OpenSSL Commands
PEM/X.509
C:\OpenSSL\bin>openssl x509 -in alice2-cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 373 (0x175)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Palo Alto, O=TIBCO Software Inc., OU=Engineering, CN=Certificate Authority/emailAddress=cmilono@tibco.com
Validity
Not Before: Feb 27 22:29:02 2008 GMT
Not After : Feb 26 22:29:02 2009 GMT
Subject: C=US, ST=CA, O=TIBCO Software Inc., OU=Engineering, CN=alice2/emailAddress=alice@tibco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b8:a3:97:7e:55:47:56:78:59:24:ea:d8:0b:b6:
ee:5a:e5:af:70:cc:f1:b5:c3:d0:a4:77:01:54:75:
29:4d:b5:cc:df:41:d6:24:81:f9:2b:ac:f8:4e:37:
e4:e7:aa:5c:1c:45:7b:ef:89:2c:7c:7a:9f:19:d4:
f7:ca:1f:3e:0d:fe:4b:4e:df:a2:3d:5e:06:5d:a6:
f0:ca:0a:f6:10:6b:82:e2:87:6a:3c:4b:1a:4e:06:
62:4d:23:18:b9:9e:9c:26:9b:7a:5c:b3:1f:b4:e3:
47:e0:d9:d2:52:8d:f2:2e:17:03:60:09:44:59:3f:
4e:1a:be:a1:73:68:2c:5e:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:4D:E4:2C:CC:A0:03:9A:88:71:1B:82:E1:91:72:D0:02:F0:AB:84
X509v3 Authority Key Identifier:
keyid:C7:EA:F8:55:3D:7B:7A:51:25:45:27:ED:0E:19:8F:51:71:BA:06:56
DirName:/C=US/ST=CA/L=Palo Alto/O=TIBCO Software Inc./OU=Engineering/CN=Certificate Authority/emailAddress=cmilono@tibco.com
serial:C1:F4:2E:11:82:E9:EA:05
Manipulating Certificates
Extracting Certificates from PKCS#12 Certs
These commands, run in batch/shell mode, take a single PKCS#12 (P12) file as input and output the client certificate, the CA certificates, and the private key; the last command converts the private key into PKCS#8 format.
openssl pkcs12 -in Alice.p12 -nocerts -out Alicekey.pem -passin env:PASS -passout env:PASS
openssl pkcs12 -in Alice.p12 -clcerts -nokeys -out Alicecert.pem -passin env:PASS -passout env:PASS
openssl pkcs12 -in Alice.p12 -cacerts -nokeys -out Alicetrust.pem -passin env:PASS -passout env:PASS
openssl pkcs8 -topk8 -inform PEM -outform PEM -in Alicekey.pem -out Alicekey.p8 -passin env:PASS -passout env:PASS
C:\OpenSSL\bin>type Pem2Der.bat
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
C:\OpenSSL\bin>type cacert.der
☺☺♦♣ 0üú1♂0 ♠♥U♦♠‼☻US1♂0 ♠♥‼☻CA1↕0►♠♥U♦‼ Palo Alto1∟0
C:\OpenSSL\bin>type cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Creating Certificates
Creating an RSA certificate – optionally a P12
These commands, run in batch/shell mode, create a new Certificate Signing Request (CSR) with a 1024-bit RSA private key, signed with the SHA1 algorithm and written in PEM form. The CA then signs the request with SHA1 and returns a PEM-formatted X.509 certificate. Optionally, we can make a PKCS#12 file that includes the client certificate, the CA certificate (chain), and the client private key, which is encrypted with the AES-128 cipher.
C:\OpenSSL\bin>type MakeRSACert12.bat
set OPENSSL_CONF=C:\OpenSSL\bin\OpenSSL.cnf
openssl req -newkey rsa:1024 -sha1 -keyout Key.pem -keyform PEM -out Req.pem -outform PEM
openssl rsa -in Key.pem -aes128 -out Key-enc.pem
openssl ca -md sha1 -in Req.pem -out Cert.pem
REM make a request for 1024-bit RSA signed by SHA1 using inputs from attributes.txt - no prompting
openssl req -newkey rsa:1024 -sha1 -keyout Key.pem -keyform PEM -out Req.pem -outform PEM -config attributes.txt -batch -verbose
REM make the certificate into PKCS#12 format with the full chain using Priv Key and Export passwords assigned to env var $PASS or %PASS%
openssl pkcs12 -aes128 -chain -export -in Cert.pem -out Cert.p12 -inkey Key.pem -CAfile cacert.pem -name "WooHoo" -passin env:PASS -passout env:PASS
[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = password
[ req_distinguished_name ]
C = US
ST = CA
L = Palo Alto
O = TIBCO Software Inc.
OU = Engineering
CN = Anyone
emailAddress = anonymous@tibco.com
[ req_attributes ]
challengePassword = password
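The certificate dumped at the top of this page and the request commands above use SHA1 signatures and 1024-bit RSA keys, both below what current guidance such as NIST SP 800-131A accepts. As an added example (not part of the original document), this Python script audits `openssl x509 -text` output for those two settings and for expiry; the policy thresholds and finding names are assumptions, and the sample text is constructed from the dump shown earlier.

```python
import re
from datetime import datetime

# Constructed sample: fields copied from the `openssl x509 -text` output of
# alice2-cert.pem shown earlier on this page, trimmed to what is audited.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Feb 27 22:29:02 2008 GMT
            Not After : Feb 26 22:29:02 2009 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
"""

WEAK_DIGESTS = ("md2", "md4", "md5", "sha1")  # assumed policy: reject these
MIN_RSA_BITS = 2048                            # assumed policy floor


def audit_x509_text(text, now):
    """Return a list of policy findings for one `openssl x509 -text` dump."""
    findings = []

    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and sig.group(1).lower().startswith(WEAK_DIGESTS):
        findings.append("weak-signature-digest:" + sig.group(1))

    # Older builds print "RSA Public Key:", newer ones "Public-Key:".
    if re.search(r"Public Key Algorithm:\s*rsaEncryption", text):
        bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
        if bits and int(bits.group(1)) < MIN_RSA_BITS:
            findings.append("rsa-key-too-short:" + bits.group(1))

    # Validity dates are printed in GMT, e.g. "Feb 26 22:29:02 2009 GMT".
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if end:
        expiry = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
        if now > expiry:
            findings.append("expired:" + expiry.date().isoformat())

    return findings


if __name__ == "__main__":
    for finding in audit_x509_text(SAMPLE_TEXT, datetime(2008, 9, 1)):
        print(finding)
```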
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
The EC algorithms are patented by a company called Certicom (http://www.certicom.com) and have to be licensed. As of September 2008, none of
the crypto providers that TIBCO uses have all of these algorithms; Entrust has most of them, but not ECDH, which is required. The license may be
obtained from NSA. OpenSSL supports these algorithms, so you can build a version of OpenSSL and ‘play around’ with OpenSSL-to-OpenSSL
based solutions, but we aren’t licensed to distribute it with these algorithms. Java 1.6 has NSS (Mozilla’s Network Security Services) which *may*
support EC if built correctly; from early testing, it isn’t clear whether their support is complete or incomplete or whether the issue sits with TIBCO
interfaces requiring supporting changes.
Using any of these algorithms requires a certificate that is built with an Elliptic Curve private key. Looking at the above TLS ciphers, the first two use EC with the Digital Signature Algorithm (ECDSA) as the CA signing method, while the latter two use RSA to sign the key.
<stuff deleted>
Note: you can also specify a cipher (or several, as a list) with the additional parameter “-cipher”, for example -cipher RC4-MD5.
<stuff deleted>
Certificate chain
0 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
-----BEGIN CERTIFICATE-----
MIICMzCCAd0CAQEwDQYJKoZIhvcNAQEEBQAwgasxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwp1cy1lbmdsaXNoMRUwEwYDVQQKEwxU
ZXN0IENvbXBhbnkxGTAXBgNVBAsUEHNlcnZlcl9yb290IFVuaXQxFDASBgNVBAMU
C3NlcnZlcl9yb290MSowKAYJKoZIhvcNAQkBFhtzZXJ2ZXJfcm9vdEB0ZXN0Y29t
cGFueS5jb20wHhcNMDMwNDI0MjE0NDIxWhcNMTMwNDIxMjE0NDIxWjCBnDELMAkG
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCnVzLWVuZ2xp
c2gxFTATBgNVBAoTDFRlc3QgQ29tcGFueTEUMBIGA1UECxMLc2VydmVyIFVuaXQx
DzANBgNVBAMTBnNlcnZlcjElMCMGCSqGSIb3DQEJARYWc2VydmVyQHRlc3Rjb21w
YW55LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDMnvRz/qoLh/fA1FPZzlXJ
56tx2SKBy6Qkwv8NMOqnKR0Iws8WItzv/NCyD5rn66QiiSCIUIGwOWFL/tkpsMu/
AgMBAAEwDQYJKoZIhvcNAQEEBQADQQBEGSfKhbQ2o7bDrZjx5x5UVTd0GfWFVP2z
73UiCFyaPQElhm9pVFIFXGAALDJg20X7K2Vh1LvB/2rgzHsONCp8
-----END CERTIFICATE-----
When we modify the EMS server to expose its CA, we get the following:
Certificate chain
0 s:/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit/CN=server/emailAddress=server@testcompany.com
i:/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit/CN=server_root/emailAddress=server_root@testcompany.com
-----BEGIN CERTIFICATE-----
MIICMzCCAd0CAQEwDQYJKoZIhvcNAQEEBQAwgasxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwp1cy1lbmdsaXNoMRUwEwYDVQQKEwxU
ZXN0IENvbXBhbnkxGTAXBgNVBAsUEHNlcnZlcl9yb290IFVuaXQxFDASBgNVBAMU
C3NlcnZlcl9yb290MSowKAYJKoZIhvcNAQkBFhtzZXJ2ZXJfcm9vdEB0ZXN0Y29t
cGFueS5jb20wHhcNMDMwNDI0MjE0NDIxWhcNMTMwNDIxMjE0NDIxWjCBnDELMAkG
A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCnVzLWVuZ2xp
c2gxFTATBgNVBAoTDFRlc3QgQ29tcGFueTEUMBIGA1UECxMLc2VydmVyIFVuaXQx
DzANBgNVBAMTBnNlcnZlcjElMCMGCSqGSIb3DQEJARYWc2VydmVyQHRlc3Rjb21w
YW55LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDMnvRz/qoLh/fA1FPZzlXJ
56tx2SKBy6Qkwv8NMOqnKR0Iws8WItzv/NCyD5rn66QiiSCIUIGwOWFL/tkpsMu/
AgMBAAEwDQYJKoZIhvcNAQEEBQADQQBEGSfKhbQ2o7bDrZjx5x5UVTd0GfWFVP2z
73UiCFyaPQElhm9pVFIFXGAALDJg20X7K2Vh1LvB/2rgzHsONCp8
-----END CERTIFICATE-----
This is the server’s certificate, certificate 0 of the chain. Subject (s): OU=server. Issuer (i): OU=server_root.
Note the bolded entries: s = subject, which is equivalent to the Common Name (CN). The entry in italics and the bold “s” above it indicate that this is the CA, with its CN=server_root.
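An added example, not part of the original document: a Python parser for a `Certificate chain` block in the format `openssl s_client -showcerts` prints, reporting which issuers the server did not send, as in the two outputs compared above. Entry 1 of the second sample is constructed (the page does not show it), and the function and field names are hypothetical.

```python
import re

LEAF = ("/C=US/ST=California/L=us-english/O=Test Company/OU=server Unit"
        "/CN=server/emailAddress=server@testcompany.com")
ROOT = ("/C=US/ST=California/L=us-english/O=Test Company/OU=server_root Unit"
        "/CN=server_root/emailAddress=server_root@testcompany.com")

# Chain block as printed on this page: only certificate 0 is sent.
LEAF_ONLY = f"Certificate chain\n 0 s:{LEAF}\n   i:{ROOT}\n"
# Constructed: entry 1 is not shown on the page; it models the self-signed
# CA (CN=server_root) the text describes once the server exposes its CA.
WITH_CA = LEAF_ONLY + f" 1 s:{ROOT}\n   i:{ROOT}\n"


def parse_chain(output):
    """Collect (depth, subject, issuer) from a `Certificate chain` block."""
    chain = []
    for line in output.splitlines():
        subj = re.match(r"\s*(\d+) s:(.+)", line)
        issuer = re.match(r"\s*i:(.+)", line)
        if subj:
            chain.append([int(subj.group(1)), subj.group(2).strip(), None])
        elif issuer and chain and chain[-1][2] is None:
            chain[-1][2] = issuer.group(1).strip()
    return [tuple(entry) for entry in chain]


def review_chain(chain):
    """Name-level checks only; signatures are not verified here."""
    subjects = {subject for _, subject, _ in chain}
    return {
        # Each certificate should be issued by the next one in the list.
        "ordered": all(cert[2] == parent[1]
                       for cert, parent in zip(chain, chain[1:])),
        # Issuers the server did not send: the client must already trust them.
        "unsent_issuers": [i for _, _, i in chain if i not in subjects],
        # Subject equals issuer: a root (or other self-issued) certificate.
        "self_signed": [s for _, s, i in chain if s == i],
    }


if __name__ == "__main__":
    for label, text in (("leaf only", LEAF_ONLY), ("with CA", WITH_CA)):
        print(label, review_chain(parse_chain(text)))
```

A non-empty `unsent_issuers` list is the first case on this page: the client can only validate the server if that issuer is already in its own trust file.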
Seeing the SSL State
CLIENT Directionality SERVER
1. Client Hello
2. Server hello
3. Certificate
4. Certificate Request
5. Server Key Exchange
6. Server hello done
7. Certificate
8. Client Key Exchange
9. Certificate Verify
10. Change cipher spec
11. Finished
12. Change cipher spec
13. Finished
14. Encrypted Data 14. Encrypted Data