e42.uk Circle Device

 

Handling Certificates and Keys

Set up a directory for the root certificate authority:

mkdir rootca
cd rootca
mkdir certs crl newcerts private conf
chmod 700 private
touch index.txt
echo 1000 > serial
cd ../

To create a certificate with OpenSSL, first create a keypair. This will list the available curves and then make an EC keypair:

openssl ecparam -list_curves
openssl ecparam -out rootca/private/ca.key -name sect571r1 -genkey

Or for RSA:

openssl genrsa -passout pass:hello -aes256 \
-out rootca/private/ca_enc.key 4096
openssl rsa -passin pass:hello -in rootca/private/ca_enc.key \
-outform PEM -out rootca/private/ca.key

The password is not necessary; for a plain PEM file:

openssl genrsa -out rootca/private/ca.key 4096

To make a CA, an openssl.conf or openssl.cnf file is required. These are a little confusing, but there is lots of information about them. For the purposes of this tutorial I will supply two such files:

Create a root certificate with the above keypair:

openssl req -config conf/openssl_rootca.conf -key rootca/private/ca.key \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-subj '/C=UK/ST=Lancashire/L=Lancaster/O=Example/CN=Example Root CA' \
-out rootca/ca.cert

Create a certificate signing request (to make a key pair use the earlier commands):

openssl req -config conf/openssl_rootca.conf -new -sha256 \
-subj '/C=UK/ST=Lancashire/L=Lancaster/O=Example/CN=Example Cert' \
-key example.key -out example.csr

Now use the root CA key to sign the certificate:

openssl ca -batch -config conf/openssl_rootca.conf \
-extensions usr_cert -days 3650 -notext -md sha256 \
-in example.csr -out rootca/certs/example.cert

The policy in conf/openssl_rootca.conf is intended to sign only intermediate certificates; see the section [ policy_strict ] and the policy directive: policy = policy_strict. This can be changed to allow more relaxed signing of certificates. If you are not using an intermediate CA, policy = policy_loose is fine.

Extracting Keys

It can be useful to extract keys from certificate files, both private and public, for use in your own programmes.

Creating a pubkey.pem file

openssl x509 -pubkey -noout < cert.pem > pubkey.pem

Getting the modulus from an RSA public key

openssl rsa -pubin -inform PEM -text -noout < public.key

From a private key

openssl rsa -in privkey.pem -noout -modulus
