[OpenSSL] An Intro to OpenSSL

I first came across OpenSSL when I first started work at Motorola in Perth, Western Australia. In their own words, the OpenSSL project:

Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Once installed, we can use OpenSSL to generate a chain of X.509 certificates. To this, a self-signed certificate must first be generated. This will become the root certificate.

  1. First, create a private key.
    openssl genrsa > [root key file]
  2. Generate the self signed certificate.
    openssl req -x509 -key [key file] -new -out [cert file]

Now that we have the first certificate in the chain, we can generate the other certificates in the chain.

  1. Create a key for the certificate.
    openssl genrsa > [root key file]
  2. Generate a certificate signing request (CSR) for the certificate.
    openssl req -new -key [key file] -out [request file]
  3. Sign the CSR with the root certificate.
    openssl x509 -CAkey [root key file] \
    -CA [root certificate file] \ 
    -CAcreateserial -req \ 
    -in [certificate signing request] \ 
    -out [output certificate]

Following the these steps will give you a chain of two certificates. You generate a longer chain by generating keys and certificate signing requests for each of the certificates and then signing them, as just above. The only difference is that, in the final step, you have to substitute the root key file and root certificate file with the certificate’s issuer key and certificate file.

Once the certificates are generated, you can have a look back at the contents of the certificates, by using the following commands:
openssl x509 -text -noout -in [certificate file]

There is a whole bunch of other things that we can do with OpenSSL, but I’ll leave that for another time!

Advertisements

2 Responses to [OpenSSL] An Intro to OpenSSL

  1. Shanmei says:

    Hi Kah,

    think it’s great what you have here. 🙂 I remember working with you on the validating X509 certificate script. Couldn’t have done it without your expertise. 🙂

    thanks for blogging about OpenSSL. I look forward to reading more about it.

  2. kahgoh says:

    Its great to hear from you again Shanmei!!! Admittedly, I partly started this blog to help me keep that OpenSSL knowledge, so I certainly will be writing some more about it in the future. I’ve just finished testing some code, so the next entry should be up within the next couple of days!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: