| Previous Post | Top | Next Post |
TOC
I researched on creating self-signed certificates in Privacy-Enhanced Mail (PEM) format for use in testing HTTPS server and RDP connections.
CA certificates
As I checked CA certificates in /etc/ssl/certs for accessing HTTPS (TLS) web pages,
I see Signature Algorithm as:
ecdsa-with-SHA256ecdsa-with-SHA384sha1WithRSAEncryptionsha256WithRSAEncryptionsha384WithRSAEncryptionsha512WithRSAEncryption
Here, I used openssl x509 -in <filename> -noout -text to check content of
certificates.
RSA (2048bit) algorithm
Since sha256WithRSAEncryption is most popular for CA certificates, I tried to
create self-signed one in 3 steps:
- Step 1: create the private key
- Step 2: create the self-signed public certificate
- Step 3: print out the content of the self-signed public certificate
Although many examples on the web use openssl genrsa ..., I used openssl genpkey ... here. This is because openssl-genpkey(1ssl) states
NOTES
The use of the genpkey program is encouraged over the algorithm specific utilities because additional algorithm options and ENGINE provided algorithms can be used.
Step 1 (create private key)
$ openssl genpkey -algorithm rsa -out rsa_private_key.pem
...
This creates key in PKCS #8 format:
$ head -2 rsa_private_key.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCpdaNF0FYQbpDh
Step 2 (create public certificate)
$ openssl req -new -key rsa_private_key.pem -x509 -days 3000 -out rsa_public_certificate.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:TOKYO
Locality Name (eg, city) []:TOKYO
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FOOBAR
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:foo@example.org
Alternatively, we can split this step into creating the public key and signing it with private key to create the self-signed certificate as follows:
$ openssl req -new -key rsa_private_key.pem -out rsa_public.pem
...
$ openssl x509 -req -days 3000 -signkey rsa_private_key.pem -in rsa_public.pem -out rsa_public_certificate.pem
Step 3 (print out the certificate in text form)
$ openssl x509 -in rsa_public_certificate.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
24:eb:e1:75:1e:1f:28:e9:df:51:6e:37:3c:55:2e:7e:ab:4a:1f:d6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = JA, ST = TOKYO, L = TOKYO, O = FOOBAR, emailAddress = foo@example.org
Validity
Not Before: Nov 30 08:49:55 2023 GMT
Not After : Feb 16 08:49:55 2032 GMT
Subject: C = JA, ST = TOKYO, L = TOKYO, O = FOOBAR, emailAddress = foo@example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:75:a3:45:d0:56:10:6e:90:e1:f5:4c:ea:ad:
85:30:46:17:86:fe:bb:fe:24:55:e8:4d:96:ad:f1:
04:7d:60:65:ca:9a:ca:04:7c:db:95:18:64:9a:fd:
c7:c1:6e:a7:0f:ae:f4:a7:95:7a:d8:d1:aa:a5:bd:
32:0f:36:7b:85:da:fc:d5:1f:34:ec:15:fc:78:e6:
89:39:37:57:da:ff:fd:91:fb:e4:21:35:be:43:57:
b6:dd:5e:8c:a3:03:46:0e:c3:69:d4:33:b8:c2:41:
91:ab:36:b3:08:89:aa:91:51:e1:f2:8e:c2:ce:59:
9c:98:ac:bf:50:47:e1:b9:22:37:0a:e6:93:76:ca:
1c:16:23:d8:71:2a:f4:71:e3:99:74:f4:e0:c7:ae:
cc:54:ac:ce:ad:fc:23:c1:c9:db:ca:98:ad:9d:e6:
f3:e0:ab:1a:79:15:d6:ae:e3:9d:99:ba:06:32:20:
8c:f4:b8:5f:00:37:b5:d5:ac:b7:9d:df:d2:6a:24:
73:7d:0c:46:8b:9e:18:c9:c0:47:5a:71:89:81:84:
11:8f:42:e7:b3:9a:a6:9a:ec:a5:17:98:e5:13:b8:
41:00:2a:97:4e:f9:4f:6d:20:59:4d:88:3f:ca:0e:
d3:af:88:c6:40:fc:13:69:61:92:a5:e1:ca:5e:2d:
ab:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:C8:0E:DE:1A:32:75:A8:CD:B6:E2:40:AC:C8:90:2E:68:DA:75:81
X509v3 Authority Key Identifier:
E5:C8:0E:DE:1A:32:75:A8:CD:B6:E2:40:AC:C8:90:2E:68:DA:75:81
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
03:8d:ed:80:42:41:f7:9a:cc:51:da:90:e6:50:e8:af:82:6c:
04:9f:8b:5b:af:24:f5:e3:d5:93:78:63:6d:0e:5b:06:ac:8e:
49:ed:e5:50:b2:da:ca:79:1b:c8:19:8b:ba:1d:1e:ff:b7:55:
d2:4b:29:f2:62:1d:f5:01:46:df:8d:36:28:ae:bb:ef:ef:ef:
1c:76:1f:34:c4:e3:20:29:f5:ea:fc:86:7a:34:57:de:f4:b4:
3e:fd:fd:43:c7:74:04:53:5e:79:e5:f0:81:c3:05:ae:d6:71:
f7:a8:5c:1c:b6:19:19:81:d5:07:0b:69:6a:50:ba:dd:83:cf:
3a:d4:c5:d7:89:04:ea:98:b1:91:60:51:97:a3:cc:8d:10:cd:
3e:47:44:fd:fa:ab:29:a1:dc:40:d6:91:36:48:cd:e2:8f:4c:
76:c2:c3:cd:7a:f5:ac:08:66:b7:3b:ad:86:3b:e0:5f:24:07:
11:46:03:c4:1f:87:5c:cf:18:94:d8:c4:c6:80:7a:ee:a8:57:
c1:ce:45:b9:6c:44:9d:1f:08:3a:27:5f:d5:ec:35:e4:50:cf:
1a:c2:6b:8a:36:2b:f6:6a:af:d8:02:dd:9a:30:fe:5c:c0:5a:
8a:d7:e7:1a:ac:2d:6a:0a:f3:ba:ed:d0:86:25:d7:17:df:cd:
18:8f:78:0c
ED25519 algorithm
Although I don’t see ED25519 is in use for CA certificates, I created
a self-signed certificate using ED25519, here.
