Terry : Use OpenSSL to generate key pairs


Both PEM and CER (binary DER) file formats are supported by OpenSSL by default.

Generate Key Pairs

Use Case: Use openssl to generate an RSA key pair whose 4096-bit private key is encrypted with 256-bit AES.

genrsa

SYNOPSIS

openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]

-des|-des3|-idea

These options encrypt the private key with the DES, triple DES, or the IDEA ciphers respectively before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument.

numbits

the size of the private key to generate in bits. This must be the last option specified. The default is 512.

Example

Generate a 4096-bit private key protected by a password and encrypted with 256-bit AES:

$ openssl genrsa -out key.pem -aes256 4096
Generating RSA private key, 4096 bit long modulus
.......................................................++
......................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:

Without password protection:

openssl genrsa -out key.pem 4096

NOTE: genrsa is superseded by genpkey

genpkey

SYNOPSIS

openssl genpkey [-out filename] [-outform PEM|DER] [-pass arg] [-cipher] [-engine id] [-paramfile file] [-algorithm alg] [-pkeyopt opt:value] [-genparam] [-text]

To do the same with genpkey, i.e. generate an RSA key pair whose 4096-bit private key is encrypted with 256-bit AES:

$ openssl genpkey -algorithm RSA -out key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096
....++
.....................................................................................................................................++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:  

More examples

Generate an RSA private key using default parameters

openssl genpkey -algorithm RSA -out key.pem

Encrypt output private key using 128 bit AES and the passphrase "hello"

openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello

Generate a 2048 bit RSA key using 3 as the public exponent

openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
                                                -pkeyopt rsa_keygen_pubexp:3

Remove pass-phrase

# Back up the encrypted RSA key first
cp server.key server.key.secure
# Write the key back out without a pass-phrase (you will be prompted for the current one)
openssl rsa -in server.key.secure -out server.key

Print out the public key

Output the public key to standard output

$ openssl rsa -in key.pem -pubout
Enter pass phrase for key.pem:
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

Extracting the public key from a RSA key pair

openssl rsa -in key.pem -out public.pem -outform PEM -pubout

For example

$ openssl rsa -in key.pem -out public.pem -outform PEM -pubout 
Enter pass phrase for key.pem:
writing RSA key

NOTE: -outform is optional here because PEM is the default format.

Alternative

openssl rsa -in key.pem -pubout > public.pem

SSL/TLS Certificate

Create a CSR - Certificate Signing Request

openssl req -new -key key.pem -out cert.csr

# HTTP over TLS for Apache
# server.key is the generated key pair (pass-phrase protected with triple DES)
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr

Now, cert.csr can be sent to the certificate authority if they accept files in PEM format. If not, add the extra argument -outform followed by the format keyword (DER) to produce a binary CER file instead.

Create A Self-signed Certificate

Self-sign directly from the private key (no CSR needed)

openssl req -new -x509 -key key.pem -out newcert.pem -days 3650

# Sign an existing CSR with your own private key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When the dialog asks for "YOUR name" (the Common Name field), enter the full domain name (i.e. www.terry.im or subdomain.terry.im), not your personal name. This can be confusing, but it is about the only thing in the dialogue that is not self-explanatory.

NOTE: You may consider removing the pass-phrase from the private key (key pair) in a test environment; otherwise you will have to enter the pass-phrase every time you start or restart the server.

Create a Self-signed Certificate from a CSR (Certificate Signing Request)

# -new is omitted here: with -new, req ignores the -in file and prompts for a brand new request
openssl req -x509 -in cert.csr -key key.pem -out newcert.pem -days 3650

Get Certificate Hash

openssl x509 -noout -hash -in newcert.pem

Convert Certificate From/To PKCS #12 Format

PEM to PKCS #12

openssl pkcs12 -export -in newcert.pem -inkey key.pem -out newcert.p12

PKCS #12 to PEM

openssl pkcs12 -in newcert.p12 -out newcert.pem -nodes -clcerts

View Certificate in Human Readable Format

PEM format

openssl x509 -text -noout -in newcert.pem

PKCS #12 format

openssl pkcs12 -info -nodes -in newcert.p12

Encrypt / Decrypt Private Key

An encrypted private key prompts for its password whenever it is used.

Encrypt

openssl rsa -aes256 -in unencrypted_key.pem -out encrypted_key.pem

Decrypt

# No cipher option: openssl rsa writes the key unencrypted unless a cipher such as -aes256 is given
openssl rsa -in encrypted_key.pem -out unencrypted_key.pem

View Certificate Signer

openssl x509 -in newcert.pem -noout -issuer -issuer_hash

Verify a Certificate Matches a Private Key

# The certificate and the private key share the same RSA modulus if they belong together
openssl x509 -in newcert.pem -noout -modulus > cert.txt
openssl rsa -in key.pem -noout -modulus > key.txt
colordiff -c cert.txt key.txt
rm cert.txt key.txt
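Putting the key generation, self-signing and modulus check above together, as an added example that is not part of the original post: a small POSIX shell script that builds a key pair and self-signed certificate non-interactively with genpkey and req, then checks that the certificate belongs to the key by comparing SHA-256 hashes of their RSA moduli rather than diffing the raw modulus files. It assumes the openssl CLI is on PATH; the file names, the pass phrase testpass and the CN www.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on PATH.
# Builds a throwaway key pair and self-signed certificate without prompts, then
# checks that the certificate really belongs to the private key by comparing the
# SHA-256 of each side's RSA modulus (a hash is easier to compare than the modulus).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the key pair and a self-signed certificate non-interactively:
# -pass/-passin supply the pass phrase, -subj supplies the DN fields
# (Common Name = server FQDN, not a person's name). Values are constructed for the demo.
make_key_and_cert() {
    openssl genpkey -algorithm RSA -out "$WORK/key.pem" -aes-256-cbc \
        -pass pass:testpass -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -passin pass:testpass \
        -subj "/CN=www.example.test" -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# modulus_fingerprint FILE cert|key [PASS] -> prints the SHA-256 of the RSA modulus line
modulus_fingerprint() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -modulus
    else
        openssl rsa -in "$1" -passin "pass:${3:-}" -noout -modulus 2>/dev/null
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY [PASS] -> exit status 0 if they share a modulus, 1 otherwise
cert_matches_key() {
    [ "$(modulus_fingerprint "$1" cert)" = "$(modulus_fingerprint "$2" key "${3:-}")" ]
}

# Demo run: prints a confirmation when the certificate and key belong together
make_key_and_cert
cert_matches_key "$WORK/cert.pem" "$WORK/key.pem" testpass && echo "cert matches key"
```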
Revoke Certificate

# Revocation is done through the ca sub-command and requires the CA database configured in openssl.cnf
openssl ca -revoke newcert.pem

HTTP over TLS for Apache HTTP Server (HTTPS)

Self-signed certificate - HOWTO (Apache)

/etc/apache2/conf.d/security (mod_ssl required) snippet

SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
