Commit: fdaf7842 (JY)

# Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure

This readme demonstrates how to generate a 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands. The user MUST set a UNIQUE Subject Name ("Common Name") on each of the three certificates, for two reasons: `openssl ca` records every issued subject in its index.txt database and, with the default `unique_subject = yes`, refuses to issue a second certificate for a subject that already has a valid entry; and certificate-chain building matches Issuer to Subject by name, so a repeated name can make the verifier pick the wrong certificate or treat one as self-signed.

## How to generate a self-signed X.509 certificate chain via OPENSSL
* Set OPENSSL environment.

NOTE: The steps below are required for Windows. Linux usually has the OPENSSL environment set up already.

```
set OPENSSL_HOME=c:\home\openssl\openssl-[version]
set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
```

When a user runs OpenSSL (the req or ca command) to generate the certificates, OpenSSL reads openssl.cnf as its configuration data (use "-config path/to/openssl.cnf" to point at a specific config file).

The user needs to check the openssl.cnf file to find the CA path setting, i.e. check whether the path given in the [ CA_default ] section exists:

```
[ CA_default ]
dir = ./demoCA # Where everything is kept
```

The path is relative to the current working directory, so run all the commands below from the directory that contains demoCA. You may need the following steps for initialization. The index.txt database MUST be an empty file: `echo "" > index.txt` writes a line containing `""` on Windows (and a blank line on Linux), and `openssl ca` then fails with "wrong number of fields on line 1" because every line of index.txt must be a complete tab-separated database entry.

```
rd demoCA /S /Q
mkdir demoCA
type nul > demoCA\index.txt
echo 01 > demoCA\serial
mkdir demoCA\newcerts
```

On Linux the equivalent is `rm -rf demoCA; mkdir -p demoCA/newcerts; touch demoCA/index.txt; echo 01 > demoCA/serial`.

* Generate the certificate chain:

NOTE: The user MUST set a UNIQUE "Common Name" on each of the different certificates (openssl req prompts for it).

1) Generate the Root Pair:

Generate a root key (AES-256 encrypted; openssl prompts for a pass phrase, which it asks for again whenever the key is used):

```
openssl genrsa -aes256 -out TestRoot.key 2048
```

Generate a self-signed root certificate, then export it as DER (TestRoot.cer) and back to PEM (TestRoot.pub.pem, which holds the certificate only, no private key):

```
openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
```

2) Generate the Intermediate Pair:

Generate the intermediate key:

```
openssl genrsa -aes256 -out TestSub.key 2048
```

Generate the intermediate certificate: a CSR that the root CA signs. `-extensions v3_ca` applies the [ v3_ca ] section of openssl.cnf (basicConstraints CA:TRUE plus key identifiers); without it the default [ usr_cert ] section would issue an end-entity certificate that cannot sign the next level. (`-days` is only meaningful on the ca command; openssl req ignores it when no -x509 is given.)

```
openssl req -new -key TestSub.key -out TestSub.csr
openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
```

3) Generate User Key Pair for Data Signing:

Generate the user key:

```
openssl genrsa -aes256 -out TestCert.key 2048
```

Generate the user certificate, signed by the intermediate. No `-extensions` flag is given, so the default [ usr_cert ] section of openssl.cnf applies and the result is an end-entity certificate (CA:FALSE):

```
openssl req -new -key TestCert.key -out TestCert.csr
openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key
openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem
```

Convert the key and certificate for signing. The pass phrase is removed with the -nodes flag for convenience in this sample, so TestCert.pem holds the signing private key in clear text: keep it out of source control and delete it when done. The pkcs12 export prompts for an export password, and the import asks for the same password.

```
openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt
openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
```

* Verify Data Signing & Verification with the new X.509 Certificate Chain

1) Sign a binary file to generate a detached PKCS7 signature:

```
openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
```

`-binary` stops OpenSSL from translating line endings in test.bin before hashing, `-outform DER` writes a raw PKCS7 SignedData structure instead of an S/MIME message, and because -nodetach is not given the signature is detached: test.bin.p7 carries the signature and the certificates but not the content. `-certfile TestSub.pub.pem` embeds the intermediate certificate in the PKCS7 so that a verifier needs only the root.

2) Verify the PKCS7 signature of a binary file:

```
openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin
```

Because the signature is detached, the signed content must be supplied with `-content`. The command prints "Verification successful" and exits 0 only when the signature over test.bin checks out and the signer certificate chains (through the embedded TestSub) to TestRoot.pub.pem; any change to test.bin, or a different root in -CAfile, makes it fail with a non-zero exit status. test.org.bin is a copy of the verified content.

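The whole procedure above, from CA initialization through chain generation to PKCS7 signing and verification, as an added example that is not part of the original readme or of the project it belongs to. It is a POSIX shell script that runs everything non-interactively in a scratch directory. The openssl.cnf it writes, the Common Names, the sample payload and the function name `demo_pkcs7_chain` are assumptions of this example; keys are left unencrypted (the readme uses -aes256) and `-signer`/`-inkey` replace the pkcs12 round trip. Beyond the readme's steps it checks the chain with `openssl verify` and shows two failure modes a practitioner should confirm: a tampered content file fails verification, and `openssl ca` refuses a CSR whose Common Name repeats one already in index.txt, which is the UNIQUE Common Name rule being enforced. It assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the readme or the project it belongs to: the whole
# procedure above run non-interactively in a scratch directory, plus two checks.
# Assumes `openssl` 1.1.1 or 3.x on PATH. Keys are unencrypted here (the readme
# uses -aes256) so no pass-phrase prompts appear.
demo_pkcs7_chain() (
    set -e
    work=$(mktemp -d)
    cd "$work"
    # Minimal assumed config standing in for OPENSSL_CONF. unique_subject=yes is
    # what turns the readme's "UNIQUE Common Name" rule into an enforced check:
    # both CAs share one index.txt, so every issued subject must differ.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = ./demoCA
new_certs_dir          = $dir/newcerts
database               = $dir/index.txt
serial                 = $dir/serial
default_md             = sha256
policy                 = policy_any
unique_subject         = yes
[ policy_any ]
commonName             = supplied
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    # CA database: index.txt must be an EMPTY file; serial starts at 01.
    mkdir -p demoCA/newcerts
    : > demoCA/index.txt
    echo 01 > demoCA/serial
    # 1) Root pair: self-signed, CA extensions, unique CN.
    openssl genrsa -out TestRoot.key 2048 2>/dev/null
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 3650 \
        -subj "/CN=Test Root CA" -key TestRoot.key -out TestRoot.crt
    # 2) Intermediate pair: CSR issued by the root with the v3_ca extensions.
    openssl genrsa -out TestSub.key 2048 2>/dev/null
    openssl req -new -config openssl.cnf -subj "/CN=Test Intermediate CA" -key TestSub.key -out TestSub.csr
    openssl ca -batch -config openssl.cnf -extensions v3_ca -days 3650 -notext \
        -in TestSub.csr -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key 2>/dev/null
    # 3) Signing pair: end-entity (usr_cert, CA:FALSE) issued by the intermediate.
    openssl genrsa -out TestCert.key 2048 2>/dev/null
    openssl req -new -config openssl.cnf -subj "/CN=Test Signing Cert" -key TestCert.key -out TestCert.csr
    openssl ca -batch -config openssl.cnf -extensions usr_cert -days 3650 -notext \
        -in TestCert.csr -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key 2>/dev/null
    # Check the chain leaf -> intermediate -> root before trusting it for anything.
    chain=chain-failed
    openssl verify -CAfile TestRoot.crt -untrusted TestSub.crt TestCert.crt >/dev/null 2>&1 && chain=chain-ok
    # Detached PKCS7 over a constructed payload. -signer/-inkey replace the pkcs12
    # round trip; -certfile embeds the intermediate so verifiers need only the root.
    printf 'constructed firmware image payload\n' > test.bin
    openssl smime -sign -binary -signer TestCert.crt -inkey TestCert.key -outform DER \
        -md sha256 -certfile TestSub.crt -in test.bin -out test.bin.p7
    sig=verify-failed
    if openssl smime -verify -binary -inform DER -in test.bin.p7 -content test.bin \
            -CAfile TestRoot.crt -out test.org.bin 2>/dev/null \
            && [ "$(cat test.org.bin)" = "$(cat test.bin)" ]; then
        sig=verify-ok
    fi
    # Failure mode 1: one extra byte in the content must break the detached signature.
    cp test.bin test.tampered.bin
    printf 'X' >> test.tampered.bin
    tamper=tamper-accepted
    openssl smime -verify -binary -inform DER -in test.bin.p7 -content test.tampered.bin \
        -CAfile TestRoot.crt -out /dev/null 2>/dev/null || tamper=tamper-rejected
    # Failure mode 2: a CSR that reuses the intermediate's CN is refused by `openssl ca`
    # ("ERROR:There is already a certificate for /CN=Test Intermediate CA").
    openssl req -new -config openssl.cnf -subj "/CN=Test Intermediate CA" -key TestCert.key -out Dup.csr
    dup=dup-cn-issued
    if ! openssl ca -batch -config openssl.cnf -extensions usr_cert -days 3650 -notext \
            -in Dup.csr -out Dup.crt -cert TestSub.crt -keyfile TestSub.key 2>/dev/null \
            || ! [ -s Dup.crt ]; then
        dup=dup-cn-rejected
    fi
    printf '%s %s %s %s\n' "$chain" "$sig" "$tamper" "$dup"
    cd / && rm -rf "$work"
)

demo_pkcs7_chain
```

Run it with `sh demo.sh`; on a working OpenSSL install the function prints `chain-ok verify-ok tamper-rejected dup-cn-rejected`. Everything is created under a fresh `mktemp -d` directory and deleted afterwards, so it never touches the demoCA directory of a real configuration.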