- Openssl Show Public Key
- Openssl Certificate Request
- Openssl Create Public Key From Certificate
- Openssl Get Public Key From Certificate
In this article, I wanted to briefly talk about how to generate keys and certificates in OpenSSL using a configuration file. In how to configure encrypted connections in Bacula, I wrote about how to do this via the command line. After the article, I was doing some research on OpenSSL and came across the configuration file option. This option allows you to add specific details to a configuration file. When generating keys and certificate requests, you can use the configuration file instead of being prompted at the command line.
A quick recap of the manual way
First, lets look at how I did it originally. For the article, I had to generate a keys and certificates for a self-signed certificate authority, a server and a client. So, to set up the certificate authority, I first generated a set of keys.
X509v3 Extended Key Usage – The Extended Key Usage describes the intended use of the certificate public key, in addition to what is already described in the Key Usage. For example, end-entity TLS server certificates set both TLS Web Server Authentication and TLS Web Client Authentication, and must not be used for any other purpose. A pfx file is technically a container that contains the private key, public key of an SSL certificate, packed together with the signer CA's certificate all in one in a password protected single file. Here are the steps to extract these three in case they are needed, for instance importing them in an apache server, in a load balancer, etc. OpenSSL - CSR content. View the content of CA certificate. We can use our existing key to generate CA certificate, here ca.cert.pem is the CA certificate file: # openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem. To view the content of CA certificate we will use following syntax.
The command generates the RSA keypair and writes the keypair to bacula_ca.key. So far pretty straight forward. The next step is to generate an x509 certificate which I can then use to sign certificate requests from clients.
As you can see, OpenSSL prompts for some details that needs to be filled in.
Next step, generate the server keypair.
Again, here we need to fill out some of the same details for the certificate signing request. Not too much information needs to be entered, but it can be repetitive.
Final step is to sign the certificate, however, there is no input required for that, so I’m skipping the recap of that step.
One of the ways that we can speed this up, is by supplying the information as a part of the arguments to OpenSSL. Lets generate the Bacula Certificate Authority certificate, but this time, we’ll add the Distinguished Name properties as part of the arguments.
So, this time, we just add the information as part of the command line arguments and OpenSSL puts that information into the certificate.
To verify, we can check the certificate signing request.
So, as we can see, all the details are filled out for us by OpenSSL. If, for example, we did not want to add Organizational Unit Name, we could just omit OU from the list.
Again, we would have to do the same when we request the certificate for the Certificate Authority. Though we could copy, modify the parts that we want, and then past it back in. However, this is also a little bit cumbersome. We could take this one step further and add all the data into a configuration file.
Automated approach with configuration file
We can generate a configuration file to hold some of the information we supplied on the command line. That way, we don’t need to copy, change and paste the information directly on the command line, rather we can do it in the configuration file. I’ve generated a configuration file that contain the data we previously had on the command line.
The information in this configuration file captures just a subset of the available configurations and parameters, but it solves the current issue. If we step through it, the first part : [ req ] describes default properties used to generate keys and certificates.
defaults_bits = 2048; tells OpenSSL to use 2048 bits when generating the keypair.
default_md = sha256; tells OpenSSL to use sha256 as the signature algorithm/message digest.
prompt = no; tells OpenSSL not to prompt at the command line and use the data in the configuration file.
encrypt_key = no; is the same as providing -nodes on the command line. It tells OpenSSL not to encrypt the keypair.
distinguished_name = bacula_ca; tells OpenSSL which block, if you have multiple, to fill out the fields for the certificate.
The fields in bacula_ca and bacula_server is fairly self-explanatory, so I am not going into details on those.
If you would like to exclude a field, such as the organizationalUnitName, you can comment it out with the # character. OpenSSL will then omit the value from the certificate.
Openssl Show Public Key
Now, we can use this to generate the keys and certificates with OpenSSL using the configuration file.
Using the configuration file to auto-fill the necessary values
First, lets generate the certificate for the Certificate Authority using the configuration file.
That will generate the certificate using the configuration file and setting the expiration date of the certificate to one year out. As far as I know, there is currently no way to supply the number of days until the certificate expires in the configuration file.
Next, I can modify the configuration file to make the distinguished_name point to bacula_server and then run;
Openssl Certificate Request
That generates the keys for the bacula_server and the certificate signing request without prompting me for any values. Next steps is to have the Certificate Authority sign the certificate signing request, but there are no prompts required in that process, so I will skip that.
Openssl Create Public Key From Certificate
In this article, I briefly discussed how to generate keys in OpenSSL utilizing the configuration file option. Though you can generate keys and certificates using all of these approaches, using the configuration file option may save you some time. Personally, I also prefer the last approach as it is easier to remember the distinguished names that have been used.
Finally, you can create one configuration file for each domain. Thus, you could have a configuration file for the bacula_ca and one for bacula_server. Inside, you could add additional fields, such as default keyfile and certificate file. This will speed things up, however, if you need to change any information in the distinguished_name section, you now need to do this over multiple files. I would encourage you to go to the OpenSSL documentation page and see the other fields you can add to the configuration file.
N.B.: Modulus only applies on private keys and certificates using RSA cryptographic algorithm. If you generate an ECC (Elliptic Curve Cryptography) private key or if your certificate is signed with ECC you won't find a modulus.
N.B.2: For a detailed cryptographic verification,see Hanno Böck's script