
The following openssl commands may be used to generate keys and certificates. Such keys may be used as the TLS server key for SecPKI or as TLS client keys for SecPKIApi.

openssl configuration

The installation directory's subdirectory bin contains the configuration file openssl.cfg. The following options have to be adjusted in this file:

  • in section [ CA_default ]

policy = policy_anything

Certificates may be issued for arbitrary names.

  • in section [ usr_cert ]

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Do not uncomment this line, since this KeyUsage should be used.

  • in section [ v3_ca ]

keyUsage = cRLSign, keyCertSign

Do not uncomment this line, since this KeyUsage should be used.

Create CA

First, a new CA must be created. Subsequently, this CA will issue TLS certificates.

All file names are merely examples.

openssl req -new -x509 -sha256 -keyout secpkiCA2009PrivKey.pem -out secpkiCA2009Cert.pem -days 3000 -newkey rsa:2048

An error message may be caused by a missing (or empty) file index.txt in your CA directory, or by a missing file serial. The serial file needs to contain a single line representing a number. The CA directory path can be found in openssl.cnf, or in the error message.

openssl creates PEM-encoded certificates, while SecPKI expects DER encoding. Conversion:

openssl x509 -inform PEM -in secpkiCA2009Cert.pem -outform DER -out secpkiCA2009Cert.der

Create TLS certificates

Generate request and keys:

openssl req -new -sha256 -keyout secpki2009PrivKey.pem -out secpki2009Req.pem -days 1500 -newkey rsa:2048

The CA issues a certificate:

openssl ca -verbose -days 1500 -out secpki2009Cert.pem -outdir . -keyfile secpkiCA2009PrivKey.pem -cert secpkiCA2009Cert.pem -infiles secpki2009Req.pem

Convert key into PKCS#8:

openssl pkcs8 -in secpki2009PrivKey.pem -inform PEM -topk8 -out secpki2009PrivKey.pkcs8 -outform DER

Convert the certificate from PEM to DER encoding:

openssl x509 -inform PEM -in secpki2009Cert.pem -outform DER -out secpki2009Cert.der

Optional: Pack key and certificate into PKCS#12 file

openssl pkcs12 -inkey secpki2009PrivKey.pem -in secpki2009Cert.pem -export -out secpkiClient.p12 -name "TLS  Client Cert Test for SecPKI"

Create certificate revocation list

A certificate revocation list (CRL) may be created based on index.txt in your CA directory:

openssl ca -gencrl -out SecPKICA_PEM.crl -keyfile secPKICrlSign2009PrivKey.pem -cert secPKICrlSign2009Cert.pem -crldays 300

Convert the CRL from PEM to DER encoding:

openssl crl -inform PEM -in SecPKICA_PEM.crl -outform DER -out SecPKICA.crl

The certificate revocation list may now be published on a web server and its URL added to openssl.cnf. Subsequently, openssl includes the URL in newly generated TLS certificates.
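The following script is an added example and not part of the SecPKI documentation. It runs the page's procedure end to end, covering both the "Create TLS certificates" and the "Create certificate revocation list" sections: it creates the CA directory with the index.txt and serial files whose absence causes the error mentioned above, creates the CA, issues two TLS certificates with openssl ca, converts them to DER and PKCS#8, generates a CRL, revokes one certificate, and then runs the checks a practitioner wants before handing keys to SecPKI: does the certificate chain to the CA, does the PKCS#8 key match the DER certificate, does the certificate carry the intended KeyUsage, and does a CRL check reject the revoked certificate. Assumptions: it writes its own minimal openssl.cnf into a temporary directory (not the installation's bin configuration, and with a policy reduced to commonName only), uses unencrypted keys (-nodes, -nocrypt) and -batch/-subj so that nothing prompts, and all subject names and file names are made up.

```shell
#!/bin/sh
# Added example (not from the SecPKI documentation): run the page's
# "openssl ca" workflow in a throwaway directory, then check the results.
# Assumptions: minimal openssl.cnf written below (not the installation's
# own file), unencrypted keys so nothing prompts, made-up names.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"
CFG="$CADIR/openssl.cnf"

# index.txt (empty) and serial (one number) are the files whose absence
# causes the "openssl ca" error the page mentions.
setup_ca_dir() {
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"
  cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
policy          = policy_cn_only
x509_extensions = usr_cert
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
EOF
}
make_ca() {
  openssl req -new -x509 -sha256 -days 3000 -newkey rsa:2048 -nodes \
    -config "$CFG" -subj "/CN=Example Test CA" \
    -keyout "$CADIR/ca_cert.key" -out "$CADIR/ca_cert.pem" 2>/dev/null
  openssl x509 -in "$CADIR/ca_cert.pem" -outform DER -out "$CADIR/ca_cert.der"
}
issue_cert() {  # $1: name used for the CN and file names; request, CA issuance,
  openssl req -new -sha256 -newkey rsa:2048 -nodes -config "$CFG" \
    -subj "/CN=$1" -keyout "$CADIR/$1.key" -out "$CADIR/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CFG" -days 1500 \
    -keyfile "$CADIR/ca_cert.key" -cert "$CADIR/ca_cert.pem" \
    -in "$CADIR/$1.csr" -out "$CADIR/$1.pem"
  openssl x509 -in "$CADIR/$1.pem" -outform DER -out "$CADIR/$1.der"
  openssl pkcs8 -topk8 -nocrypt -in "$CADIR/$1.key" -outform DER -out "$CADIR/$1.pkcs8"
}
gen_crl() {     # CRL from index.txt, then PEM->DER as on the page
  openssl ca -config "$CFG" -gencrl -crldays 300 \
    -keyfile "$CADIR/ca_cert.key" -cert "$CADIR/ca_cert.pem" -out "$CADIR/ca.crl"
  openssl crl -in "$CADIR/ca.crl" -outform DER -out "$CADIR/ca_der.crl"
}
revoke_cert() {
  openssl ca -batch -config "$CFG" -keyfile "$CADIR/ca_cert.key" \
    -cert "$CADIR/ca_cert.pem" -revoke "$CADIR/$1.pem"
  gen_crl   # revocation only takes effect once the CRL is regenerated
}
# Checks; each returns 0 on success so callers can test the status.
chain_ok() {        # certificate chains to the CA
  openssl verify -CAfile "$CADIR/ca_cert.pem" "$CADIR/$1.pem" >/dev/null 2>&1
}
crl_ok() {          # chains AND is absent from the current CRL
  openssl verify -crl_check -CAfile "$CADIR/ca_cert.pem" \
    -CRLfile "$CADIR/ca.crl" "$CADIR/$1.pem" >/dev/null 2>&1
}
key_matches_cert() {   # PKCS#8 DER key and DER cert share one public key
  k=$(openssl pkey -inform DER -in "$CADIR/$1.pkcs8" -pubout 2>/dev/null)
  c=$(openssl x509 -inform DER -in "$CADIR/$1.der" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
has_key_usage() {   # $2: usage text as printed by "openssl x509 -text"
  openssl x509 -in "$CADIR/$1.pem" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Key Usage' | grep -q "$2"
}
run_demo() {
  setup_ca_dir; make_ca
  issue_cert good; issue_cert revoked
  gen_crl; revoke_cert revoked
  for n in good revoked; do
    if crl_ok "$n"; then echo "$n: trusted"; else echo "$n: rejected by CRL check"; fi
  done
}
if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl not found" >&2; fi
```

The demo prints "good: trusted" and "revoked: rejected by CRL check"; the generated files stay in the temporary directory so the DER certificate, PKCS#8 key and DER CRL can be inspected or handed to a SecPKI test installation.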

Start and test the TLS server

Independently of SecPKIServer, openssl may be used to start a simple web server. This web server can be used to test a newly created TLS server certificate:

openssl s_server -accept 4433 -cert secpkiCert.der -certform DER -key secpkiPrivKey.pem -pass pass:pkiTiG9+dSv