
Thursday 19 July 2018

OpenSSL Commands for Wildcard & SAN certificates.

OpenSSL is a general-purpose cryptography library and toolkit that provides an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols; the openssl command-line tool used throughout this post ships with it.

   Required Software
  •  OpenSSL rpm/software (Unix/Windows), for the key, CSR and PKCS#12 steps
  •  keytool, shipped with the Java JDK/JRE (Unix/Windows), for the JKS steps

Step 1: Create a configuration file (san.cnf) that holds the certificate details.

#########################################################

[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = *.MB.com
O = Advanced Travel Partners
OU = I.T.
L = Lowestoft
ST = Suffolk
C = GB

[ req_ext ]
subjectAltName = DNS: *.MB.com, DNS: MBox.com

#########################################################

where,
          default_bits         : size of the private key in bits (4096 here; 2048 is the usual minimum).
          prompt               : "no" means openssl takes every field from the [dn] section and asks for nothing interactively.
          encrypt_key          : "no" means the private key is written unencrypted (the same effect as -nodes in Step 2).
          default_md           : digest used for the CSR signature (sha256WithRSAEncryption, shown as sha256RSA on Windows).
          req_extensions       : the section holding the extensions the CSR asks the CA to include.
          subjectAltName       : the SAN DNS names. Modern browsers match the hostname against the SAN and ignore the CN, so every name the server will answer for must be listed here. A wildcard such as *.MB.com covers www.MB.com but not MB.com itself; add DNS:MB.com if the bare domain is used.


Step 2: Generate the private key and the CSR from the configuration file (san.cnf) created above.

Command:
openssl req -new -config san.cnf -nodes -keyout MB.key -out MB.csr


Where,
          -config : path to the san.cnf configuration file created in Step 1.
          -nodes  : "no DES": write the private key unencrypted, so there is no passphrase prompt (redundant with encrypt_key = no, but harmless).
          -keyout : file that receives the new private key. It is not encrypted, so make it readable only by the account that runs the server.
          -out    : file that receives the CSR; this is the only file that leaves the machine.
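The two steps above as a script, added here as an example and not part of the original post: it writes san.cnf, generates MB.key and MB.csr, and then does the two checks worth doing before a CSR is sent anywhere: that the CSR really requests the SAN names, and that it carries the public half of the key you kept. It assumes openssl 1.1.1 or 3.x on the PATH; the 2048-bit key size (for speed) and the extra DNS:MB.com entry are choices made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the key and CSR from the san.cnf
# above, then verify what the CSR actually asks for before it goes to the CA.
# Assumes openssl 1.1.1 or 3.x on PATH. File names follow the post; 2048-bit keys and
# the extra apex entry DNS:MB.com are choices made here (a wildcard does not cover the
# bare domain).
set -e

# Step 1: the request configuration, as in the post, written to the given path.
write_san_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = *.MB.com
O = Advanced Travel Partners
OU = I.T.
L = Lowestoft
ST = Suffolk
C = GB

[ req_ext ]
subjectAltName = DNS:*.MB.com, DNS:MB.com, DNS:MBox.com
EOF
}

# Step 2: unencrypted private key plus CSR in one call.
make_csr() {
    openssl req -new -config "$1" -nodes -keyout "$2" -out "$3" 2>/dev/null
    chmod 600 "$2"   # the key is not encrypted; do not leave it world-readable
}

# The SAN line the CSR requests. Check it before submitting: the CA may still issue
# something different, so the returned certificate must be checked the same way.
csr_sans() {
    openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

# SHA-256 over the DER-encoded public key; works for RSA and EC alike, unlike the
# RSA-modulus comparison in Step 10. $1 is "key" or "csr", $2 the file.
pubkey_fp() {
    if [ "$1" = key ]; then
        openssl pkey -in "$2" -pubout -outform DER
    else
        openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# True only if the CSR carries the public half of the given private key.
csr_matches_key() {
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp csr "$2")" ]
}

# Run Steps 1 and 2 in a scratch directory and print the requested SANs.
demo() {
    d=$(mktemp -d)
    write_san_cnf "$d/san.cnf"
    make_csr "$d/san.cnf" "$d/MB.key" "$d/MB.csr"
    csr_matches_key "$d/MB.key" "$d/MB.csr" || { echo "key/CSR mismatch" >&2; return 1; }
    csr_sans "$d/MB.csr"
    rm -rf "$d"
}
```

Source the file and call demo, or call the functions on your own san.cnf. The public-key fingerprint is used instead of the RSA modulus so the same check keeps working if the key type is later changed to EC.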


Step 3: Submit the CSR to the CA (or your internal PKI team) for signing. Send only MB.csr, never MB.key; the CSR contains just the public key and the requested names.

You will receive these certificates:
  •  Server certificate.
  •  Intermediate certificate.
  •  Root certificate.

**I received a ca-bundle and a server certificate.

Where,
ca-bundle           : the intermediate and root certificates concatenated into one file (intermediate first).
Server certificate  : the certificate issued for your names, also called the leaf, main or personal certificate.

Before installing anything, confirm that the server certificate carries the SAN names you asked for and that it matches your private key (Step 10). The CA issues what its validation allowed, which is not necessarily what the CSR requested.


**If you are using the Apache HTTP Server:
Location:  $APACHE_HOME\conf\extra
File Name: httpd-ssl.conf

Changes made:
SSLCertificateFile      "C:\Apache2.4.33_Final\conf\MB_com.crt"
SSLCertificateKeyFile   "C:\Apache2.4.33_Final\conf\MB.key"
SSLCertificateChainFile "C:\Apache2.4.33_Final\conf\MB_com.ca-bundle"

Note: SSLCertificateChainFile is deprecated since Apache 2.4.8. On current versions append the ca-bundle to the file named in SSLCertificateFile (server certificate first, then the intermediates) and drop the third directive. After a restart, check with openssl s_client -showcerts that the server actually sends the intermediate; a missing intermediate is the most common cause of "unknown issuer" errors in clients.


  

Step 4: Pack the private key, server certificate and CA chain into one PKCS#12 (.p12) file.

Command:
NOTE: openssl prompts for an export password for the .p12. Choose a new, strong one and record it; every later step that opens the file (the keytool import in Step 5, Steps 8 and 9) needs it.

openssl pkcs12 -export -chain -CAfile MB_com.ca-bundle -inkey MB.key -in MB_com.crt -out MB.p12 -name Cert_MB.com

where,
         -chain   : include the complete certificate chain of the server certificate in the .p12.
         -CAfile  : where to find the intermediate and root used to build that chain (the ca-bundle). If the bundle does not reach a root, the export fails with a chain error; add the root or drop -chain and pass the extra certificates with -certfile instead.
         -inkey   : private key file.
         -in      : server certificate file.
         -out     : output .p12 file name.
         -name    : friendly name of the entry; keytool shows it as the alias after import.


Step 5: Convert .p12 to JKS (keystore) format.

Command:
NOTE: The .p12 from Step 4 holds one key entry (private key plus its certificate chain) under the alias given by -name; importkeystore copies that entry into the JKS. keytool prompts first for a password for the new JKS and then for the .p12 password; this post uses the same password for both. Without -destkeypass the imported key keeps the .p12 password as its key password.

keytool -importkeystore -srckeystore MB.p12 -srcstoretype pkcs12 -destkeystore MB.jks -deststoretype jks

Where,
          keytool              : Java keystore utility.
          -importkeystore      : copy entries from one keystore into another.
          -srckeystore         : source keystore file.
          -srcstoretype        : source keystore type.
          -destkeystore        : output keystore file name.
          -deststoretype       : output keystore type.

Since Java 9 the default keystore type is PKCS12 and keytool warns that JKS is a proprietary format; create a JKS only when the application actually requires it.



Step 6: Convert JKS to .p12 (keystore) format.

Command:
NOTE: This is the reverse of Step 5: the key entry (private key plus chain) is copied from the JKS into a new PKCS#12 file, which openssl can then read directly (Steps 8 and 9). keytool prompts for a password for the new .p12 and then for the JKS password.

keytool -importkeystore -srckeystore MB.jks -srcstoretype jks -destkeystore MB.p12 -deststoretype pkcs12

Where,
          keytool              : Java keystore utility.
          -importkeystore      : copy entries from one keystore into another.
          -srckeystore         : source keystore file.
          -srcstoretype        : source keystore type (optional; recent keytool versions detect it).
          -destkeystore        : output keystore file name.
          -deststoretype       : output keystore type.





Step 7: Import a root or intermediate CA certificate into an existing JKS as a trusted entry.

Command:
keytool -importcert -trustcacerts -alias root_inter -file MB_com.ca-bundle -keystore MB.jks

Where,
           -importcert    : import a certificate (-import, as in older examples, is the legacy alias of the same option).
           -trustcacerts  : also consult the JRE's cacerts store when validating the certificate being imported; it does not name a file.
           -file          : the certificate file to import.
           -alias         : name the entry is stored under.

A trusted-certificate entry holds a single certificate, so a bundle containing both the intermediate and the root should be split into two PEM files and imported under two aliases (for example inter and root). If the .p12 was built with -chain (Step 4), the key entry already carries the chain and this step is usually unnecessary for serving TLS; it matters when the JKS is also used as a trust store for outbound connections.



Step 8: Export the private key in PEM format from the .p12 file.

Command:
openssl pkcs12 -nocerts -nodes -in MB.p12 -out MB.key

Where,
          -nocerts : write only the private key, no certificates.
          -nodes   : write the key unencrypted (drop it to be prompted for a PEM passphrase instead). The output is a plaintext key: restrict its permissions immediately and do not leave copies in download folders or on shared drives.



Step 9: Export the certificates in PEM format from the .p12 file.

Command:
openssl pkcs12 -nokeys -in MB.p12 -out MB.pem

Where,
          -nokeys  : write only the certificates, no private key (so -nodes is not needed here). MB.pem then holds every certificate in the .p12; after a -chain export that is the server certificate plus the intermediate and root. Add -clcerts to get only the server certificate, or -cacerts to get only the CA certificates.



Step 10: Check that the CSR, private key and certificate belong together by comparing a hash of the RSA modulus.

Commands:
  • openssl req -noout -modulus -in MB.csr | openssl md5
  • openssl rsa -noout -modulus -in MB.key | openssl md5
  • openssl x509 -noout -modulus -in MB_com.crt | openssl md5

All three hashes must be identical. A different value for the certificate means the CA signed a CSR made from another key, and the key/certificate pair will not load on the server. MD5 is used here only as a short comparison fingerprint, not for any security property, and a modulus exists only for RSA keys: for an EC key compare the public keys themselves (openssl pkey -pubout against openssl x509 -pubkey) instead.
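The following script is an added example, not code from the original post. A throw-away root and intermediate CA built with openssl stand in for the commercial CA, so that Step 3 (checking what came back), Step 4 (the -chain export), Steps 8 and 9 (extraction) and Step 10 (the modulus check) can be exercised end to end offline. It assumes openssl 1.1.1 or 3.x on the PATH; the CA names, the export password "changeit", the 2048-bit keys and the extension contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. A throw-away root + intermediate CA stands
# in for the commercial CA so that Steps 3, 4, 8, 9 and 10 can be run end to end offline.
# Assumes openssl 1.1.1 or 3.x on PATH. "Test Root", "Test Intermediate", the export
# password "changeit", 2048-bit keys and the extension contents are assumptions made here.
set -e
P12_PASS=changeit

# One minimal config for every "openssl req" call so the example does not depend on
# the installed openssl.cnf; subjects are passed with -subj, v3_ca applies only to -x509.
write_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root, then an intermediate signed by it. The ca-bundle a CA returns is
# just these two concatenated, intermediate first.
make_test_ca() {
    d=$1
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 -config "$d/req.cnf" \
        -subj "/CN=Test Root" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config "$d/req.cnf" \
        -subj "/CN=Test Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$d/int.ext"
    openssl x509 -req -days 2 -sha256 -in "$d/int.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/int.ext" -out "$d/int.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/MB_com.ca-bundle"
}

# Issue the server certificate. With "x509 -req" the extensions come from -extfile, not
# from the CSR: the CA, not the requester, decides the SAN, so inspect what comes back.
issue_server_cert() {
    d=$1
    openssl req -new -nodes -newkey rsa:2048 -config "$d/req.cnf" \
        -subj "/C=GB/O=Advanced Travel Partners/CN=*.MB.com" \
        -keyout "$d/MB.key" -out "$d/MB.csr" 2>/dev/null
    printf '%s\n' 'subjectAltName=DNS:*.MB.com,DNS:MB.com,DNS:MBox.com' \
        'extendedKeyUsage=serverAuth' 'basicConstraints=CA:FALSE' > "$d/srv.ext"
    openssl x509 -req -days 2 -sha256 -in "$d/MB.csr" -CA "$d/int.crt" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/srv.ext" -out "$d/MB_com.crt" 2>/dev/null
}

# Step 3 checks: the leaf must chain to the bundle, and the SAN must be what you need.
verify_chain() { openssl verify -CAfile "$1/MB_com.ca-bundle" "$1/MB_com.crt" >/dev/null 2>&1; }
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

# Step 4: key + leaf + chain into one PKCS#12; -name becomes keytool's alias. -chain has
# to reach a root inside -CAfile, so a bundle without the root makes this step fail.
export_p12() {
    openssl pkcs12 -export -chain -CAfile "$1/MB_com.ca-bundle" -inkey "$1/MB.key" \
        -in "$1/MB_com.crt" -name Cert_MB.com -passout "pass:$P12_PASS" -out "$1/MB.p12"
}

# Steps 8 and 9: the key comes out unencrypted (-nodes), so restrict the file at once;
# -nokeys alone dumps the whole chain, -clcerts narrows it to the end-entity certificate.
extract_p12() {
    openssl pkcs12 -nocerts -nodes -in "$1/MB.p12" -passin "pass:$P12_PASS" -out "$1/MB.extracted.key"
    chmod 600 "$1/MB.extracted.key"
    openssl pkcs12 -nokeys -in "$1/MB.p12" -passin "pass:$P12_PASS" -out "$1/MB.pem"
    openssl pkcs12 -nokeys -clcerts -in "$1/MB.p12" -passin "pass:$P12_PASS" -out "$1/MB_leaf.pem"
}

# Step 10 as on the page: MD5 of the RSA modulus, purely a comparison fingerprint.
# $1 is the openssl subcommand for the file type (req, rsa or x509). RSA keys only.
modulus_md5() { openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'; }

# How many certificates a PEM file holds (MB.pem should carry leaf + intermediate + root).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Whole flow in a scratch directory; non-zero exit on any mismatch.
demo() {
    d=$(mktemp -d)
    write_req_cnf "$d/req.cnf"
    make_test_ca "$d"
    issue_server_cert "$d"
    verify_chain "$d" || { echo "chain does not verify" >&2; return 1; }
    export_p12 "$d"
    extract_p12 "$d"
    [ "$(modulus_md5 rsa "$d/MB.key")" = "$(modulus_md5 req "$d/MB.csr")" ] || return 1
    [ "$(modulus_md5 rsa "$d/MB.extracted.key")" = "$(modulus_md5 x509 "$d/MB_leaf.pem")" ] || return 1
    echo "SAN: $(cert_sans "$d/MB_com.crt"); certificates in MB.pem: $(cert_count "$d/MB.pem")"
    rm -rf "$d"
}
```

Source the file and call demo. The point to take away is in issue_server_cert: with x509 -req the SAN is taken from the CA's -extfile, not from the CSR, which is exactly why the certificate you get back has to be inspected rather than assumed to match the request. Against a real CA, replace make_test_ca and issue_server_cert with the files the CA returns and run the remaining functions unchanged.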



Reference links:
https://www.sslshopper.com/article-most-common-openssl-commands.html
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Thanks :-)