Squoggle
Mac's tech blog
Verifying Certs, Keys & CSRs – MD5 Sum
Posted by on September 14, 2019
Sometimes you will need to verify that a Cert or a CSR belongs to a Key. You can do that by extracting the RSA modulus from each file (the key, the CSR and the certificate all carry the same modulus) and comparing the MD5 sum of that modulus. Note that the -modulus option only works for RSA keys.
Get the MD5 sum from the Key:
$ openssl rsa -noout -modulus -in [key-file.key] | openssl md5
Get the MD5 sum from a CSR:
$ openssl req -noout -modulus -in [CSR-file.csr] | openssl md5
Get the MD5 sum from a Cert:
$ openssl x509 -noout -modulus -in [certificate-file.crt] | openssl md5
Compare the resulting hashes. If they match, the files belong to each other. If they don’t match, the files have been mixed up somehow.
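Below is an added shell script (not from the original post) that automates the comparison. Instead of hashing the RSA modulus it hashes the public key that openssl can print from each file, which the key, the CSR and the certificate all contain, so the same check also works for EC keys, where -modulus is not available. The function names are my own helpers, not OpenSSL commands.

```shell
#!/bin/sh
# Added example: check that a private key, a CSR and a certificate all carry
# the same public key. It compares the SHA-256 of the PEM public key rather
# than the RSA modulus, so it also works for EC keys.
# Function names are hypothetical helpers, not OpenSSL commands.

# Print the PEM public key contained in $1, whose kind is given by $2.
extract_pubkey() {
  case "$2" in
    key) openssl pkey -in "$1" -pubout ;;
    csr) openssl req -in "$1" -noout -pubkey ;;
    crt) openssl x509 -in "$1" -noout -pubkey ;;
    *)   echo "unknown file type: $2 (use key, csr or crt)" >&2; return 2 ;;
  esac
}

# Print the SHA-256 hex fingerprint of the public key in $1 ($2 = kind).
# Fails instead of hashing empty input when the file cannot be read.
pubkey_fingerprint() {
  pem=$(extract_pubkey "$1" "$2" 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Usage: files_match file:kind [file:kind ...]
# Prints one fingerprint per file; exits 0 if all match, 1 if any differs,
# 2 if a file could not be read.
files_match() {
  first=""
  status=0
  for spec in "$@"; do
    file=${spec%:*}
    kind=${spec##*:}
    fp=$(pubkey_fingerprint "$file" "$kind") || {
      echo "could not read a public key from $file" >&2
      return 2
    }
    echo "$fp  $file"
    if [ -z "$first" ]; then
      first=$fp
    elif [ "$fp" != "$first" ]; then
      status=1
    fi
  done
  return $status
}

# Run directly as: ./check.sh server.key:key server.csr:csr server.crt:crt
if [ "$#" -gt 0 ]; then
  files_match "$@"
fi
```

A non-zero exit code makes the check usable in a deployment script before a key and certificate are copied into place, and the per-file fingerprints in the output show which file is the odd one out when the check fails.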
OpenSSL Keys & CSRs
Posted by on September 14, 2019
An in-depth read on OpenSSL, for reference:
https://wiki.nikhef.nl/grid/How_to_handle_OpenSSL_and_not_get_hurt_using_the_CLI
Create an Encrypted Key:
For Linux:
$ openssl genrsa -aes256 -out [encrypted.key] 2048
Generating RSA private key, 2048 bit long modulus
......+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for [encrypted.key]:
Verifying - Enter pass phrase for [encrypted.key]:
Enter the passphrase and verify.
You should end up with a key file named [encrypted.key].
The above encrypts the key with the AES-256 cipher.
Create an un-encrypted key:
Optionally you can create an un-encrypted or insecure key:
$ openssl genrsa -out [un-encrypted.key] 2048
You should end up with a key file named [un-encrypted.key], but the key is not encrypted.
Decrypt an encrypted key:
If you have an encrypted key and need to decrypt it:
$ openssl rsa -in [encrypted.key] -out [un-encrypted.key]
Enter pass phrase for [encrypted.key]:
writing RSA key
Enter the passphrase.
You should end up with a new file named [un-encrypted.key]. This new file will contain the un-encrypted key.
Encrypt an un-encrypted key:
If you have an un-encrypted key and you want to encrypt it:
$ openssl rsa -aes256 -in [un-encrypted.key] -out [encrypted.key]
Enter the passphrase and verify.
You should end up with a key file named [encrypted.key].
The above encrypts the key with the AES-256 cipher.
Check a key to see if it is encrypted:
If you’re not sure whether the key is encrypted, you can simply assume it is and attempt to read it with no output file:
$ openssl rsa -text -noout -in [encrypted.key]
If it is encrypted, OpenSSL will prompt for the pass phrase.
Or simply look at the first few lines of the key file to see if it is encrypted:
$ head www.jimmysbarandgrill.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,08C9A49D5267E47563D31DCE27429389

yJj1gFqTrRuc8VBX9Rx7LZYlmLV0+WutvYhrMBjTU+8ZDBIsmeEDxW44durw/BjS
i07biVOwAIMwW7hE9oAYOiJy5JqgYuMtVT/hMwEvP9t/8ME4FUCZ1MUxGR25hg5H
Create a CSR (Certificate Signing Request) from a Key:
The key can be an encrypted key or an un-encrypted key. If it is encrypted, you will be asked for the key pass phrase.
Example:
$ openssl req -new -key www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.csr
Enter pass phrase for www.jimmysbarandgrill.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Idaho
Locality Name (eg, city) []:Pocatello
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Jimmy's Bar and Grill
Organizational Unit Name (eg, section) []:Dishwashing
Common Name (e.g. server FQDN or YOUR name) []:www.jimmysbarandgrill.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Keep in mind that the State must be spelled out in full, not abbreviated. Leave the challenge password blank. Leave the optional company name blank.
Create a CSR from a Key with a one-liner command:
You can create the CSR from an existing Key non-interactively, with a one-liner command like this:
$ openssl req -new -key www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.csr -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar and Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"
The above command assumes you already have a key created with the file name listed in the command.
Create an Un-encrypted Key & CSR with a one-liner command:
You can create the Un-encrypted Key and CSR with one command like this:
Example:
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"
The above command uses the -nodes flag ("no DES") to turn off encryption of the key.
Create an Encrypted Key & CSR with a one-liner command:
You can create an Encrypted Key with an accompanying CSR with one command like this:
Example:
$ openssl req -new -newkey rsa:2048 -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com"
Essentially you just remove the -nodes flag. This does not seem to give the opportunity of specifying the cipher to use when encrypting the key. This may or may not matter depending on the security posture. If it is important, I’ve come up with a workaround hack one-liner that seems to work:
$ openssl req -new -newkey rsa:2048 -nodes -sha256 -out www.jimmysbarandgrill.com.csr -keyout www.jimmysbarandgrill.com.key -subj "/C=US/ST=Idaho/L=Pocatello/O=Jimmy's Bar & Grill/OU=Dishwashing/CN=www.jimmysbarandgrill.com" && openssl rsa -aes256 -in www.jimmysbarandgrill.com.key -out www.jimmysbarandgrill.com.key
The above example creates an un-encrypted key, creates the CSR from it, then encrypts the key in place with AES-256. This command will result in an encrypted key file named www.jimmysbarandgrill.com.key and a CSR file named www.jimmysbarandgrill.com.csr.
Now all I need to do is figure out how to remove the automatic hyperlinks on these file names above.
Check a CSR:
Now that you have the CSR, you should check it to ensure it is valid. Here’s a command to display the contents of the CSR:
$ openssl req -noout -text -in [CSR-File.csr]
Using the CSR that was just created as an example, the output looks something like this:
$ openssl req -noout -text -in www.jimyysbarandgrill.com.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Idaho, L=Pocatello, O=Jimmy's Bar & Grill, OU=Dishwashing, CN=www.jimyysbarandgrill.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:f0:e5:f5:c6:97:01:0b:ba:59:fd:2a:97:09:
                    4f:42:05:4c:53:bc:c3:8b:75:e6:e3:2b:e2:f7:1f:
                    8b:90:38:16:73:40:5e:f3:2a:ad:04:73:06:12:6e:
                    40:ff:4d:1a:b9:e4:41:07:d6:db:96:d4:fa:61:9a:
                    5f:03:fa:f9:92:d7:a0:19:56:1c:64:e7:4d:d6:cf:
                    ea:27:0e:b6:09:cd:22:e2:99:c3:66:8f:f2:ef:96:
                    aa:cc:6f:c7:a9:2c:79:28:20:91:6d:b8:2a:96:40:
                    bd:b2:60:b7:2f:59:1b:04:30:5d:1f:85:26:81:6b:
                    61:9e:8c:be:a5:bd:d3:3d:39:b7:86:d6:9a:30:74:
                    fe:59:a1:d6:39:7a:8b:f2:26:62:e2:3d:c6:a9:fe:
                    66:dd:9d:21:07:c4:c9:5b:12:93:21:22:7c:f2:d5:
                    21:0b:a8:89:bc:b3:b0:99:6d:d9:3c:d0:1d:6a:a7:
                    8c:90:64:e2:12:2a:ea:a7:49:e2:80:01:91:c9:da:
                    32:b5:41:6d:ae:ad:f2:77:a2:48:f4:66:6e:f1:35:
                    5f:47:f2:c9:4e:99:0b:9c:77:ff:71:19:43:b8:0b:
                    fe:74:0d:a4:bd:9c:e0:b0:ae:71:0b:4f:db:09:0d:
                    9b:91:46:e8:dc:db:ea:42:27:b8:ba:10:56:d0:6b:
                    0a:17
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         5b:38:5f:10:f4:0a:73:05:b7:e3:21:f8:d2:3b:ee:e7:dd:4b:
         65:d0:f8:bc:47:7d:0d:d4:fa:9b:28:6d:6c:52:be:74:de:62:
         e1:ae:99:fc:85:e6:99:65:a2:c8:b7:56:5a:0f:aa:49:ff:f8:
         68:ed:9d:6f:48:75:49:78:8e:67:95:39:ee:96:bc:f3:20:8f:
         a3:31:7a:a8:49:30:80:7a:f4:27:41:ba:91:ba:ad:63:84:06:
         95:70:86:2b:be:e2:0f:9a:26:d4:21:34:61:c2:21:d2:75:51:
         3f:39:fa:ed:f1:92:d5:ff:12:03:cb:1a:56:f8:c9:e5:6d:00:
         78:61:c3:12:90:69:80:a0:c9:71:7e:42:ff:ce:f1:35:a1:08:
         9e:fd:62:d8:77:8d:5d:74:4b:6d:41:1f:a4:f8:d6:14:c6:ca:
         1f:bd:9a:8a:43:ac:da:bb:d6:4d:f9:d2:15:a1:5f:59:b0:da:
         82:78:64:67:39:d9:49:49:1a:e6:7d:9e:bf:5d:11:0b:fb:57:
         3d:f0:c5:64:da:15:a7:d7:28:63:4e:5d:7f:0c:2e:e6:7d:2e:
         f5:8c:43:36:1e:3b:15:52:cc:5a:cc:82:50:23:09:c8:fa:63:
         ff:19:30:6a:1a:ed:63:b5:5d:c0:be:20:67:3d:01:8b:b0:4d:
         0d:01:8e:af
Get the Public Key from a Private Key:
You can get the Public Key from a Private Key with something like this:
$ openssl pkey -in [private.key] -pubout -out [public.key]
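The whole workflow from this post (create an encrypted or un-encrypted key, tell the two apart, decrypt, create the CSR, check the CSR, extract the public key) can be driven from a script once the interactive pass phrase prompts are replaced by -passout and -passin. The following is an added example of my own, not the post's commands; the function names are hypothetical helpers, and every openssl option used is one from the post plus -passout, -passin and -nameopt.

```shell
#!/bin/sh
# Added example: the key -> CSR -> check -> public key steps described above,
# run non-interactively. Helper names are hypothetical; the openssl options
# are real ones (-passout/-passin replace the interactive pass phrase prompt).

# Create a 2048-bit RSA key encrypted with AES-256 ($1 = file, $2 = pass phrase).
# "pass:" puts the secret on the command line, where `ps` can see it; for
# real use prefer -passout file:/path or env:VAR, which openssl also accepts.
gen_encrypted_key() {
  openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Create an un-encrypted key ($1 = file).
gen_plain_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# Decrypt a key ($1 = in, $2 = out, $3 = pass phrase): the post's
# "openssl rsa -in ... -out ..." step with the prompt replaced by -passin.
# Fails (non-zero exit) when the pass phrase is wrong.
decrypt_key() {
  openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# Return 0 if the PEM header marks the key as encrypted. Covers both the
# traditional "Proc-Type: 4,ENCRYPTED" header shown in the post and the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" form that newer OpenSSL writes.
key_is_encrypted() {
  head -n 3 "$1" | grep -q 'ENCRYPTED'
}

# Create a CSR ($1 = key, $2 = subject, $3 = out, $4 = pass phrase or empty).
make_csr() {
  if [ -n "$4" ]; then
    openssl req -new -sha256 -key "$1" -passin "pass:$4" -subj "$2" -out "$3" 2>/dev/null
  else
    openssl req -new -sha256 -key "$1" -subj "$2" -out "$3" 2>/dev/null
  fi
}

# Check a CSR: its self-signature must verify. The exact wording differs
# between OpenSSL versions but always contains "verify OK", and older
# versions do not reliably report a failed verify through the exit status,
# so grep for the message instead.
csr_is_valid() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the CSR subject in RFC 2253 form, e.g. "CN=www.example.test,O=Example".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Extract the public key ($1 = private key, $2 = out, $3 = pass phrase or empty).
pubkey_from_key() {
  if [ -n "$3" ]; then
    openssl pkey -in "$1" -passin "pass:$3" -pubout -out "$2" 2>/dev/null
  else
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
  fi
}

# Example run (placeholder names, constructed pass phrase):
#   gen_encrypted_key server.key 'example pass phrase'
#   make_csr server.key "/C=US/ST=Idaho/O=Example/CN=www.example.test" server.csr 'example pass phrase'
#   csr_is_valid server.csr && csr_subject server.csr
```

Because make_csr signs with whichever key it is given, csr_is_valid only proves that the CSR was not altered after signing; whether it was signed by the key you intended is the separate modulus or public key comparison covered in the first post above.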