Certificate Signing Request and private key for SSL Certificate
The Secure Socket Layer (SSL) is used to encrypt the data stream between the web server and the web browser. SSL uses public key cryptography where two keys are created one is public and another is private. Data is encrypted with server’s private key and can be decrypted by its corresponding public key only. To ensure certificate holder is legitimate a digitally signed certificate is used which is issued by CA (certificate authority like: VeriSign) otherwise browser will show warning message.
The Secure Socket Layer (SSL) is used to encrypt the data stream between the web server and the web browser. SSL uses public key cryptography where two keys are created one is public and another is private. Data is encrypted with server’s private key and can be decrypted by its corresponding public key only. To ensure certificate holder is legitimate a digitally signed certificate is used which is issued by CA (certificate authority like: VeriSign) otherwise browser will show warning message.
Generating private key:
Openssl toolkit is used for creating a CRS (certificate signing request) and private key. It can also be used for creating a self-signed SSL certificates or we can get it signed by CA (Certificate Authority).
Our first step is to create a private key.
nixvilla@nixvilla-dev-vm:$ sudo openssl genrsa -out example.com.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
............................+++
e is 65537 (0x10001)
Above command will generate a RSA private key with 2048 bit which uses Triple-DES encryption which is readable as ASCII text.
2048 bit size key ensures that it can’t be easily cracked by brute force methods. If private key is broken the connections initiated with it would be exposed to whoever has the key.
Generating CSR (Certificate signing request):
After generating private key, we can generate the CSR file which will be used for generating certificate. A certificate can be self-signed or can be signed by any certified authority (CA).
nixvilla@nixvilla-dev-vm:$ sudo openssl req -new -key example.com.key -out example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:India
Locality Name (eg, city) []:New Delhi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:IT dept.
Common Name (eg, YOUR name) []:*.example.com
Email Address []:contact@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
A certificate authority (CA) will use this CSR to create SSL certificate.We should keep our private key secret.
Decoding CRS:
We can decode CSR file by the following openssl command.
nixvilla@nixvilla-dev-vm:$ openssl req -in example.com.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=India, L=New Delhi, O=Example, OU=IT dept., CN=*.example
le.com/emailAddress=contact@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:ea:50:6d:13:b2:cb:2c:f6:61:c1:d5:c9:21:8a:
b6:ef:f9:9c:91:71:0c:b2:c0:d1:68:0a:19:5b:4b:
45:c9:2f:df:44:93:1f:8f:65:5a:fb:30:9c:0f:4a:
2c:17:85:5f:90:48:2b:c2:65:5f:79:18:a0:c5:c8:
fc:6d:8e:9f:5a:0c:c7:87:7e:6e:57:f1:1e:3b:0b:
41:8e:81:67:53:54:40:c2:04:75:00:b4:26:bf:f1:
26:c9:60:39:b9:09:71:5f:98:89:b1:0e:56:44:51:
b4:79:64:0c:ad:a9:e4:cb:a2:d1:7a:c6:7b:bb:18:
f3:d3:f4:fc:bc:70:85:39:92:a0:51:89:61:ac:19:
b2:7c:82:6b:f8:c4:c4:34:fa:78:d5:b8:8b:51:d7:
ba:5f:6c:b3:93:c7:06:91:dc:e1:ee:3b:09:63:05:
8c:5b:06:d9:fb:44:43:34:81:af:10:35:53:ef:c8:
8d:b3:c4:13:94:ae:ec:c9:0b:d7:0c:42:ab:30:88:
a7:f0:78:f2:d1:67:7e:bd:2a:72:47:f4:19:0b:fe:
ed:9e:d6:6d:01:00:3b:f9:5b:05:16:16:c1:06:09:
a7:fb:4c:8c:e9:e2:f3:06:08:68:cc:cf:2f:cb:d4:
76:99:a6:ef:ca:ba:9c:17:40:7d:9d:89:17:61:c5:
36:bf
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
ca:a5:ff:d3:b4:e3:3f:10:8d:23:b2:4b:7b:ea:5b:86:d6:35:
ae:1f:e1:e6:de:b1:e2:d8:7c:e0:1b:77:ed:b3:76:a6:9d:9f:
5f:13:8a:09:06:34:93:ea:4c:15:87:6d:2b:71:a4:e7:bc:38:
7b:00:39:d3:ee:4a:42:cc:2d:e8:d3:47:be:a1:bc:41:8a:35:
9e:e8:63:25:79:a8:de:d5:89:b4:24:56:fa:00:77:5d:63:5f:
7b:0e:d2:4f:92:3b:a2:05:5b:31:d8:80:ad:4c:5b:dc:b3:d1:
5b:3a:9e:b5:f4:3a:c0:41:a8:29:38:71:c0:bc:d1:d7:06:53:
46:d0:e5:04:2b:47:c1:59:81:e9:17:78:40:79:79:1d:78:21:
13:ed:ae:e0:a4:c9:b0:f3:c5:88:9a:fd:8b:c8:15:dd:c2:80:
6a:6e:86:17:f9:1a:ec:08:b6:7a:b6:6c:7a:5a:0d:39:01:87:
35:00:ed:f3:9a:21:44:79:ae:b5:f5:79:34:24:08:02:31:5f:
b9:cc:54:33:ee:f6:4f:76:0f:bc:5f:dd:eb:5b:da:f8:90:da:
26:00:26:a6:6c:2f:43:cf:79:6e:31:f3:ce:fb:bb:43:0d:be:
05:8c:47:ab:47:d7:3b:6f:8f:38:5f:39:78:11:d8:b1:8c:66:
99:04:f0:48
This can be used to cross-check the information before getting the certificate.
These are the following information that we can re-check from CSR:
- The bit-length of a CSR and private key pair.
- organization name
- organizational unit name
- common name (domain name)
- locality name
- Country name in 2 letter code.
0 comments:
Post a Comment