSA private key...++++++...++++++ writing new private key to 'key.pem' Enter PEM pass phrase:11111111 Verifying password - Enter PEM pass phrase: 11111111 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:kr State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:rootca Email Address []:.. -----BEGIN CERTIFICATE REQUEST----- MIIB3DCCAUUCAQAwazELMAkGA1UEBhMCa3IxDDAKBgNVBAgTAzEyMzEMMAoGA1UE BxMDMTIzMQwwCgYDVQQKEwMxMjMxDDAKBgNVBAsTAzEyMzEMMAoGA1UEAxMDMTIz MRYwFAYJKoZIhvcNAQkBFgcxMjNANDU2MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iqkbgqcwqjsudkdsofbm3teornxt/gmxrcxt6odya6ihllxccz8lwrrlkabfvme9 Oqq7baZDXcK3RaFgsG68XW6WRUmSfJD2GZDDA14nkBf52XxArJqSBf6ZUoQXRQM8 6KhCWaoSVxDN5P/IghC8q89fFoFlBkC9kEcK/iADW2Z0fyaoFwIDAQABoDEwFQYJ KoZIhvcNAQkCMQgTBjEyMzEyMzAYBgkqhkiG9w0BCQcxCxMJMTIzMTIzMTIzMA0G CSqGSIb3DQEBBAUAA4GBAH5RXLEzQj82YeMpzzt3m4zXV+sOSI5nm93bNFUV1Jev p/chsepwr0igan/yiodgbiqujwxfkyv7mjxwehanmti1pigdu2br4x/kxmry3l5h z5dqlslygcgvn/9ezphbddn4nzcisctiwk+od04xaf3ivl+z0jtjdofjsr4fk/zy -----END CERTIFICATE REQUEST----- Headerfooter -----BEGIN NEW CERTIFICATE REQUEST---- -----END NEW CERTIFICATE REQUEST----. (ex. Netscape Certificate Server)