4 For all files the password is "secret".
8 cakey.pem Root CA private key
9 cacert.pem Root CA for cakey.pem
10 ca2key.pem RSA private key
11 ca2cert.pem Second-level RSA cert for ca2key.pem
12 dsakey.pem DSA private key
13 dsacert.pem Third level DSA cert for dsakey.pem
14 rsakey.pem RSA private key
15 rsacert.pem Third level RSA cert for rsakey.pem
16 hmackey.bin HMAC key ('secret')
17 expired.key key for expired cert
18 expired.crt expired certificate
19 rsa2key.pem RSA private key
20 rsa2cert.pem Self signed RSA certificate with negative serial number
22 2. How certificates were generated:
25 - Change DAYS and CADAYS in CA.pl to 3650 (10 years)
26 > export SSLEAY_CONFIG="-config ./openssl.cnf"
28 > cp ./demoCA/cacert.pem .
29 > cp ./demoCA/private/cakey.pem .
30 > openssl x509 -text -in cacert.pem
32 B. Generate RSA key and second level CA
33 > openssl genrsa -out ca2key.pem
34 > openssl req -config ./openssl.cnf -new -key ca2key.pem -out ca2req.pem
35 > openssl ca -config ./openssl.cnf -cert cacert.pem -keyfile cakey.pem \
36 -out ca2cert.pem -infiles ca2req.pem
37 > openssl verify -CAfile cacert.pem ca2cert.pem
39 C. Generate and sign DSA key with second level CA
40 > openssl dsaparam -out dsakey.pem -genkey 512
41 > openssl req -config ./openssl.cnf -new -key dsakey.pem -out dsareq.pem
42 > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
43 -out dsacert.pem -infiles dsareq.pem
44 > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem dsacert.pem
46 D. Generate and sign RSA key with second level CA
47 > openssl genrsa -out rsakey.pem
48 > openssl req -config ./openssl.cnf -new -key rsakey.pem -out rsareq.pem
49 > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
50 -out rsacert.pem -infiles rsareq.pem
51 > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem rsacert.pem
53 E. Generate and sign large RSA key with second level CA
54 > openssl genrsa -out largersakey.pem 4096
55 > openssl req -config ./openssl.cnf -new -key largersakey.pem -out largersareq.pem
56 > openssl ca -config ./openssl.cnf -cert ca2cert.pem -keyfile ca2key.pem \
57 -out largersacert.pem -infiles largersareq.pem
58 > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem largersacert.pem
60 F. Generate and sign short-lived RSA cert for "expired cert" test
61 > openssl genrsa -out expiredkey.pem
62 > openssl req -config ./openssl.cnf -new -days 1 -key expiredkey.pem \
64 > openssl ca -config ./openssl.cnf -days 1 -cert ca2cert.pem \
65 -keyfile ca2key.pem -out expiredcert.pem -infiles expiredreq.pem
66 > openssl verify -CAfile cacert.pem -untrusted ca2cert.pem expiredcert.pem
68 3. Converting key and certs between PEM and DER formats
70 - Convert PEM private key file to DER file
72 > openssl rsa -inform PEM -outform DER -in rsakey.pem -out rsakey.der
73 > openssl rsa -inform PEM -outform DER -in largersakey.pem -out largersakey.der
74 > openssl rsa -inform PEM -outform DER -in expiredkey.pem -out expiredkey.der
76 > openssl dsa -inform PEM -outform DER -in dsakey.pem -out dsakey.der
78 - Convert PEM cert file to DER file
79 > openssl x509 -outform DER -in cacert.pem -out cacert.der
80 > openssl x509 -outform DER -in ca2cert.pem -out ca2cert.der
81 > openssl x509 -outform DER -in dsacert.pem -out dsacert.der
82 > openssl x509 -outform DER -in rsacert.pem -out rsacert.der
83 > openssl x509 -outform DER -in largersacert.pem -out largersacert.der
84 > openssl x509 -outform DER -in expiredcert.pem -out expiredcert.der
86 - (optional) Convert PEM public key file to DER file
88 > openssl rsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
90 > openssl dsa -inform PEM -outform DER -pubin -pubout -in lugh.key -out lugh.der
92 If you aren't sure whether the public key is RSA or DSA, just run one of
93 the above commands; the error message will make it clear :)
95 - (optional) Convert DER cert file to PEM file
96 > openssl x509 -inform DER -outform PEM -in ca2cert.der -out ca2cert.pem
98 4. Converting an unencrypted PEM or DER file containing a private key
99 to an encrypted PEM or DER file containing the same private key but
101 > openssl pkcs8 -in dsakey.pem -inform pem -out dsakey.p8-pem -outform pem -topk8
102 > openssl pkcs8 -in dsakey.der -inform der -out dsakey.p8-der -outform der -topk8
103 > openssl pkcs8 -in rsakey.pem -inform pem -out rsakey.p8-pem -outform pem -topk8
104 > openssl pkcs8 -in rsakey.der -inform der -out rsakey.p8-der -outform der -topk8
105 > openssl pkcs8 -in largersakey.pem -inform pem -out largersakey.p8-pem \
107 > openssl pkcs8 -in largersakey.der -inform der -out largersakey.p8-der \
110 5. NSS is unfriendly towards standalone private keys.
