view tls.rst @ 2492:bd3d45148652

Fixed example.
author Oleksandr Gavenko <gavenkoa@gmail.com>
date Sun, 03 Jan 2021 23:37:00 +0200
parents 5bb8692c080a
children 8f83c9cd3059


==========
 SSL, TLS
==========
.. contents::
   :local:

Generate private keys
=====================

Generate RSA key (last argument is a key bit size)::

  openssl genrsa -des3 -out my.key -passout pass:123456 2048

Generate DSA key::

  openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)

List the elliptic curves available for EC keys::

  openssl ecparam -list_curves

Generate a self-signed certificate
==================================

``openssl`` can generate a self-signed certificate with a single command (``-newkey``
instructs it to generate a private key and ``-x509`` instructs it to issue a self-signed
certificate instead of a signing request)::

  openssl req -x509 -newkey rsa:4096 \
    -keyout my.key -passout pass:123456 -out my.crt \
    -days 365 \
    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth

You can generate a private key and construct a self-signed certificate in separate steps::

  openssl genrsa -out my.key -passout pass:123456 2048

  openssl req -x509 \
    -key my.key -passin pass:123456 -out my.crt \
    -days 3650 \
    -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
    -addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
    -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth

Review the resulting certificate::

  openssl x509 -text -noout -in my.crt

.. note::
   With ``openssl`` we can add an extra step, a separate signing request:

   * generate private key (``openssl genrsa``)
   * generate CSR (``openssl req -new``)
   * sign CSR with private key (``openssl x509``)

   The problem here is that ``openssl x509`` has no option like ``-addext``, so the
   extensions have to come from a config file. Of course, with the Bash syntax ``<(...)``
   we can supply the required extensions inline::

     openssl genrsa -out my.key -passout pass:123456 2048

     openssl req -new \
       -key my.key -passin pass:123456 -out my.csr \
       -subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal

     openssl x509 -req \
       -in my.csr -signkey my.key -passin pass:123456 -out my.crt \
       -days 3650 -CAcreateserial \
       -extensions v3_ca \
       -extfile <( \
         echo "[v3_ca]"; \
         echo "extendedKeyUsage=serverAuth"; \
         echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")

Java ``keytool`` generates the key pair and self-signed certificate directly in a PKCS#12 store::

  keytool -genkeypair -keystore my.p12 -alias master \
    -storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
    -storepass 123456 \
    -dname "CN=localhost,O=home,C=US" \
    -ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'

View the keystore::

  keytool -list -v -keystore my.p12 -storepass 123456

To export the self-signed certificate::

  keytool -exportcert -keystore my.p12 -file my.crt \
    -alias master -rfc -storepass 123456

Review the resulting certificate::

  keytool -printcert -file my.crt

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
  How to create a self-signed certificate with OpenSSL.

Verify self-signed certificate
==============================

Use a private key and corresponding self-signed certificate to launch a server::

  openssl s_server -accept 8000 -www -key my.key -cert my.crt

Clients should use the self-signed certificate itself as the trusted CA file for verification::

  echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt

  curl -v --cacert my.crt https://localhost:8000

There is no certificate chain so the check is trivial for self-signed certificates...
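
The checks below are an added example, not part of the original notes: they confirm that a certificate is self-issued, is accepted with itself as the trust anchor (the decision ``-CAfile my.crt`` makes above) and covers the host name a client will connect to. The function names and the throwaway certificate are assumptions made for the example, and ``db.internal`` is a constructed name deliberately missing from ``subjectAltName``.

```shell
#!/bin/sh
# Added example: pre-flight checks for a self-signed certificate that is
# used as its own trust anchor. Function names and paths are illustrative.

# check_selfsigned CERT HOST
# Returns 0 when CERT passes every check; 1-3 identify the failed check.
check_selfsigned() {
  # 1: self-issued, i.e. subject and issuer names hash to the same value.
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ] || return 1
  # 2: accepted with the certificate itself supplied as trust anchor
  #    (verify also rejects expired or not-yet-valid certificates).
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 2
  # 3: host name covered; -checkhost always exits 0, so test its message.
  openssl x509 -noout -checkhost "$2" -in "$1" \
    | grep -q 'does match certificate' || return 3
}

# make_sample_cert DIR: constructed sample input, a throwaway key and
# certificate carrying two of the SAN DNS names used on this page.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/my.key" -out "$1/my.crt" -subj /CN=localhost \
    -addext "subjectAltName = DNS:localhost,DNS:web.internal" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_sample_cert "$dir" || return 1
  for h in localhost web.internal db.internal; do
    rc=0
    check_selfsigned "$dir/my.crt" "$h" || rc=$?
    echo "$h -> $rc"
  done
  rm -rf "$dir"
}
demo
```

A non-zero result for a name means clients connecting under that name will fail host name verification even though the certificate itself is trusted.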

PKCS#12 stores
==============

A PKCS#12 store keeps private keys and certificates together. To combine a private key and certificates into a store::

  openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master

Show info about PKCS#12 store::

  openssl pkcs12 -info -in my.p12 -passin pass:123456 -nodes
  keytool -list -v -keystore my.p12 -storepass 123456

To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
PRIVATE KEY``)::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes

To extract the private key and convert it to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
DSA PRIVATE KEY``)::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa

To show private key info::

  openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout

To show certificate info::

  openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
  openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
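
A round trip through a PKCS#12 store, as an added example that is not part of the original notes: it checks that the stored private key belongs to the stored certificate and exports the key as encrypted PKCS#8 instead of dumping it in the clear with ``-nodes``. Pass phrases are read with ``env:VAR`` rather than ``pass:...`` so they stay off the command line; the function names, the variable names ``P12_PASS`` and ``KEY_PASS`` and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example: PKCS#12 round trip with pass phrases taken from the
# environment (env:VAR) instead of pass:... on the command line.
# Function names, variable names and temp paths are illustrative.

# p12_key_matches_cert P12: 0 if the public key derived from the stored
# private key equals the public key in the stored leaf certificate.
p12_key_matches_cert() {
  from_key=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
    2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
  from_crt=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
    2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# p12_export_encrypted_key P12 OUT: write the key as encrypted PKCS#8,
# readable by the owner only.
p12_export_encrypted_key() {
  ( umask 077
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts \
      -passout env:KEY_PASS -out "$2" 2>/dev/null ) || return 1
  grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$2"
}

# make_sample_p12 DIR: constructed sample input (throwaway key, cert, store).
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$1/my.key" -out "$1/my.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/my.crt" -inkey "$1/my.key" \
    -out "$1/my.p12" -name master -passout env:P12_PASS
}

demo() {
  P12_PASS=123456 KEY_PASS=654321   # constructed sample pass phrases
  export P12_PASS KEY_PASS
  dir=$(mktemp -d)
  make_sample_p12 "$dir" || return 1
  p12_key_matches_cert "$dir/my.p12" && echo "key matches certificate"
  p12_export_encrypted_key "$dir/my.p12" "$dir/key.pem" \
    && echo "key exported as encrypted PKCS#8"
  rm -rf "$dir"
}
demo
```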