Tuesday Nov 11, 2008

Public/Private keys and X.509 certificate

Browsing here and there I gathered the following steps to create a public/private key pair for digitally signing messages (or assertions), along with the corresponding X.509 certificate for the public key. The steps assume OS X, but since most of them are based on openssl they are fairly generic across UNIX systems. Hopefully it can save someone else from searching for such info...

  1. Creating key pair
    keytool -genkey -alias SL -keyalg RSA -validity 365 -keystore keys/my.keystore
  2. Displaying the result
    (cd keys)
    keytool -list -keystore my.keystore
    keytool -list -v -keystore my.keystore
  3. Creating a CSR
    (cd ..)
    keytool -certreq -keystore keys/my.keystore -alias sl -file SL_certification_signing_Request.pem
    openssl req -noout -text -in SL_certification_signing_Request.pem
  4. Resetting counter to 0
    (mkdir demoCA)
    echo 00 > demoCA/serial
  5. Creating a CA
    /System/Library/OpenSSL/misc/CA.pl -newca
    [You'll need to remember that PEM pass phrase]
  6. Signing the certificate request
    openssl ca -in SL_certification_signing_Request.pem -out signed_cert_request.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
  7. Verifying that the client cert was indeed signed by the CA
    openssl verify -CAfile demoCA/cacert.pem signed_cert_request.pem

Additionally, you may have to convert the certificate into something that is easier to deal with programmatically.
I have successfully used the following commands to do so:

  1. Converting the signed certificate into a file containing only the data between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers (openssl ca also writes a human-readable dump in front of the PEM block)
    openssl x509 -in signed_cert_request.pem -out signed2_cert_request.pem
  2. Converting certificate into a PKCS#7 file
    openssl crl2pkcs7 -nocrl -certfile signed2_cert_request.pem -certfile demoCA/cacert.pem -outform DER -out certificate.p7c
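The two procedures above (CA creation, CSR signing and verification, then the conversion to bare PEM and PKCS#7) as one non-interactive script. This is an added example, not the post's own commands: it uses openssl in place of keytool for the key pair and CSR, a minimal inline config instead of the system openssl.cnf, and constructed names and a throwaway pass phrase.

```shell
#!/bin/sh
# Added example (not from the original post): the post's flow with openssl only.
# The subjects, file names and the pass phrase "capass" are constructed values.
set -eu

# Runs in a subshell so the cd/mktemp do not leak; prints the number of
# certificates found in the final PKCS#7 bundle (expected: 2, leaf + CA).
build_chain() (
    work=$(mktemp -d)
    cd "$work"
    mkdir -p demoCA/private demoCA/newcerts
    echo 00 > demoCA/serial        # the "reset counter to 0" step
    : > demoCA/index.txt           # openssl ca also needs an (empty) database

    # Minimal openssl ca / req configuration standing in for the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = anything
[ anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    # Step 5: the CA (what CA.pl -newca does), pass phrase given instead of prompted.
    openssl req -x509 -newkey rsa:2048 -days 365 -subj '/CN=Demo CA' -config ca.cnf \
        -passout pass:capass -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
    # Steps 1 and 3: key pair and CSR (openssl req standing in for keytool -genkey/-certreq).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=SL' -config ca.cnf \
        -keyout sl.key -out sl.csr 2>/dev/null
    # Step 6: sign the request with the CA; step 7: check it chains to the CA.
    openssl ca -batch -config ca.cnf -passin pass:capass -in sl.csr -out signed.pem >/dev/null 2>&1
    openssl verify -CAfile demoCA/cacert.pem signed.pem >/dev/null
    # Conversion steps 1 and 2: strip to the bare PEM block, then bundle leaf + CA as DER PKCS#7.
    openssl x509 -in signed.pem -out signed2.pem
    openssl crl2pkcs7 -nocrl -certfile signed2.pem -certfile demoCA/cacert.pem \
        -outform DER -out certificate.p7c
    # Inspect the bundle: one "subject=" line per certificate it carries.
    openssl pkcs7 -inform DER -in certificate.p7c -print_certs -noout | grep -c '^subject'
)
```

Run `build_chain` to get the certificate count; the scratch directory holds signed.pem, signed2.pem and certificate.p7c for inspection.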

hubertsblog