111 This procedure helps convert raw private keys into PKCS12 form that is
112 suitable not only for NSS but for all crypto engines.
114 > cat dsakey.pem dsacert.pem ca2cert.pem cacert.pem > alldsa.pem
115 > openssl pkcs12 -export -in alldsa.pem -name TestDsaKey -out dsakey.p12
117 > cat rsakey.pem rsacert.pem ca2cert.pem cacert.pem > allrsa.pem
118 > openssl pkcs12 -export -in allrsa.pem -name TestRsaKey -out rsakey.p12
120 > cat largersakey.pem largersacert.pem ca2cert.pem cacert.pem > alllargersa.pem
121 > openssl pkcs12 -export -in alllargersa.pem -name TestLargeRsaKey -out largersakey.p12
123 > cat expiredkey.pem expiredcert.pem ca2cert.pem cacert.pem > allexpired.pem
124 > openssl pkcs12 -export -in allexpired.pem -name TestExpiredRsaKey \
129 Input: DSA/RSA private key in PEM or DER format
130 Output: A PKCS12 file containing the private key, and a self-signed
131 certificate with the corresponding public key
133 # first convert key file to PEM format, if not already in that format
134 > openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
136 # answer questions at the prompt
137 # Note: use a unique subject (=issuer) for each self-signed cert you
138 # create (since there is no way to specify serial # using the command
# Note: -sha1 is kept here only because these are test fixtures; for any
# certificate used outside the test suite, drop -sha1 and let openssl use
# its default digest (sha256), since SHA-1 signatures are no longer accepted
# by most verifiers.
140 > openssl req -new -keyform <der|pem> -key key.<der|pem> -x509 -sha1 -days 999999 -outform pem -out cert.pem
142 # now using the cert and key in PEM format, convert them to a PKCS12 file
143 # enter some password on prompt
144 > openssl pkcs12 -export -in cert.pem -inkey key.pem -name <nickname> -out keycert.p12
146 # This pkcs12 file can be used directly on the xmlsec command line, or
147 # can be pre-loaded into the crypto engine database (if any).
149 # In the case of NSS, you can pre-load the key using pk12util.
150 # The key and cert will have the nickname "nickname" (used in the step above)
151 > pk12util -d <nss_config_dir> -i keycert.p12
154 Input: DSA/RSA private key in PEM or DER format
155 KeyCert containing corresponding public key
156 Other certs in the chain leading from KeyCert to the root
157 Output: A PKCS12 file containing the private key, the KeyCert and the
160 # first convert key file to PEM format, if not already in that format
161 > openssl <dsa|rsa> -inform der -outform pem -in key.der -out key.pem
163 # convert all cert files to PEM format, if not already in that format
164 > openssl x509 -inform der -outform pem -in cert.der -out cert.pem
166 # concatenate all cert.pem files created above to 1 file - allcerts.pem
167 > cat keycert.pem cert1.pem cert2.pem .... > allcerts.pem
169 # now using the certs and key in PEM format, convert them to a PKCS12 file
170 # enter some password on prompt
171 > openssl pkcs12 -export -in allcerts.pem -inkey key.pem \
172 -name <nickname of key & keycert>
173 [-caname <nickname of cert1> -caname <nickname of cert2>.... ]
176 # This pkcs12 file can be used directly on the xmlsec command line, or
177 # can be pre-loaded into the crypto engine database (if any).
179 # In the case of NSS, you can pre-load the key using pk12util.
180 # The key and certs will have the nickname "nickname"
181 # (used in the step above)
182 > pk12util -d <nss_config_dir> -i keycert.p12