Palantir Tech Blog

SSL HOWTO: using openssl to get keys into PKCS#12 format.

June 23rd, 2008 by Ari

Some of our customers are pretty serious about data security. To that end, our products need to support and integrate with SSL for both data security and authentication. SSL is very neat technology, but there is a dizzying maze of standards to navigate to figure how to get it all to work.

It turns out that in this age of Google, the fastest way to figure out how to do something is often to Google for key terms and hope that someone has put the relevant details in a blog post somewhere. In trying to figure out how to set up keys on a SunOne Directory Server for testing our LDAP integration, I needed to figure out how to get keys into PKCS#12 format after generating them with OpenSSL.

I’ll spare you the gory details of what it took to figure out how to do this; suffice to say there was some trial and error mixed with a bunch of RTFM. After the jump, the full howto.

Introduction to PKCS#12

PKCS#12 is used by a number of different vendors as their standard key-exchange format for key management, most notably IE and the SunOne/Netscape products. OpenSSL, while remaining the Swiss Army knife of crypto tools, doesn’t use PKCS#12 as a native format. However, it knows how to convert to it.

The overall strategy here is to convert to PKCS#12 as a last step; we do normal key generation and signing using OpenSSL and then convert the results into PKCS#12 format.

To get a key pair generated and signed by a certificate authority, ready for import into one of these tools, follow these steps (the commands you type follow the # prompt; the answers you type follow the colon of each field prompt):

Generate the key

# openssl genrsa -out example-key.pem 2048
Generating RSA private key, 2048 bit long modulus
..................................+++
...........................................................................................+++
e is 65537 (0x10001)

Your 2048-bit RSA public/private key pair now resides in the file named example-key.pem.

Generate the Certificate Signing Request (CSR)

Next we generate the CSR normally.

# openssl req -new -key example-key.pem -out example.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Palo Alto
Organization Name (eg, company) [My Company Ltd]:Palantir Technologies
Organizational Unit Name (eg, section) []:Palantir TechBlog Examples
Common Name (eg, your name or your server's hostname) []:example.palantirtech.com
Email Address []:example@palantirtech.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

A certificate signing request for the public key in example-key.pem is now in example.csr and will look something like this if you look at the contents:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----

This CSR is sent off to your CA of choice, and you get back a certificate: essentially a signature by the CA over your public key.

The contents of the file, PEM-encoded, will look something like this:

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

Stick it in its own file, example.crt.

Create the PKCS#12 key

Concatenate the cert with the key file and then have OpenSSL convert it to PKCS#12.

# cat example-key.pem example.crt > example.pem
# openssl pkcs12 -export -in example.pem -out example.pkcs12 -name "example"
Enter Export Password: (password is not echoed here, but you must enter something)
Verifying - Enter Export Password: (password is not echoed here, but you must enter something)

Verify it worked

As they say: if you didn’t test it, it doesn’t work. So now we verify that it worked with a different tool, one that claims to ingest PKCS#12. Here I use Java’s keytool:

# keytool -v -list -storetype pkcs12 -keystore example.pkcs12
Enter keystore password:  password (whatever you set it to above)

Keystore type: pkcs12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: flint
Creation date: Feb 26, 2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.palantirtech.com, OU=Palantir TechBlog Examples, O=Palantir Technologies, ST=California, C=US
Issuer: CN=Palantir Certificate Authority, C=US, ST=California, L=Palo Alto, O=Palantir Technologies
Serial number: 100020
Valid from: Mon Feb 25 22:49:55 PST 2008 until: Sat Feb 23 22:49:55 PST 2013
Certificate fingerprints:
         MD5:  C2:4E:B0:62:D8:06:FB:10:77:A5:37:6C:C8:2F:2A:AF
         SHA1: D2:B4:6B:0C:9D:3B:A4:94:B9:BF:25:E5:57:D6:96:FA:FB:84:A6:A7

*******************************************
*******************************************
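
The whole procedure above, as an added shell script that is not from the original post: it generates the key, substitutes a self-signed certificate for the CA round-trip (which needs a CA you control), builds the PKCS#12 bundle non-interactively with -passout, and then verifies the bundle with openssl itself rather than keytool, including a check that a wrong password is rejected by the bundle’s integrity MAC. The openssl CLI is assumed to be installed; the file names, subject fields and the password "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's procedure end
# to end with a self-signed certificate standing in for the CA round-trip, then
# verifies the bundle with openssl instead of keytool. Assumes the openssl CLI
# is installed; file names, subject fields and the password are constructed.
set -eu

# Build example.p12 in scratch directory $1 and print the SHA-1 fingerprint of
# the certificate that went into it, so the caller can compare after extraction.
build_pkcs12() {
  dir=$1
  openssl genrsa -out "$dir/example-key.pem" 2048 2>/dev/null
  # Self-signed stands in for "send the CSR to your CA"; -subj skips the prompts.
  openssl req -new -x509 -key "$dir/example-key.pem" -days 1 \
    -subj "/C=US/ST=California/O=Example Org/CN=example.test" \
    -out "$dir/example.crt" 2>/dev/null
  # Same as the post: key first, then cert, concatenated into one PEM file.
  cat "$dir/example-key.pem" "$dir/example.crt" > "$dir/example.pem"
  # -passout replaces the interactive Export Password prompt. The password both
  # encrypts the private key and keys the integrity MAC over the whole bundle.
  openssl pkcs12 -export -in "$dir/example.pem" -out "$dir/example.p12" \
    -name example -passout pass:changeit 2>/dev/null
  openssl x509 -in "$dir/example.crt" -noout -fingerprint -sha1
}

# Return 0 when bundle $1 opens with password $2 and the certificate inside has
# fingerprint $3. A wrong password fails the MAC check, so nothing is extracted.
verify_pkcs12() {
  p12=$1; pass=$2; expected=$3
  # -noout parses the file and checks the MAC without writing key material out.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -noout 2>/dev/null || return 1
  actual=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1)
  [ "$actual" = "$expected" ]
}

# Stand-alone run: sh script.sh run
demo() {
  work=$(mktemp -d)
  fp=$(build_pkcs12 "$work")
  verify_pkcs12 "$work/example.p12" changeit "$fp" && echo "correct password: bundle OK"
  verify_pkcs12 "$work/example.p12" wrong "$fp" || echo "wrong password: rejected"
  rm -rf "$work"
}
if [ "${1:-}" = "run" ]; then demo; fi
```

The fingerprint printed by openssl x509 is the same value keytool lists under "Certificate fingerprints", so the two checks can be cross-compared.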

You’re now good to go. As usual: additions, oversights, and comments welcome.