Step 1 (create private key)
$ openssl genpkey -algorithm ED25519 -out ed25519_private_key.pem
Step 2 (create public certificate)
$ openssl req -new -key ed25519_private_key.pem -x509 -days 3000 -out ed25519_public_certificate.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JA
State or Province Name (full name) [Some-State]:TOKYO
Locality Name (eg, city) []:TOKYO
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FOOBAR
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:foo@example.org
Step 3 (print out the certificate in text form)
$ openssl x509 -in ed25519_public_certificate.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:31:a9:bf:79:43:7c:3f:42:72:47:19:14:1d:08:ae:40:58:da:6e
Signature Algorithm: ED25519
Issuer: C = JA, ST = TOKYO, L = TOKYO, O = FOOBAR, emailAddress = foo@example.org
Validity
Not Before: Nov 30 08:52:06 2023 GMT
Not After : Feb 16 08:52:06 2032 GMT
Subject: C = JA, ST = TOKYO, L = TOKYO, O = FOOBAR, emailAddress = foo@example.org
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
ad:67:c6:2b:40:1f:02:ea:36:8c:82:c6:e5:d0:0a:
d7:6e:d5:c1:f5:bb:b1:c9:e2:5a:4a:9f:93:ec:cb:
07:45
X509v3 extensions:
X509v3 Subject Key Identifier:
2F:E0:05:FC:D4:31:D5:43:0C:2C:88:20:D5:1A:37:5E:3A:F7:F5:D1
X509v3 Authority Key Identifier:
2F:E0:05:FC:D4:31:D5:43:0C:2C:88:20:D5:1A:37:5E:3A:F7:F5:D1
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: ED25519
Signature Value:
35:e2:d2:44:69:45:eb:70:f1:22:56:a2:07:1c:15:33:7f:8e:
72:a4:4a:9e:ec:ad:57:0c:7d:8c:35:1d:34:b6:7d:c0:49:73:
56:ca:6e:01:4f:1a:39:84:8a:b6:a6:7c:f2:16:62:c8:4d:cc:
9c:16:ce:d8:86:b3:05:74:ce:0f
Comparison of algorithm
ED25519 creates much smaller files.
$ ls -l
-rw------- 1 osamu osamu 119 Nov 30 17:51 ed25519_private_key.pem
-rw-rw-r-- 1 osamu osamu 692 Nov 30 17:52 ed25519_public_certificate.pem
-rw------- 1 osamu osamu 1704 Nov 30 17:48 rsa_private_key.pem
-rw-rw-r-- 1 osamu osamu 1314 Nov 30 17:49 rsa_public_certificate.pem
Notable keywords for PKI
Here are some notable keywords used for public key infrastructure (PKI).
- “Base64” encodes binary data using 64 ASCII characters (
A-Z,a-z,0-9,+,/) and padding=character.- URL and filename safe Base64URL encoding uses
-and_instead of+and/respectively.
- URL and filename safe Base64URL encoding uses
- “Multipurpose Internet Mail Extensions (MIME)” can use base64 as “Content-Transfer-Encoding”.
- “Secure/Multipurpose Internet Mail Extensions (S/MIME)” is a standard for public-key encryption and signing of MIME data.
- “PKCS (Public Key Cryptography Standards)” are a group of public key cryptography standards.
- PKCS #1: RSA cryptography standard (This uses
BEGIN RSA PRIVATE KEYfor private key) – legacy - PKCS #7: cryptographic message syntax standard
- PKCS #8: Private-Key Information Syntax Standard (This uses
BEGIN PRIVATE KEYfor private key) - PKCS #10: certificate signing request standard
- PKCS #11: a platform-independent API standard to cryptographic tokens
- PKCS #12: an archive file format standard for storing many cryptography objects as a single file
- PKCS #1: RSA cryptography standard (This uses
- ASN.1 (Abstract Syntax Notation One)
- “X.509” defines the format of public key certificates used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS.
- “PEM (Privacy-Enhanced Mail)”: ASCII text format storing and sending cryptographic keys, certificates, and other data using base64 encoded data sandwiched between labeled lines.
- “DER (Distinguished Encoding Rules)”: binary format
- PKCS #7: see “What’s the difference between X.509 and PKCS#7 Certificate?”.
| Previous Post | Top | Next Post |