Quick Reference

Home
Alpine Linux Boot Process
libinput on Alpine Linux
who on Alpine
ALSA Config
Android Hacking
Android Load apkx File
Audio Stream Fu
Audio Recording (simple)
AWK
BASH quick ref
Benchmark with fio
BlackBerry as a Modem
BlackBerry Video Encoding
Building libcurl on Windows with VS
Building QEMU Images for Alpine Linux
for use with libvirt and terraform
Building TI MSP430 GCC
Certificate and Key Handling
Chart Drawing
Currency Converter
Custom Bootable Alpine Linux
Custom Alpine Kernel
Colourspace Conversion
Compile FMS from Source
Courier IMAP Server
Datasheets and Manuals
Deduplication of Files
Deleting Old Devices
Delphi 7 Dynamic Linking
Delphi Compiler Warnings
Desktop Capture with FFMPEG
X11
Desktop Capture in Sway
Dovecot IMAP
Dovecot Replication
Docker HowTo (Simple Setup)
Remove Untagged Docker Images
Docker Xvfb Alpine Howto
Docker Storage
DomainKey Identified Mail with Exim
DRBD Over OpenVPN
Eclipse and Jetty
Eclipse Themes
Edge Detection
Electronics
Emailing
ESP8266 Get Started
ESP8266 OpenSDK
Exchange 2010 and Lighttpd
Exim Process and Forward Incoming Mail
Exim with Dovecot
FFmpeg Webcam and v4l2 stuff
flickr image from file name
Force Video Output
KMS/FB and Weston
Fonts
Freenet Routing Fu
Flushing Filesystem Buffers
GDB in Windows
Gentoo eudev and udev
Gentoo omxplayer
Gentoo on Raspberry Pi
Gentoo initramfs
Gentoo Java Problems
Gentoo Stage4
Gentoo Update (portage)
Gentoo VirtualBox Install
git Quick Reference
git Workflow
GNUplot Curve Fitting
GNUplot Heart
GNUplotting
Quick Reference
GnuPG Simple
Hen*Plus
ImageMagick
Quick Reference
InspIRCd on Gentoo
Install Gentoo with Hyper-V
iproute2
iptables
iptables bwmon
IPv6 in IPv6 Tunnels STUB
IPv6 Setups STUB
ircclient
irssi
Java Anti-aliasing
Jetty JSP 9.2/9.3 Error
Jetty JSP 9.4 Error
LDAP Searching
and binding on Linux
Logging in Java
LVM Mount on Gentoo
LVM Howto Rev 2
Video File Montage Creation
MPlayer play section of file
Install macOS X on Mac Pro
Maven for Java Development
MPlayer v4l Snapshots
mpv Quick Reference
MSP430 I2C
msys2 Home Modification
mtu Sizes
Multi Homed Hosts and ARP
Multiple RDP Sessions
nginx and cgit
Oneliners
Oukitel C8 Hacking
GNU Parted Simple tutorial
PinePhone Modem
PinePhone Sleeping
Piping for msmtp

PixivUtil2 Install
powersave.sh
qemu PCI Passthrough
qemu USB Passthrough
Quick VMs with QEMU
Reset Password in Windows
Routing Traffic in Windows
rpcontinued.xpi for Pale Moon
Screen Sharing with Sway
sed and grep
sfdisk howto
Shell and File Descriptors
Spring Security Upgrade from 3 to 4
Strong Host Model for Linux
SQLite3 Compile DLL with VS2010
SSL and Lighttpd
std::string to std::wstring and back
Sway IPC with swaymsg
Terminal Codes and socat
Traffic Control (tc)
In-depth with background and quirky routing and networking configuration
Traffic Control Again
Simpler method using ifb
UEFI Booting from Shell
Update Own Number with AT Commands
Videos, Interesting
VirtualBox to QEMU
Quick start guide
Visual Studio Reminders
whatsmeow on Alpine in Docker
Word and VBA Header Protection
wpa_cli
X11 TrackMan Marble
X11 Programming

Handling Certificates

Handling Certificates and Keys

Setup a directory for the root certificate authority:

mkdir rootca
cd rootca
mkdir certs crl newcerts private conf
chmod 700 private
touch index.txt
echo 1000 > serial
cd ../

Create a certificate with OpenSSL, first create a keypair. This will make an EC keypair:

openssl ecparam -list_curves
openssl ecparam -out rootca/private/ca.key -name sect571r1 -genkey

Or for RSA:

openssl genrsa -passout pass:hello -aes256 \
-out rootca/private/ca_enc.key 4096
openssl rsa -passin pass:hello -in rootca/private/ca_enc.key \
-outform PEM -out rootca/ca.key

The password is not necessary, for a plain pem file:

openssl genrsa -out rootca/private/ca.key 4096

To make a ca the openssl.conf file or openssl.cnf is required. These are a little confusing but there is lots of information about them. For the purposes of this tutorial I will supply two such files:

Create a root certificate with the above keypair:

openssl req -config conf/openssl_rootca.conf -key rootca/private/ca.key \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-subj '/C=UK/ST=Lancashire/L=Lancaster/O=Example/CN=Example Root CA' \
-out rootca/ca.cert

Create a certificate signing request (to make a key pair use the earlier commands):

openssl req -config conf/openssl_rootca.conf -new -sha256 \
-subj '/C=UK/ST=Lancashire/L=Lancaster/O=Example/CN=Example Cert' \
-key example.key -out example.csr

Now use the rootca key to sign the certificate:

openssl ca -batch -config conf/openssl_rootca.conf \
-extensions usr_cert -days 3650 -notext -md sha256 \
-in example.csr -out rootca/certs/example.cert

The policy in the conf/openssl_rootca.conf is intended to sign only intermediate certificates, please see the section [ policy_strict ] and the policy indication directive: policy = policy_strict. This can be changed to allow a more relaxed signing of certificates, if not using an intermediate CA policy = polcy_loose is fine.

Extracting Keys

It can be useful to extract keys from certificate files, both private and public, for use in your own programmes.

Creating a `pubkey.pem` file

openssl x509 -pubkey -noout < cert.pem > pubkey.pem

Getting the modulus from an RSA public key

openssl rsa -pubin -inform PEM -text -noout < public.key

From a private key

openssl rsa -in privkey.pem -noout -modulus

References

Quick Links: Techie Stuff | General | Personal | Quick Reference