OpenSSL Commands

OpenSSL Commands
    Reading Certificates
        PKCS12
        PEM/X.509
    Manipulating Certificates
        Extracting Certificates from PKCS#12 Certs
        PEM to DER formats
    Creating Certificates
        Creating an RSA certificate – optionally a P12
        Creating a CA Certificate
        Using Attributes for “No Prompting” Creation
        Suite B - Special Case of using Elliptic Curves
    Simulating Clients and Servers (and getting Certificate Chains)
        Simulate Client – Default EMS Server (tibemsdssl.conf)
        Simulate Server – HTTP/S default port (443)
        Getting Certificates from a Remote Site
    Seeing the SSL State

Reading Certificates
PKCS12
C:\OpenSSL\bin>openssl pkcs12 -in alice2.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 70 35 4A E6 37 E6 88 41 DA 29 98 FD 07 65 55 40 35 E2 4D F7
subject=/C=US/ST=CA/O=TIBCO Software Inc./OU=Engineering/CN=alice2/emailAddress=alice@tibco.com
issuer=/C=US/ST=CA/L=Palo Alto/O=TIBCO Software Inc./OU=Engineering/CN=Certificate Authority/emailAddress=cmilono@tibco.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=/C=US/ST=CA/L=Palo Alto/O=TIBCO Software Inc./OU=Engineering/CN=Certificate Authority/emailAddress=cmilono@tibco.com
issuer=/C=US/ST=CA/L=Palo Alto/O=TIBCO Software Inc./OU=Engineering/CN=Certificate Authority/emailAddress=cmilono@tibco.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
localKeyID: 70 35 4A E6 37 E6 88 41 DA 29 98 FD 07 65 55 40 35 E2 4D F7
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,40A7A23A6852782F
-----END RSA PRIVATE KEY-----

PEM/X.509
C:\OpenSSL\bin>openssl x509 -in alice2-cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 373 (0x175)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Palo Alto, O=TIBCO Software Inc., OU=Engineering, CN=Certificate Authority/emailAddress=cmilono@tibco.com
Validity
Not Before: Feb 27 22:29:02 2008 GMT
Not After : Feb 26 22:29:02 2009 GMT
Subject: C=US, ST=CA, O=TIBCO Software Inc., OU=Engineering, CN=alice2/emailAddress=alice@tibco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b8:a3:97:7e:55:47:56:78:59:24:ea:d8:0b:b6:
ee:5a:e5:af:70:cc:f1:b5:c3:d0:a4:77:01:54:75:
29:4d:b5:cc:df:41:d6:24:81:f9:2b:ac:f8:4e:37:
e4:e7:aa:5c:1c:45:7b:ef:89:2c:7c:7a:9f:19:d4:
f7:ca:1f:3e:0d:fe:4b:4e:df:a2:3d:5e:06:5d:a6:
f0:ca:0a:f6:10:6b:82:e2:87:6a:3c:4b:1a:4e:06:
62:4d:23:18:b9:9e:9c:26:9b:7a:5c:b3:1f:b4:e3:
47:e0:d9:d2:52:8d:f2:2e:17:03:60:09:44:59:3f:
4e:1a:be:a1:73:68:2c:5e:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:4D:E4:2C:CC:A0:03:9A:88:71:1B:82:E1:91:72:D0:02:F0:AB:84
X509v3 Authority Key Identifier:
keyid:C7:EA:F8:55:3D:7B:7A:51:25:45:27:ED:0E:19:8F:51:71:BA:06:56
DirName:/C=US/ST=CA/L=Palo Alto/O=TIBCO Software Inc./OU=Engineering/CN=Certificate Authority/emailAddress=cmilono@tibco.com
serial:C1:F4:2E:11:82:E9:EA:05

Signature Algorithm: sha1WithRSAEncryption


6c:39:f6:6f:f6:82:07:a1:18:d5:23:6a:47:da:05:8a:e0:0c:
04:f5:f8:c1:7e:6c:b4:73:88:e6:89:c2:a0:1d:2f:66:5d:df:
7c:2b:7c:26:d1:ed:a3:5e:04:12:71:9f:1a:e1:3a:f3:79:38:
6c:78:71:9f:c1:54:64:eb:03:88:cf:cc:93:03:b1:d7:f6:d1:
a3:be:d4:3c:35:06:a9:00:d4:31:1c:d3:05:a3:e5:08:32:44:
f0:f1:94:48:7c:6c:76:cf:b5:81:5a:f0:08:a1:36:dd:14:5c:
02:f9:72:f5:32:81:75:15:83:06:5a:15:04:68:38:f3:af:4d:
ff:c9
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Manipulating Certificates
Extracting Certificates from PKCS#12 Certs
These commands, in a batch/shell mode, take a single P12 cert as input and output the certificate, the CA certs, and the Private Key, and then convert the private key into PKCS#8 format. Passwords are read from the Environment Variable “PASS”. The “-nokeys” option on the “-cacerts” command keeps the private key out of the trust file.

openssl pkcs12 -in Alice.p12 -nocerts -out Alicekey.pem -passin env:PASS -passout env:PASS
openssl pkcs12 -in Alice.p12 -clcerts -nokeys -out Alicecert.pem -passin env:PASS -passout env:PASS
openssl pkcs12 -in Alice.p12 -cacerts -nokeys -out Alicetrust.pem -passin env:PASS -passout env:PASS
openssl pkcs8 -topk8 -inform PEM -outform PEM -in Alicekey.pem -out Alicekey.p8 -passin env:PASS -passout env:PASS

PEM to DER formats


There are two main styles of encoding: PEM (Privacy Enhanced Mail) and DER (Distinguished Encoding Rules). DER is a binary format that is a subset of BER (Basic Encoding Rules); PEM is the same DER data Base64-encoded as ASCII text between header and footer lines.

C:\OpenSSL\bin>type Pem2Der.bat
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
C:\OpenSSL\bin>type cacert.der
☺☺♦♣ 0üú1♂0 ♠♥U♦♠‼☻US1♂0 ♠♥‼☻CA1↕0►♠♥U♦‼ Palo Alto1∟0
C:\OpenSSL\bin>type cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
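
The PEM/DER relationship described above, checked on a throwaway certificate. This is an added example, not part of the original document; the function names cert_encoding and pem_der_demo, the file demo.cnf and the subject CN=pem-der-demo are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page; the certificate is a throwaway
# generated on the spot and its subject name is constructed.

# Report the encoding from the file content instead of trusting the extension.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER        # a DER certificate starts with an ASN.1 SEQUENCE tag
    else
        echo unknown
    fi
}

pem_der_demo() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=pem-der-demo\n' > demo.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
        -keyout key.pem -out cacert.pem 2>/dev/null
    openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

    # PEM body = Base64 of the DER bytes: drop the header/footer lines, decode.
    grep -v -e '^-----' cacert.pem | openssl base64 -d > body.der
    if cmp -s cacert.der body.der; then same=yes; else same=no; fi

    # Converting the DER file back reproduces the original PEM file.
    openssl x509 -in cacert.der -inform DER -outform PEM -out back.pem
    if cmp -s cacert.pem back.pem; then back=yes; else back=no; fi

    echo "$(cert_encoding cacert.pem) $(cert_encoding cacert.der) body-is-der=$same roundtrip=$back"
)

pem_der_demo
```

Sniffing the first byte is useful because files named .cer or .crt may hold either encoding, and passing the wrong “-inform” makes openssl fail to load the certificate.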

Creating Certificates
Creating an RSA certificate – optionally a P12
These commands, in a batch/shell mode, create a new Certificate Signing Request with a 1024-bit RSA private key, signed with the SHA1 algorithm and written in PEM form. The CA then signs the request with SHA1 and returns a PEM-formatted X.509 certificate. Optionally, we can make a PKCS#12 certificate that includes the client certificate, the CA certificate (chain), and the client private key, which will be encrypted with the AES-128 cipher.

C:\OpenSSL\bin>type MakeRSACert12.bat
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
openssl req -newkey rsa:1024 -sha1 -keyout Key.pem -keyform PEM -out Req.pem -outform PEM
openssl rsa -in Key.pem -aes128 -out Key-enc.pem
openssl ca -md sha1 -in Req.pem -out Cert.pem
ren Key-enc.pem %1-key.pem
ren Cert.pem %1-cert.pem
openssl pkcs12 -aes128 -chain -export -in %1-cert.pem -out %1-cert.p12 -inkey %1-key.pem -CAfile cacert.pem

Creating a CA Certificate
C:\OpenSSL\bin>type createCA.bat
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
openssl req -x509 -newkey rsa:4096 -out cacert-new.pem -outform PEM -days 3650

Using Attributes for “No Prompting” Creation


The following will obtain relevant parameters from a file specified by the “-config” parameter (e.g., attributes.txt) and get passwords from the
Environment Variable “PASS” and drive this process with “-batch”.

REM make a request for 1024-bit RSA signed by SHA1 using inputs from attributes.txt - no prompting
openssl req -newkey rsa:1024 -sha1 -keyout Key.pem -keyform PEM -out Req.pem -outform PEM -config attributes.txt -batch -verbose

REM sign the request
openssl ca -md sha1 -in Req.pem -out Cert.pem -key password -batch

REM make the certificate into PKCS#12 format with the full chain using Priv Key and Export passwords assigned to env var $PASS or %PASS%
openssl pkcs12 -aes128 -chain -export -in Cert.pem -out Cert.p12 -inkey Key.pem -CAfile cacert.pem -name "WooHoo" -passin env:PASS -passout env:PASS

Here is what is placed in the “attributes.txt” file:

[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = password
[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = TIBCO Software Inc.
OU = Engineering
CN = Anyone
emailAddress = anonymous@tibco.com
[ req_attributes ]
challengePassword = password
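
An added end-to-end run, not part of the original document, of the “no prompting” creation above followed by the PKCS#12 extraction commands from the earlier section, with the checks to make afterwards. Assumptions: a throwaway CA is signed with “openssl x509 -req” in place of “openssl ca” (which needs a CA database), keys are 2048-bit RSA with SHA-256 where the page's commands use 1024-bit RSA and SHA1, and the function name p12_roundtrip, the subjects, the passphrase and the file leaky.pem are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page. File names follow the page's
# commands; subjects, the passphrase and the throwaway CA are constructed.
p12_roundtrip() (
    set -e
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    PASS='constructed-demo-passphrase'; export PASS

    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
O  = Example Org
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    cat > attributes.txt <<'EOF'
[ req ]
default_md         = sha256
distinguished_name = req_distinguished_name
prompt             = no
[ req_distinguished_name ]
O  = Example Org
CN = alice-demo
EOF
    # Throwaway CA, then a leaf key and CSR with no prompting. The key
    # passphrase comes from env:PASS, not from output_password in the file.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -config ca.cnf -keyout cakey.pem -out cacert.pem 2>/dev/null
    openssl req -newkey rsa:2048 -config attributes.txt -batch \
        -keyout Key.pem -out Req.pem -passout env:PASS 2>/dev/null
    # "x509 -req" stands in for "openssl ca" in this demo.
    openssl x509 -req -in Req.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -sha256 -days 30 -out Cert.pem 2>/dev/null
    # -keypbe/-certpbe select the ciphers used inside the PKCS#12 file.
    openssl pkcs12 -export -chain -in Cert.pem -inkey Key.pem \
        -CAfile cacert.pem -name alice-demo -out Alice.p12 \
        -keypbe AES-256-CBC -certpbe AES-256-CBC \
        -passin env:PASS -passout env:PASS

    # Split the bundle into key, client certificate and CA certificates.
    openssl pkcs12 -in Alice.p12 -nocerts -out Alicekey.pem \
        -passin env:PASS -passout env:PASS 2>/dev/null
    openssl pkcs12 -in Alice.p12 -clcerts -nokeys -out Alicecert.pem \
        -passin env:PASS 2>/dev/null
    openssl pkcs12 -in Alice.p12 -cacerts -nokeys -out Alicetrust.pem \
        -passin env:PASS 2>/dev/null
    # Same -cacerts command without -nokeys, to show what lands in the file.
    openssl pkcs12 -in Alice.p12 -cacerts -out leaky.pem \
        -passin env:PASS -passout env:PASS 2>/dev/null

    r=""
    cert_pub=$(openssl x509 -in Alicecert.pem -noout -pubkey)
    key_pub=$(openssl pkey -in Alicekey.pem -passin env:PASS -pubout)
    [ "$cert_pub" = "$key_pub" ] && r="$r key-matches-cert"
    grep -q 'PRIVATE KEY' Alicetrust.pem || r="$r trust-has-no-key"
    grep -q 'PRIVATE KEY' leaky.pem && r="$r cacerts-alone-includes-key"
    openssl verify -CAfile Alicetrust.pem Alicecert.pem >/dev/null 2>&1 \
        && r="$r chain-ok"
    echo "${r# }"
)

p12_roundtrip
```

The third token shows why the trust file should be produced with “-nokeys”: without it, “-cacerts” filters only the certificates, and the (encrypted) private key is written alongside the CA certificate.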

Suite B - Special Case of using Elliptic Curves


The US Government has implemented a specification called Suite B. This suite mandates that the underlying crypto provider support FIPS 140-2 for the initialization and conditioning of the library’s behavior; it also calls for FIPS 197 ciphers (AES), has different labels/requirements for “Secret” and “Top Secret”, and mandates very specific algorithms called Elliptic Curve algorithms (EC or ECC). These can be found in EC implementations of the Diffie-Hellman key exchange, in digital signatures, and in TLS algorithms. One specific customer has requested that the curves be prime-based (as opposed to binary) and have a strength of 384 bits. This seems to imply the Object Identifier (OID) of secp384r1, which has the curve name of “NIST/SECG curve over a 384 bit prime field”, and would result in requiring the following TLS ciphers:

• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

The EC algorithms are patented by a company called Certicom (http://www.certicom.com) and have to be licensed. As of September 2008, none of
the crypto providers that TIBCO uses have all of these algorithms; Entrust has most of them, but not ECDH, which is required. The license may be
obtained from NSA. OpenSSL supports these algorithms, so you can build a version of OpenSSL and ‘play around’ with OpenSSL-to-OpenSSL
based solutions, but we aren’t licensed to distribute it with these algorithms. Java 1.6 has NSS (Mozilla’s Network Security Services) which *may*
support EC if built correctly; from early testing, it isn’t clear whether their support is complete or incomplete or whether the issue sits with TIBCO
interfaces requiring supporting changes.

Using any of these algorithms requires a certificate that is built with an Elliptic Curve private key. Looking at the above TLS ciphers, the first two use EC with Digital Signature Algorithm as the CA signing method, while the latter two use RSA to sign the key.

To build an EC certificate, you can use the following commands:

openssl ecparam -out myECkey.pem -name secp384r1 -genkey
openssl req -new -key myECkey.pem -out req.out
…then, depending on use cases, the request is processed like any other CSR, but keeping in mind its use (RSA vs. DSA).

Simulating Clients and Servers (and getting Certificate Chains)


Simulate Client – Default EMS Server (tibemsdssl.conf)

C:\OpenSSL\bin>openssl s_client -connect localhost:7243 -cert \tibco\ems\bin\certs\client.cert.pem -key client.key.pem -debug


Enter pass phrase for client.key.pem:
Loading 'screen' into random state - done
CONNECTED(0000077C)
write to 0xa3f920 [0xa41208] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 b0 54 a2 e9 .............T..
0060 - cb e4 7d 03 eb 54 8a a4-ff 94 c7 4c ba ec 11 e9 ..}..T.....L....
0070 - ac 3a ae fd 1b e8 21 58-98 82 3d 22 .:....!X..="
read from 0xa3f920 [0xa46768] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02 ....J.
0007 - <SPACES/NULS>

<stuff deleted>
Note: you can also specify a cipher (or several, as a list) with the additional parameter “-cipher”, for example: -cipher RC4-MD5

Simulate Server – HTTP/S default port (443)


C:\OpenSSL\bin>openssl s_server -accept 443 -cert \tibco\ems\bin\certs\client.cert.pem -key \tibco\ems\bin\certs\client.key.pem -debug
Enter pass phrase for \tibco\ems\bin\certs\client.key.pem:
Loading 'screen' into random state - done
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
<stuff deleted>
-----END SSL SESSION PARAMETERS-----
Shared ciphers:RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA
CIPHER is RC4-MD5
<more stuff deleted>
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint
t, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR
3.0.04506.30; Zune
Host: localhost
Connection: Keep-Alive

Getting Certificates from a Remote Site


Same command as a Client, but with “-showcerts”. Note: the EMS server is configured only with “ssl_server_identity”, not “ssl_server_issuer”, so
we only get the certificate of “server.cert.pem”:

C:\OpenSSL\bin>openssl s_client -connect localhost:7243 -cert \tibco\ems\bin\certs\client.cert.pem -key client.key.pem -debug -showcerts

<stuff deleted>
Certificate chain
0 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The Certificate shown is the same as \tibco\ems\bin\certs\server.cert.pem

When we modify the EMS server to expose its CA, we get the following:

Certificate chain
0 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[This is the Server’s Certificate – certificate 0 of the chain. Subject (s): OU=server; Issuer (i): OU=server_root]

1 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[This is the CA’s Certificate that signed the Server’s Certificate – certificate 1 of the chain. Subject (s): OU=server_root; Issuer (i): OU=server_root]
[NOTE: Subject and Issuer have the same identity; this is what is called a self-signed certificate.]
---
Server certificate
subject=/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
issuer=/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
---
Acceptable client certificate CA names
/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@testcompany.com
---
SSL handshake has read 1523 bytes and written 915 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: E8A958C44ED4F8B51E912AF251267698618B3A7A6E4774FC170B0AE1285F4A99
Session-ID-ctx:
Master-Key: 7BE50687EB5971E6E0AC2355003E341EE887C0B21EB200C997738CEA5E7919F0FCC8507F8A723DA32965A85DFFAA03AD
Key-Arg : None
Start Time: 1204764263
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

Note the “s:” entries in the chain listing: s = subject, which is the equivalent of the Common Name (CN). The “i:” (issuer) entry of certificate 1 and the “s:” entry above it indicate that this is the CA with its CN=server_root.
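
A check over the “Certificate chain” listing discussed above, as an added example that is not part of the original document: it reports whether each certificate is issued by the next one in the list and whether the top of the chain is a self-signed root or an issuer the server did not send. The function chain_report and the sample_* helpers are hypothetical names; the DNs are copied from the output above, and the third sample (an unrelated CA sent as certificate 1) is constructed.

```sh
#!/bin/sh
# Added example, not from the original page. The DNs are copied from the
# s_client output above; the third sample (wrong CA sent) is constructed.

SERVER='/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com'
ROOT='/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com'
CLIENT_ROOT='/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@testcompany.com'

# Read s_client output on stdin and summarise the "Certificate chain" listing.
chain_report() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && $0 == "---"    { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ *i:/ && n   { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        /Verify return code:/      { sub(/^.*Verify return code: */, ""); verify = $0 }
        END {
            # Each certificate must be issued by the next one in the list.
            linked = "yes"
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) linked = "no"
            if (n == 0)                         top = "no-chain"
            else if (iss[n - 1] == subj[n - 1]) top = "self-signed"
            else                                top = "issuer-not-sent"
            if (verify == "") verify = "not-shown"
            printf "certs=%d linked=%s top=%s verify=%s\n", n, linked, top, verify
        }'
}

# Server configured with ssl_server_identity only: one certificate is sent.
sample_identity_only() {
    printf 'Certificate chain\n 0 s:%s\n   i:%s\n' "$SERVER" "$ROOT"
}

# Server also exposes its CA: the self-signed root is sent as certificate 1.
sample_with_issuer() {
    printf 'Certificate chain\n 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n---\n' \
        "$SERVER" "$ROOT" "$ROOT" "$ROOT"
    printf '    Verify return code: 19 (self signed certificate in certificate chain)\n'
}

# Constructed failure case: certificate 1 is not the issuer of certificate 0.
sample_wrong_issuer() {
    printf 'Certificate chain\n 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n---\n' \
        "$SERVER" "$ROOT" "$CLIENT_ROOT" "$CLIENT_ROOT"
}

for s in sample_identity_only sample_with_issuer sample_wrong_issuer; do
    printf '%s: ' "$s"
    "$s" | chain_report
done
```

The same function can read live output piped from “openssl s_client -connect host:port -showcerts”; the PEM blocks between the s:/i: lines are ignored.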
Seeing the SSL State
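CLIENT                    Directionality    SERVER
1. Client Hello           -------------->
                          <--------------   2. Server hello
                          <--------------   3. Certificate
                          <--------------   4. Certificate Request
                          <--------------   5. Server Key Exchange
                          <--------------   6. Server hello done
7. Certificate            -------------->
8. Client Key Exchange    -------------->
9. Certificate Verify     -------------->
10. Change cipher spec    -------------->
11. Finished              -------------->
                          <--------------   12. Change cipher spec
                          <--------------   13. Finished
14. Encrypted Data        <------------->   14. Encrypted Data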

C:\OpenSSL\bin>openssl s_client -connect localhost:7243 -cert \tibco\ems\bin\certs\client.cert.pem -key \tibco\ems\bin\certs\client.key.pem -state
Enter pass phrase for \tibco\ems\bin\certs\client.key.pem:
Loading 'screen' into random state - done
CONNECTED(0000077C)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
1 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
---
Server certificate
-----BEGIN CERTIFICATE-----
