Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Appendix B. OpenSSL Certificate Reference
B.1. Reference of Certificates
링크 복사링크가 클립보드에 복사되었습니다!
This reference for creating and managing certificates with the
openssl command assumes familiarity with SSL. For more background information on SSL refer to the OpenSSL documentation at www.openssl.org.
Important
It is recommended that only certificates signed by an authentic Certificate Authority (CA) are used for secure systems. Instructions in this section for generating self-signed certificates are meant to facilitate test and development activities or evaluation of software while waiting for a certificate from an authentic CA.
Generating Certificates
Procedure B.1. Create a Private Key
- Use this command to generate a 1024-bit RSA private key with file encryption. If the key file is encrypted, the password will be needed every time an application accesses the private key.
openssl genrsa -des3 -out mykey.pem 1024
# openssl genrsa -des3 -out mykey.pem 1024Copy to Clipboard Copied! Toggle word wrap Toggle overflow Use this command to generate a key without file encryption:openssl genrsa -out mykey.pem 1024
# openssl genrsa -out mykey.pem 1024Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure B.2. Create a Self-Signed Certificate
Each of the following commands generates a new private key and a self-signed certificate, which acts as its own CA and does not need additional signatures. This certificate expires one week from the time it is generated.
- The
nodesoption causes the key to be stored without encryption. OpenSSL will prompt for values needed to create the certificate.openssl req -x509 -nodes -days 7 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
# openssl req -x509 -nodes -days 7 -newkey rsa:1024 -keyout mykey.pem -out mycert.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The
subjoption can be used to specify values and avoid interactive prompts, for example:openssl req -x509 -nodes -days 7 -subj '/C=US/ST=NC/L=Raleigh/CN=www.redhat.com' -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
# openssl req -x509 -nodes -days 7 -subj '/C=US/ST=NC/L=Raleigh/CN=www.redhat.com' -newkey rsa:1024 -keyout mykey.pem -out mycert.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The
newandkeyoptions generate a certificate using an existing key instead of generating a new one.openssl req -x509 -nodes -days 7 -new -key mykey.pem -out mycert.pem
# openssl req -x509 -nodes -days 7 -new -key mykey.pem -out mycert.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Create a Certificate Signing Request
To generate a certificate and have it signed by a Certificate Authority (CA), you need to generate a certificate signing request (CSR):
openssl req -new -key mykey.pem -out myreq.pem
# openssl req -new -key mykey.pem -out myreq.pem
The certificate signing request can now be sent to an authentic Certificate Authority for signing and a valid signed certificate will be returned. The exact procedure to send the CSR and receive the signed certificate depend on the particular Certificate Authority you use.
Create Your Own Certificate Authority
You can create your own Certificate Authority and use it to sign certificate requests. If the Certificate Authority is added as a trusted authority on a system, any certificates signed by the Certificate Authority will be valid on that system. This option is useful if a large number of certificates are needed temporarily.
- Create a self-signed certificate for the CA, as described in Procedure B.2, “Create a Self-Signed Certificate”.
- OpenSSL needs the following files set up for the CA to sign certificates. On a Red Hat Enterprise Linux system with a fresh OpenSSL installation using a default configuration, set up the following files:
- Set the path for the CA certificate file as
/etc/pki/CA/cacert.pem. - Set the path for the CA private key file as
/etc/pki/CA/private/cakey.pem. - Create a zero-length index file at
/etc/pki/CA/index.txt. - Create a file containing an initial serial number (for example, 01) at
/etc/pki/CA/serial. - The following steps must be performed on RHEL 5:
- Create the directory where new certificates will be stored:
/etc/pki/CA/newcerts. - Change to the certificate directory:
cd /etc/pki/tls/certs.
- The following command signs a CSR using the CA:
openssl ca -notext -out mynewcert.pem -infiles myreq.pem
# openssl ca -notext -out mynewcert.pem -infiles myreq.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Install a Certificate
- For OpenSSL to recognize a certificate, a hash-based symbolic link must be generated in the
certsdirectory./etc/pki/tlsis the parent of thecertsdirectory in Red Hat Enterprise Linux's version of OpenSSL. Use theversioncommand to check the parent directory:openssl version -d
# openssl version -d OPENSSLDIR: "/etc/pki/tls"Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Create the required symbolic link for a certificate using the following command:
ln -s certfile `openssl x509 -noout -hash -in certfile`.0
# ln -s certfile `openssl x509 -noout -hash -in certfile`.0Copy to Clipboard Copied! Toggle word wrap Toggle overflow It is possible for more than one certificate to have the same hash value. If this is the case, change the suffix on the link name to a higher number. For example:ln -s certfile `openssl x509 -noout -hash -in certfile`.4
# ln -s certfile `openssl x509 -noout -hash -in certfile`.4Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Examine Values in a Certificate
The content of a certificate can be seen in plain text with this command:
openssl x509 -text -in mycert.pem
# openssl x509 -text -in mycert.pem
Exporting a Certificate from NSS into PEM Format
Certificates stored in an NSS certificate database can be exported and converted to PEM format in several ways:
- This command exports a certificate with a specified nickname from an NSS database:
certutil -d . -L -n "Some Cert" -a > somecert.pem
# certutil -d . -L -n "Some Cert" -a > somecert.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow - These commands can be used together to export certificates and private keys from an NSS database and convert them to PEM format. They produce a file containing the client certificate, the certificate of its CA, and the private key.
pk12util -d . -n "Some Cert" -o somecert.pk12 openssl pkcs12 -in somecert.pk12 -out tmckay.pem
# pk12util -d . -n "Some Cert" -o somecert.pk12 # openssl pkcs12 -in somecert.pk12 -out tmckay.pemCopy to Clipboard Copied! Toggle word wrap Toggle overflow See documentation for theopenssl pkcs12command for options that limit the content of the PEM output file.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}