OpenSSL is a general purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Required Software
Screenshot:
Step 7: Import a root or intermediate CA certificate to an existing (JKS).
Command:
keytool -import -trustcacerts -alias root_inter -file MB_com.ca-bundle -keystore MB.jks
Where,
-trustcacerts : ca-bundle or intermediate file location.
-alias : name for certificate.
Screenshot:
Where,
-nocerts : means only private key will be exported from file.
-nokeys: : means only certificates will be exported from file.
Screenshot:
Step 10: Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
Reference link:-
https://www.sslshopper.com/article-most-common-openssl-commands.html
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
Thanks :-)
Required Software
- · Openssl rpm/software (Unix/Windows)
- · Keytool rpm/software (Unix/Windows)
Step 1: Create a configuration
file (san.cnf) , consists certificates details.
#########################################################
[ req ]
default_bits =
4096
prompt = no
encrypt_key = no
default_md =
sha256
distinguished_name
= dn
req_extensions =
req_ext
[ dn ]
CN = *.MB.com
O = Advanced Travel Partners
OU = I.T.
L = Lowestoft
ST = Suffolk
C = GB
[ req_ext ]
subjectAltName =
DNS: *.MB.com, DNS: MBox.com
#########################################################
where,
default_bits
: means private key size.
prompt
: means i will not ask for any input from user.
encrypt_key :
means private key will be unencrypted format.
default_md :
means signature Algorithm (sha256RSA).
subjectAltName : means SAN dns.
Screenshot:
Step 2: Generate a CSR & Private key
using above configuration (san.cnf) file.
Command:
openssl req -new -config san.cnf -nodes -keyout MB.key -out MB.csr
Where,
-config : created (san.cnf) configuration file location.
-nodes : for no password prompt
-keyout : output file name.
Screenshot:
Step 3: Now these CSR is to be share for CA
certs.
You will receive
thesecertificates:
- . Server certificate.
- . Intermediate certificate.
- . Root Certificate.
**I have received ca-bundle
& server certificate.
Where,
ca-bundle : Contains
(Root + Intermediate).
Server certificate: Is also called as main certificate or personal certificate.
**If you were using on Apache server:
Location:
$APACHE_HOME\conf\extra
File Name: httpd-ssl.conf
Below Changes done :
SSLCertificateFile "C:\Apache2.4.33_Final\conf\ MB_com.crt
"
SSLCertificateKeyFile "C:\Apache2.4.33_Final\conf\ MB.key "
SSLCertificateChainFile "C:\Apache2.4.33_Final\conf\MB_com.ca-bundle "
Step 4: Import or export All the certificates in .p12 format.
Command:
NOTE: Please provide
new PASSWORD for a p12 file for future uses.
openssl pkcs12 -export
-chain -CAfile MB_com.ca-bundle -inkey MB.key
-in MB_com.crt -out MB.p12 -name Cert_MB.com
where,
-chain & -CA file :
Ca- bundle certificate location.
-inkey : key file location
-in : server certificate location.
-out : output file
name.
-name : alias for server certificates.
Screenshot:
Step 5: Convert .p12 to
JKS (keystore) format.
Command:
NOTE: Only, Add the server certificate and private key from the .p12 file to JKS keystore.
Use same password used for p12 file.
Use same password used for p12 file.
keytool
-importkeystore -srckeystore MB.p12 -srcstoretype
pkcs12 -destkeystore MB.jks -deststoretype jks
Where,
Keytool : java utility.
-importkeystore : import key store file.
-Srckeystore :
source key store file.
-Srcstoretype :
source file type .
-destkeystore : output file name.
-deststoretype : output file type.
Screenshot:
Step 6: Convert JKS to .p12 (keystore) format.
Command:
NOTE: Only, Add the server certificate and private key from the .p12 file to JKS keystore.
Use same password used for p12 file.
Use same password used for p12 file.
keytool -importkeystore -srckeystore MB.jks -destkeystore MB.p12 -deststoretype pkcs12
Where,
Keytool : java utility.
-importkeystore : import key store file.
-Srckeystore : source key store file.
-Srcstoretype : source file type .
-destkeystore : output file name.
-deststoretype : output file type.
Step 7: Import a root or intermediate CA certificate to an existing (JKS).
Command:
keytool -import -trustcacerts -alias root_inter -file MB_com.ca-bundle -keystore MB.jks
Where,
-trustcacerts : ca-bundle or intermediate file location.
-alias : name for certificate.
Screenshot:
Step 8: Export Private key (.pem) format from .p12 format file.
Command:
openssl pkcs12 -nocerts -nodes -in MB.p12 -out MB.key
Command:
openssl pkcs12 -nocerts -nodes -in MB.p12 -out MB.key
Where,
-nocerts : means only private key will be exported from file.
Screenshot:
Step 9: Export Certificates (.pem) format from .p12 format file.
Command:
openssl pkcs12 -nokeys -nodes -in MB.p12 -out MB.pem
Step 9: Export Certificates (.pem) format from .p12 format file.
Command:
openssl pkcs12 -nokeys -nodes -in MB.p12 -out MB.pem
-nokeys: : means only certificates will be exported from file.
Step 10: Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key
Commands:
- openssl req -noout -modulus -in MB.csr | openssl md5
- openssl rsa -noout -modulus -in MB.key | openssl md5
- openssl x509 -noout -modulus -in MB_com.crt | openssl md5
Screenshot:
No comments:
Post a Comment