Wednesday November 12, 2008
Public/Private keys and X.509 certificate
Browsing here and there I gathered the following steps to create a set of public/private keys to digitally sign messages (or assertions) along with the corresponding X.509 certificate (for the public key). The following steps assume OS X but most of it, being based on openssl, is pretty UNIX generic. Hopefully it can save someone else from searching for such info...
- Creating the key pair
keytool -genkey -alias SL -keyalg RSA -validity 365 -keystore keys/my.keystore
- Displaying the result
(cd keys)
keytool -list -keystore my.keystore
keytool -list -v -keystore my.keystore
- Creating a CSR (certificate signing request)
(cd ..)
keytool -certreq -keystore keys/my.keystore -alias sl -file SL_certification_signing_Request.pem
openssl req -noout -text -in SL_certification_signing_Request.pem
- Resetting the CA's serial number counter to 0
(mkdir demoCA)
echo 00 > demoCA/serial
- Creating a CA
/System/Library/OpenSSL/misc/CA.pl -newca
[You'll need to remember that PEM pass phrase]
- Signing the certificate request
openssl ca -in SL_certification_signing_Request.pem -out signed_cert_request.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
- Verifying that the client cert was indeed signed by the CA
openssl verify -CAfile demoCA/cacert.pem signed_cert_request.pem
Additionally, you may have to convert the certificate to something that's easier to deal with programmatically.
I have successfully used the following commands to do so:
- Converting the signed certificate into a file containing only the data between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers (dropping the text that openssl ca prepends)
openssl x509 -in signed_cert_request.pem -out signed2_cert_request.pem
- Converting the certificate into a PKCS#7 file (client cert plus CA cert, DER encoded)
openssl crl2pkcs7 -nocrl -certfile signed2_cert_request.pem -certfile demoCA/cacert.pem -outform DER -out certificate.p7c
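As an added example (not the post's own commands), here is the same flow as a non-interactive script that uses only openssl: `openssl x509 -req -CA ...` stands in for CA.pl and `openssl ca`, and a negative check confirms that a certificate issued by one CA is rejected when verified against an unrelated one. Assumed: openssl on PATH, a scratch directory passed as the first argument, and the constructed subject names.

```shell
#!/bin/sh
# Added example, not from the post: the post's flow using only openssl, with
# 'openssl x509 -req -CA ...' replacing CA.pl -newca and 'openssl ca'.
# Assumptions: openssl on PATH; every file is written under the directory in $1.
set -eu

# Build a throwaway CA, a leaf key pair and CSR, sign the CSR with the CA,
# and bundle leaf + CA certificates into a DER PKCS#7 file. Returns 0 on success.
make_and_sign() {
    d=$1
    mkdir -p "$d"
    # 1. CA: self-signed certificate over a fresh RSA key (replaces CA.pl -newca).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Root CA" -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    # 2. Leaf key pair and CSR (replaces keytool -genkey and keytool -certreq).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=SL" -keyout "$d/leafkey.pem" -out "$d/leaf.csr" 2>/dev/null
    # 3. Sign the CSR; -CAcreateserial stands in for 'echo 00 > demoCA/serial'.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -sha256 -days 365 -out "$d/leafcert.pem" 2>/dev/null
    # 4. Same crl2pkcs7 command as the post: leaf + CA in one DER PKCS#7 file.
    openssl crl2pkcs7 -nocrl -certfile "$d/leafcert.pem" -certfile "$d/cacert.pem" \
        -outform DER -out "$d/certificate.p7c"
}

# Chain check (the post's 'openssl verify' step): 0 if the certificate in $2
# chains to the CA certificate in $1, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Negative control: the leaf must NOT verify against an unrelated CA.
# Returns 0 when openssl correctly rejects it.
rejects_wrong_ca() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Unrelated CA" -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    ! openssl verify -CAfile "$d/other.pem" "$d/leafcert.pem" >/dev/null 2>&1
}

# Number of certificates inside the DER PKCS#7 bundle (2 expected: leaf and CA).
bundle_cert_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE' || true
}
```

Run it as `. ./script.sh; make_and_sign /tmp/demo && verify_chain /tmp/demo/cacert.pem /tmp/demo/leafcert.pem`; the `.srl` file that `-CAcreateserial` writes next to `cacert.pem` plays the role of `demoCA/serial`.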
Posted at 07:02AM Nov 12, 2008 by Hubert Le Van Gong in General