Openssl and certificates


This article explains how to use openssl to create, convert and manage all the common types of SSL certificates, looking inside the CA and the certificates themselves.

The discussion is divided into three sections: understanding certificates, creating and managing SSL certificates, and converting SSL certificates.

Let’s start with the first section.

SSL Certificate understanding

An SSL certificate lets the client authenticate the server, ensuring that it is talking to the legitimate site that owns the contacted domain name: no malicious user can steal sensitive information with a man-in-the-middle attack. It ensures a secure, authenticated communication.

A certificate is composed of:

  1. Public-key algorithm. Generally RSA.
  2. Public key. A modulus of 2048 bits (generally) and a public exponent.
  3. A hash of the certificate, generally SHA-256, signed with the certification authority's private key. Every browser has a built-in list of valid certification authorities.

To authenticate the server, the client must:

  1. Decrypt the signature with the certification authority's public key.
  2. Compute the certificate hash and verify that it is equal to the value obtained in the previous step.

This approach assures the client that it is talking to the server it intended to reach.

Every certification authority has its own certificate signed by an upper CA, and so on up to the root authority. This forms a certificate chain. Server authentication is not guaranteed, and an error is shown, if the browser doesn't have the root certificate or one of the certificates in the chain.

openssl is a very useful command for managing and investigating SSL certificates. Following is a first example that shows all the information about www.ssllabs.com's certificate:

root@kali:/tmp# echo |openssl s_client -showcerts -connect www.ssllabs.com:443 -servername www.ssllabs.com

This command shows three certificates, that is the whole certificate chain (thanks to the -showcerts option), described below:

Certificate chain

The three certificates have these common names: CN=ssllabs.com, CN=Entrust Root Certification Authority - G2 and CN=Entrust Certification Authority - L1K. The only certificate the client must already have in order to validate the whole chain is the root CA.

To show only the server's certificate:

root@kali:~# echo |openssl s_client -showcerts -connect www.ssllabs.com:443 -servername www.ssllabs.com |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'|openssl x509 -noout -text

The command above establishes an SSL connection to the server, filters all the data between the first BEGIN CERTIFICATE and END CERTIFICATE lines and runs openssl on the filtered input. The effect is to show the server's certificate. The important subcommand is x509, the format and syntax used for describing a certificate: it decodes an X.509 certificate from PEM (Base64 decoding) and prints it.

Following is an example (I cut several unhelpful lines to shorten the output):

root@kali:~# more www.ssllabs.com.cer
-----BEGIN CERTIFICATE-----
MIIFLzCCBBegAwIBAgIEUNNZ8DANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMC
OTHER-LINES-LIKE-THAT-CUT-zhFqtJc5U1Va7L1iotMeMDL60o13BBnKZlsPQJeECjl9ZGQ=
-----END CERTIFICATE-----
root@kali:~# openssl x509 -in www.ssllabs.com.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1356028400 (0x50d359f0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
Validity
Not Before: Feb 22 12:16:41 2015 GMT
Not After : May 22 23:00:02 2018 GMT
Subject: C=US, ST=California, L=Redwood City, O=Qualys, Inc., CN=ssllabs.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:a8:4d:a2:19:c9:2c:50:44:68:82:8a:5a:99:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.entrust.net/level1k.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114028.10.1.5
CPS: http://www.entrust.net/rpa
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://ocsp.entrust.net
CA Issuers - URI:http://aia.entrust.net/l1k-chain256.cer
X509v3 Subject Alternative Name:
DNS:ssllabs.com, DNS:*.ssllabs.com
X509v3 Authority Key Identifier:
keyid:82:A2:70:74:DD:BC:53:3F:CF:7B:D4:F7:CD:7F:A7:60:C6:0A:4C:BF-OTHER-LINES-CUT
X509v3 Subject Key Identifier:
B8:FC:F8:B6:E2:DE:3A:4E:6A:EF:F3:9A:79:B7:4D:24:21:6E:12:62-OTHER-LINES-CUT
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
aa:a4:30:43:0b:5c:3d:4a:64:ae:5b:ea:be:ec:ce:af:d8:ec:

This is the way to show an X.509 certificate decoded from PEM format. The default certificate format exchanged during the SSL handshake is PEM.

Meaning of the most important fields:

  1. Issuer: the Certification Authority that signed the certificate.
  2. Subject: the certificate's Common Name.
  3. Signature Algorithm: the algorithm used to sign the certificate.
  4. Modulus: the public key. Generally 2048 bits.
  5. X509v3 CRL Distribution Points: the Certificate Revocation List (CRL), the list of every Entrust SSL certificate that has been revoked.
  6. OCSP: the URL for checking the SSL certificate's validity. This is an alternative to the Revocation List.
  7. Signature: the Certification Authority's signature.

The example below shows how to check the validity of a certificate with the OCSP protocol:

[root@nikto ~]# openssl ocsp -issuer chain.pem -cert sslabs.cert -text -url http://ocsp.entrust.net 2>&1| grep "good"
Cert Status: good
sslabs.cert: good

sslabs.cert is the www.ssllabs.com certificate; chain.pem contains the other two certificates of the chain. If for some reason the certificate has been revoked, the answer is sslabs.cert: revoked.

After this introduction to the meaning of a certificate, let's focus on creating and managing SSL certificates.

Creating and managing ssl certificate

The first step in creating a certificate is to make a CSR (Certificate Signing Request) and send it to a certification authority to be signed. After signing the CSR, the CA issues the certificate. The certificate's private key must not be sent to the CA: it must be kept safe by the certificate owner.

To show how to proceed, we will create a new CA for signing the CSR with the openssl command:

[root@nikto CA]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca_private.key -out ca.cer
Generating a 2048 bit RSA private key
…………………………………+++
..+++
writing new private key to 'ca_private.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IT
State or Province Name (full name) []:Milan
Locality Name (eg, city) [Default City]:Milan
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server’s hostname) []:ca.com
Email Address []:st@ca.com

The req subcommand requests a certificate; the key algorithm chosen is RSA with a length of 2048 bits; the -nodes option leaves the private key unencrypted.

The certificate and the key produced are in PEM format. The rsa subcommand is needed to inspect the private key (for simplicity I cut several hexadecimal lines):

[root@nikto CA]# openssl rsa -in ca_private.key -noout -text
Private-Key: (2048 bit)
modulus:
00:d6:b0:36:c6:51:d4:84:fa:15:e5:3f:3d:6d:30:
7e:63
publicExponent: 65537 (0x10001)
privateExponent:
00:93:0f:e0:65:97:96:69:84:da:4c:d0:36:26:be:
58:f9
prime1:
00:f2:ee:22:39:70:7d:5b:e7:0b:e9:9b:60:ff:b1:
21:a8:e6:bf:0f:1f:fd:e6:67
prime2:
00:e2:3d:1b:35:0c:91:26:b5:8c:9a:1b:1b:f3:89:
84:66:84:76:6d:a1:eb:52:a5
exponent1:
00:a1:40:6c:bb:4f:ee:06:48:f1:61:59:60:23:99:
02:90:c8:c9:dd:d2:50:88:d5
exponent2:
1d:e5:1d:37:41:55:dc:db:98:9c:b4:80:59:0a:07:
9d:03:5b:f2:d8:b6:93:d1
coefficient:
00:eb:e7:d8:84:a1:cc:9e:94:fc:03:e5:07:f4:65:
6f:ed:c6:80:95:66:00:19:1c

Important information present in the RSA private key:

  1. modulus and publicExponent: the public RSA key, the same one present in the SSL certificate.
  2. prime1 and prime2: the secret prime numbers. The modulus is equal to prime1*prime2.
  3. privateExponent: the private RSA key.

The following relation holds:

publicExponent * privateExponent = 1 (mod (prime1-1)*(prime2-1))

To recover the private key from the public one, an attacker would have to factor the modulus into its two primes, which fortunately is infeasible in any reasonable time. This is the strength of RSA.
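The following is an added example, not code from the article and not OpenSSL's implementation: a pure-Python toy that models the relation above and the verification steps from the first section (apply the issuer's public key to the signature, compare with a fresh SHA-256 hash, and walk the chain up to a root the client already trusts). Everything in it is constructed for the demonstration: textbook RSA without padding, 1024-bit keys, a fixed seed, and the placeholder names 'Root CA', 'Intermediate CA' and 'ssllabs.com'.

```python
import hashlib
import random
from math import gcd

# Toy RSA "PKI" constructed for this example (not OpenSSL code). Textbook RSA
# without padding: for illustration only, never for real signatures.

E = 65537  # the publicExponent openssl prints as 65537 (0x10001)
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit size, odd
        if is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits, rng):
    """Same fields 'openssl rsa -text' prints: n, e, d and the two secret primes."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(E, phi) == 1:
            return {"n": p * q, "e": E, "d": pow(E, -1, phi), "p": p, "q": q}

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, key):
    return pow(digest_int(data), key["d"], key["n"])

def verify(data, sig, pub):
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    return pow(sig, pub["e"], pub["n"]) == digest_int(data)

def tbs_bytes(subject, issuer, pub):
    # toy stand-in for tbsCertificate: the bytes the issuer actually signs
    return f"{subject}|{issuer}|{pub['n']}|{pub['e']}".encode()

def issue(subject, subject_key, issuer, issuer_key):
    pub = {"n": subject_key["n"], "e": subject_key["e"]}
    sig = sign(tbs_bytes(subject, issuer, pub), issuer_key)
    return {"subject": subject, "issuer": issuer, "pub": pub, "sig": sig}

def verify_chain(chain, trusted_roots):
    """chain[0] is the leaf; each cert must be signed by the next one and the last
    by a root in trusted_roots (issuer name -> public key). Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            signer = chain[i + 1]["pub"]
        else:
            signer = trusted_roots.get(cert["issuer"])
        if signer is None:
            return False, f"issuer '{cert['issuer']}' not in trust store"
        tbs = tbs_bytes(cert["subject"], cert["issuer"], cert["pub"])
        if not verify(tbs, cert["sig"], signer):
            return False, f"bad signature on '{cert['subject']}'"
    return True, "ok"

def build_demo_pki(seed=2016):
    """Root -> intermediate -> leaf; fixed seed so every run is reproducible."""
    rng = random.Random(seed)
    root_key, inter_key, leaf_key = (generate_keypair(1024, rng) for _ in range(3))
    roots = {"Root CA": {"n": root_key["n"], "e": root_key["e"]}}
    inter = issue("Intermediate CA", inter_key, "Root CA", root_key)
    leaf = issue("ssllabs.com", leaf_key, "Intermediate CA", inter_key)
    return {"keys": (root_key, inter_key, leaf_key), "roots": roots, "chain": [leaf, inter]}

if __name__ == "__main__":
    pki = build_demo_pki()
    k = pki["keys"][2]
    print("e*d mod (p-1)(q-1) =", (k["e"] * k["d"]) % ((k["p"] - 1) * (k["q"] - 1)))
    print("with root CA   :", verify_chain(pki["chain"], pki["roots"]))
    print("without root CA:", verify_chain(pki["chain"], {}))
    print("leaf only      :", verify_chain(pki["chain"][:1], pki["roots"]))
```

The residue of e*d modulo (p-1)(q-1) comes out as 1, the chain verifies with the root in the trust store, and it fails with "not in trust store" when the root (or the intermediate) is missing, which is exactly the browser error described in the first section. Real implementations sign a padded hash (PKCS#1 v1.5 or PSS) and also check names, validity dates and revocation; this toy deliberately does none of that.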

Let's now create a new private key and a CSR for test1.sysandnetsecurity.com:

[root@nikto CA]# openssl req -out test1.sysandnetsecurity.com.csr -new -newkey rsa:2048 -nodes -keyout test1.sysandnetsecurity.com.key
Generating a 2048 bit RSA private key
………………………………………………….+++
……………………………………………..+++
writing new private key to 'test1.sysandnetsecurity.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IT
State or Province Name (full name) []:Italy
Locality Name (eg, city) [Default City]:Milan
Organization Name (eg, company) [Default Company Ltd]:sysandnetsecurity.com
Organizational Unit Name (eg, section) []:sysandnetsecurity.com
Common Name (eg, your name or your server’s hostname) []:test1.sysandnetsecurity.com
Email Address []:sys@sysandnetsecurity.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Finally, let's sign the CSR with the CA's private key. After this step we have the certificate in PEM format.

[root@nikto CA]# openssl x509 -req -in test1.sysandnetsecurity.com.csr -extensions v3_usr -CA ca.cer -CAkey ca_private.key -CAcreateserial -out test1.sysandnetsecurity.com.cer
Signature ok
subject=/C=IT/ST=Italy/L=Milan/O=sysandnetsecurity.com/OU=sysandnetsecurity.com/
CN=test1.sysandnetsecurity.com/emailAddress=sys@sysandnetsecurity.com
Getting CA Private Key

The certificate and the key are ready to be used. To check that the private key corresponds to the public key in the certificate, the two moduli must match:

[root@nikto CA]# openssl x509 -noout -modulus -in test1.sysandnetsecurity.com.cer| openssl md5
(stdin)= e80173a2b0542d24a7af657db93846cc
[root@nikto CA]# openssl rsa -noout -modulus -in test1.sysandnetsecurity.com.key| openssl md5
(stdin)= e80173a2b0542d24a7af657db93846cc
[root@nikto CA]#

If the private key was created with a password, we can remove the passphrase this way:

openssl rsa -in test1.sysandnetsecurity.com.key -out test1.sysandnetsecurity.com.key.nopas

If we want to bundle several chain certificates into a single file, it's sufficient to concatenate them with cat:

cat ca1.cer >> test1.sysandnetsecurity.com.cer

The new SSL certificate can be tested after configuring it in the Apache server:

[root@nikto html]# curl -v --insecure https://test1.sysandnetsecurity.com/index.html
* About to connect() to test1.sysandnetsecurity.com port 443 (#0)
* Trying 127.0.0.1…
* Connected to test1.sysandnetsecurity.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: E=sys@sysandnetsecurity.com,CN=test1.sysandnetsecurity.com,OU=sysandnetsecurity.com, O=sysandnetsecurity.com,L=Milan,ST=Italy,C=IT
* start date: Mar 13 19:42:13 2016 GMT
* expire date: Apr 12 19:42:13 2016 GMT
* common name: test1.sysandnetsecurity.com
* issuer: E=st@ca.com,CN=ca.com,OU=CA,O=CA,L=Milan,ST=Milan,C=IT
> GET /index.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: test1.sysandnetsecurity.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 13 Mar 2016 21:15:38 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
< Last-Modified: Sun, 13 Mar 2016 20:49:00 GMT
< ETag: "0-52df44b2e3a36"
< Accept-Ranges: bytes
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host test1.sysandnetsecurity.com left intact

We use the --insecure option because the Certification Authority is not known to the curl client: we could avoid it by passing the option '--cacert ./ca.cer' to the curl command.

This is all for server authentication. But what happens if the server requests strong client authentication? The answer is simple: a client certificate signed by a CA known to the server must be created.

For this purpose, the Apache configuration and the curl commands to use are shown below:

[root@nikto CA]# more /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html"
ServerName test1.sysandnetsecurity.com:443
SSLVerifyClient require
SSLVerifyDepth 1
# CA certificate for strong client authentication. The CA's private key is not needed here.
SSLCACertificateFile "/etc/httpd/cert/ca.cer"
# Server's key and certificate
SSLCertificateFile /etc/httpd/cert/test1.sysandnetsecurity.com.cer
SSLCertificateKeyFile /etc/httpd/cert/test1.sysandnetsecurity.com.key
[root@nikto CA]# curl -v --cacert ./ca.cer https://test1.sysandnetsecurity.com
* About to connect() to test1.sysandnetsecurity.com port 443 (#0)
* Trying 127.0.0.1…
* Connected to test1.sysandnetsecurity.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./ca.cer
CApath: none
* NSS: client certificate not found (nickname not specified)
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) NSS: client certificate not found (nickname not specified)
[root@nikto CA]# curl -v --cert ./client.sysandnetsecurity.com.cer --key ./client.sysandnetsecurity.com.key --cacert ./ca.cer https://test1.sysandnetsecurity.com
* About to connect() to test1.sysandnetsecurity.com port 443 (#0)
* Trying 127.0.0.1…
* Connected to test1.sysandnetsecurity.com (127.0.0.1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./ca.cer
CApath: none
* NSS: client certificate from file
* subject: E=s@client.com,CN=Client,OU=Client,O=Client,L=Milan,ST=IT,C=IT
* start date: Mar 13 21:50:01 2016 GMT
* expire date: Apr 12 21:50:01 2016 GMT
* common name: Client
* issuer: E=st@ca.com,CN=ca.com,OU=CA,O=CA,L=Milan,ST=Milan,C=IT
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: E=sys@sysandnetsecurity.com,CN=test1.sysandnetsecurity.com,OU=sysandnetsecurity.com, O=sysandnetsecurity.com,L=Milan,ST=Italy,C=IT
* start date: Mar 13 19:42:13 2016 GMT
* expire date: Apr 12 19:42:13 2016 GMT
* common name: test1.sysandnetsecurity.com
* issuer: E=st@ca.com,CN=ca.com,OU=CA,O=CA,L=Milan,ST=Milan,C=IT
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: test1.sysandnetsecurity.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 13 Mar 2016 22:03:51 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
< Last-Modified: Sun, 13 Mar 2016 20:49:00 GMT
< ETag: "0-52df44b2e3a36"
< Accept-Ranges: bytes
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host test1.sysandnetsecurity.com left intact

As you can see, curl is first tried without a client certificate and the SSL handshake fails with an error; we get 200 OK once the key and the client certificate are passed as parameters.

The only thing the server needs to know is the CA that signed the client certificate: that is sufficient to trust the client. The client certificate itself does not need to be installed on the server. This is a general rule: each SSL party (client or server) needs only the CA certificate in order to trust the remote party.

In this context the PEM certificate format was used, but it's not the only one. Different certificate formats exist to meet different application requirements. The next section describes all the certificate formats and how to convert from one to another.

Converting ssl certificate

X.509 is the standard certificate format on the Internet. The syntax used to describe a certificate is ASN.1, and it's well explained in RFC 5280: https://tools.ietf.org/html/rfc5280.

An X.509 certificate is distributed in different formats: PEM, DER, PKCS#7 and PKCS#12. The CA, for example, issues certificates in PEM format; the SSL protocol during the handshake exchanges certificates in PEM format too.

X.509 describes the certificate structure via ASN.1; PEM, DER, PKCS#7 and PKCS#12 are encodings that implement the X.509 specification.

This has to be clear, because on the Internet there is a lot of confusion about it.

Let's now describe the different formats for encoding an X.509 certificate:

  1. PEM: the PEM encoding contains ASCII (Base64) armored data prefixed with a "-----BEGIN" line. Common extensions are .pem, .cer, .crt or .key.
  2. DER: the DER encoding is used for binary-encoded certificates. The extension is .der.
  3. PKCS#7: a Base64-encoded container holding the certificate together with its whole chain. Extensions are .p7b and .p7c.
  4. PKCS#12: a binary container holding the whole certificate chain together with the private key. It's used on Java and Windows systems. Common extensions are .pfx and .p12.

Converting from PEM to DER and vice versa

[root@nikto CA]# openssl x509 -outform der -in client.sysandnetsecurity.com.cer -out client.sysandnetsecurity.com.der
# Show the DER certificate in PEM format.
[root@nikto CA]# openssl x509 -inform der -in client.sysandnetsecurity.com.der
-----BEGIN CERTIFICATE----- (Base64 body omitted) -----END CERTIFICATE-----
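As an added example (not the article's or OpenSSL's code), the pure-Python script below does the PEM-to-DER conversion by hand and then walks the DER ASN.1 structure to recover the fields that openssl x509 -text printed in the first section: version, serial number, signature algorithm, validity, issuer and subject, and the RSA public key size. Its input is the article's own self-signed ca.com certificate (the one printed by the pkcs7 command further down); it assumes an RSA key and handles only the name attributes listed in OID_NAMES.

```python
import base64
import re
import textwrap
# Added example, not the article's or OpenSSL's code: PEM -> DER conversion and a
# minimal DER walker recovering the fields "openssl x509 -text" prints. Assumes an
# RSA key and the name attributes in OID_NAMES. Input: the article's ca.com cert.

CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIJAKJihofXreHhMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
BAYTAklUMQ4wDAYDVQQIDAVNaWxhbjEOMAwGA1UEBwwFTWlsYW4xCzAJBgNVBAoM
AkNBMQswCQYDVQQLDAJDQTEPMA0GA1UEAwwGY2EuY29tMRgwFgYJKoZIhvcNAQkB
FglzdEBjYS5jb20wHhcNMTYwMzA5MTcyNDU4WhcNMTcwMzA5MTcyNDU4WjByMQsw
CQYDVQQGEwJJVDEOMAwGA1UECAwFTWlsYW4xDjAMBgNVBAcMBU1pbGFuMQswCQYD
VQQKDAJDQTELMAkGA1UECwwCQ0ExDzANBgNVBAMMBmNhLmNvbTEYMBYGCSqGSIb3
DQEJARYJc3RAY2EuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
1rA2xlHUhPoV5T89bTD0y/3r1lKf6nTY6zoQhwLYSWWDxX48TV84p1tDZ5sYHImh
ATk0lFUIpTCoGMxusn2KQNVTormLs4uwRJgVW1gMGzwAQU38CDlI2peMef/PQIrA
svXT2zmIpC3wgxO0ln+KSjNsvAdMqCtZzV/mKXrnuwGkD3d8e0YUF02Kj1H//Xie
btlqo3ybau5jWoXar/IjdK5/RhAUYJGMK9NePUov9hYx0ePsN1kUXg3mLuZi1R3y
L/vmWJOE3AlmptdNt1jr43y5Nn3kKyZzR8wZqGhp0kLjcQQFp6kYytk9bs8KSInP
HHfzKMIEbMkqV5zTOf9+YwIDAQABo1AwTjAdBgNVHQ4EFgQUMmppCl/yLS2KWOfZ
oHiHUG5JXDwwHwYDVR0jBBgwFoAUMmppCl/yLS2KWOfZoHiHUG5JXDwwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAz7HDPI/QRI2nzo7ZUwHiBHHSoYq9
+d71fqFlK6XKEfymHUJYrPwtDvLpifqOWaNjiP6KNSoWbfUUjS2GAWds5bhldMF5
y0bFtiEe+tTWi8APFXADDB5yaYzSk56SZHmNnpSAGMtXOG6NnvYMO3mHSx3egPRv
GqRWlBU5Wj87s3fMqn7JMy43Om/2w9zS32ET4S8deH7y8PnZN6ONYzWYxIjkVV4T
Hs7MPkuhvZqXHkLHXpguR1Xx2dBaCpeSUNcGwGPKou2bp4SW9QnmVBkjK939I0bP
I0jFrhPIBFVDBfevxDZRJo4hxOcD1Q7Y1Ejm+SaI06OQ+xsLYk6znzYlZw==
-----END CERTIFICATE-----"""

OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.9.1": "emailAddress", "2.5.4.3": "CN", "2.5.4.6": "C",
             "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def pem_to_der(pem):
    """PEM is just the Base64 of the DER bytes between the BEGIN/END armor lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def der_to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def name_to_dict(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    out = {}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            out[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = val.decode()
    return out

def parse_certificate(der):
    """Pull the main tbsCertificate fields out of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE {
    (_, tbs), (_, sig_alg), _ = children(cert)    #   tbsCertificate, signatureAlgorithm, signatureValue }
    fields = children(tbs)
    version, idx = 1, 0
    if fields[0][0] == 0xA0:                      # [0] EXPLICIT Version; absent means v1
        version, idx = fields[0][1][2] + 1, 1
    serial, _, issuer, validity, subject, spki = (v for _, v in fields[idx:idx + 6])
    not_before, not_after = (v.decode() for _, v in children(validity))
    (_, key_alg), (_, key_bits) = children(spki)
    key_oid, sig_oid = decode_oid(children(key_alg)[0][1]), decode_oid(children(sig_alg)[0][1])
    rsa_pub = children(children(key_bits[1:])[0][1])  # skip unused-bits byte, open RSAPublicKey
    modulus, exponent = (int.from_bytes(v, "big") for _, v in rsa_pub)
    issuer_d, subject_d = name_to_dict(issuer), name_to_dict(subject)
    return {"version": version, "serial": serial.lstrip(b"\x00").hex(),
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
            "not_before": not_before, "not_after": not_after,
            "issuer": issuer_d, "subject": subject_d, "self_signed": issuer_d == subject_d,
            "public_key": {"algorithm": OID_NAMES.get(key_oid, key_oid),
                           "bits": modulus.bit_length(), "exponent": exponent}}

if __name__ == "__main__":
    der = pem_to_der(CA_PEM)
    print(len(der), "DER bytes; round trip ok:", pem_to_der(der_to_pem(der)) == der)
    for key, value in parse_certificate(der).items():
        print(f"{key}: {value}")
```

The output matches what openssl reports for this CA certificate: version 3, serial a2:62:86:87:d7:ad:e1:e1, sha256WithRSAEncryption, a one-year validity from March 9 2016, identical issuer and subject (hence self-signed) and a 2048-bit RSA key with exponent 65537. The point to take away is that PEM and DER carry exactly the same bytes, only the outer encoding differs; a production parser would also validate tag classes, reject non-minimal lengths and walk the extensions, which this walker skips.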

Converting from PEM to PKCS#12 and vice versa

# Chain, key and CA combined into a single encrypted PKCS#12 binary file.
[root@nikto CA]# openssl pkcs12 -export -out client.sysandnetsecurity.com.p12 -inkey client.sysandnetsecurity.com.key -in client.sysandnetsecurity.com.cer -certfile ca.cer
Enter Export Password:
Verifying - Enter Export Password:
# Back to PEM format.
[root@nikto CA]# openssl pkcs12 -in client.sysandnetsecurity.com.p12 -nodes
Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: FB 19 A7 DE 3E E5 26 24 67 5C 80 C0 25 BB 42 AA AC 10 AF A7
subject=/C=IT/ST=IT/L=Milan/O=Client/OU=Client/CN=Client/emailAddress=s@client.com
issuer=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
-----BEGIN CERTIFICATE----- (Base64 body omitted) -----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
issuer=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
-----BEGIN CERTIFICATE----- (Base64 body omitted) -----END CERTIFICATE-----
Bag Attributes
localKeyID: FB 19 A7 DE 3E E5 26 24 67 5C 80 C0 25 BB 42 AA AC 10 AF A7
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCrPssPQrGRcULy
dtl4GDQaKIy9J3wMHP3qdeG/ZHYiF8uNSuroAOkbSIOb3WlNQC8Ot4HwRwfNS7tF
pQS6KeqtDMFYDtKsBbdlMkYKVd55vmDryouao/Ov6ZxsPci2ItKmVGp9UpMu7LEf
Kt694HGrf5wy780OrW3rCydTR9vJTLnidb5qSy3gseZS0bvmArJcfDJ+Sj1l0ywA
ipOvba1Y8pouUHU8FNcf7e6g5Urlb+nYhcaZAmbQiwXgMYmCdZSRVcB4w5ZMp+Hy
fbDENwACLiaei1rnZ1Hm6S94SZMsQdofQTMeS/X/I9PC3E4hkG1/ekEOXlKbvCLi
WhuThJI9AgMBAAECggEAfvyuqh9j/B3IbnLx61vPb0J4s2BPXdA1/yLxh/NgowGQ
QbO3pNngAwpwBipXhyC8hKZSZjLWN0gclJW9fqvMygz2Z21+jnAiwplYVRu+QfuK
dfAaPE+uStnq1F2wtFf4a72Xxl1wpdCBvEIXMSj6Qhn8Y81t+59iLnVz8Q8NjiTv
cLPFb25DeVOvpd3rzNv0E7KNd0/kQDXd/A1r+JQTogme0+H+aqbSecdhL88+1/KS
8+YrakfQGSwFDJGIm75ZvGEt0khazPPJnWjWX+sDQfbzDUaV8uOJMwrgaHGOSdEl
ofPOxzr00PYYvHHcDF1Dtzt+lVrpXh/7c0eoKjeHRQKBgQDeSmkMk//BB5EzbO+2
P9os7qX/mSJYKLV4qRjHBoF+yLeperSwo0tcGWa2++7tWZfOYJsllp36y174FPLl
qgnzcwRpv4IjWRZioJYD1+KX+hqjw/efdxtgSjdHh2os/NCWLYbFAif+8ppo6xX5
9CzzZ3MK2Zb5yHaFmyoqhNFU1wKBgQDFNr15e7bv91IdQicE0WQI7QpmXDu4QL6p
WXBVvmtd7y7AcUZIpvCXgRW7fyOEDSf/CAxCymw/Y08Hkd3vwAFdFAqFJltzD3kV
lRiYx/nZpKo+Ti0qZJGEjHcPLs3SldOSfSdrC0JdNY5YGml2tzwV3VnuB8O0CJa2
Fkr4/F7bCwKBgCZKWQgSolaE0C00kaIqI5Hj1fJOVY0sDf5n2l3GMB4/wutNuLxI
lJ2bvoa8pO57pVumZnM2G6Zsy8IeEa0f+jDWWidBFtCx8towYUbuNBkLuvUEt63f
XXbbseP/Xnm7Xs7PrsxWz77p2VFDVXjF58xRwI5Y5tnF/yyKitviHxDnAoGAETHO
n1LsBkwX+rkT0dW31Rdlurr78fqjJPzJUJCDp/L8roaxzA/SFkOI84oIPLEw9Yls
GD6x5WzxLQXIxeiFtenTaPyJKKUGt50CQf/dht5WgYwrX/DYxyfAEbDQ/TVW9wS2
dRzMMnhC6ueSnmkncfiUqK5An+fHzCRxcPgABTUCgYB47A+aoN9pua5n4ud0bahq
N2XEZZnxvK9TJCmh/iNGklkWoLo0kdSALaGf5LQivQAgU1YY2H2SIP6FU9Hl1WKo
ujxpfJh6yIcyX4q+BnFoA2v50bP/Imacis2Lot0HQYolvmQDfMoI+gLLacS6buBb
Hoa60FxJX9s++jY/K5hQ/w==
-----END PRIVATE KEY-----

Converting from PEM to PKCS#7 and vice versa

# Certificate and CA in a single PKCS#7 file.
[root@nikto CA]# openssl crl2pkcs7 -nocrl -certfile client.sysandnetsecurity.com.cer -out client.sysandnetsecurity.com.p7b -certfile ca.cer
[root@nikto CA]# openssl pkcs7 -print_certs -in client.sysandnetsecurity.com.p7b
subject=/C=IT/ST=IT/L=Milan/O=Client/OU=Client/CN=Client/emailAddress=s@client.com
issuer=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
-----BEGIN CERTIFICATE----- (Base64 body omitted) -----END CERTIFICATE-----

subject=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
issuer=/C=IT/ST=Milan/L=Milan/O=CA/OU=CA/CN=ca.com/emailAddress=st@ca.com
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIJAKJihofXreHhMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
BAYTAklUMQ4wDAYDVQQIDAVNaWxhbjEOMAwGA1UEBwwFTWlsYW4xCzAJBgNVBAoM
AkNBMQswCQYDVQQLDAJDQTEPMA0GA1UEAwwGY2EuY29tMRgwFgYJKoZIhvcNAQkB
FglzdEBjYS5jb20wHhcNMTYwMzA5MTcyNDU4WhcNMTcwMzA5MTcyNDU4WjByMQsw
CQYDVQQGEwJJVDEOMAwGA1UECAwFTWlsYW4xDjAMBgNVBAcMBU1pbGFuMQswCQYD
VQQKDAJDQTELMAkGA1UECwwCQ0ExDzANBgNVBAMMBmNhLmNvbTEYMBYGCSqGSIb3
DQEJARYJc3RAY2EuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
1rA2xlHUhPoV5T89bTD0y/3r1lKf6nTY6zoQhwLYSWWDxX48TV84p1tDZ5sYHImh
ATk0lFUIpTCoGMxusn2KQNVTormLs4uwRJgVW1gMGzwAQU38CDlI2peMef/PQIrA
svXT2zmIpC3wgxO0ln+KSjNsvAdMqCtZzV/mKXrnuwGkD3d8e0YUF02Kj1H//Xie
btlqo3ybau5jWoXar/IjdK5/RhAUYJGMK9NePUov9hYx0ePsN1kUXg3mLuZi1R3y
L/vmWJOE3AlmptdNt1jr43y5Nn3kKyZzR8wZqGhp0kLjcQQFp6kYytk9bs8KSInP
HHfzKMIEbMkqV5zTOf9+YwIDAQABo1AwTjAdBgNVHQ4EFgQUMmppCl/yLS2KWOfZ
oHiHUG5JXDwwHwYDVR0jBBgwFoAUMmppCl/yLS2KWOfZoHiHUG5JXDwwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAz7HDPI/QRI2nzo7ZUwHiBHHSoYq9
+d71fqFlK6XKEfymHUJYrPwtDvLpifqOWaNjiP6KNSoWbfUUjS2GAWds5bhldMF5
y0bFtiEe+tTWi8APFXADDB5yaYzSk56SZHmNnpSAGMtXOG6NnvYMO3mHSx3egPRv
GqRWlBU5Wj87s3fMqn7JMy43Om/2w9zS32ET4S8deH7y8PnZN6ONYzWYxIjkVV4T
Hs7MPkuhvZqXHkLHXpguR1Xx2dBaCpeSUNcGwGPKou2bp4SW9QnmVBkjK939I0bP
I0jFrhPIBFVDBfevxDZRJo4hxOcD1Q7Y1Ejm+SaI06OQ+xsLYk6znzYlZw==
-----END CERTIFICATE-----

[root@nikto CA]#

That's all. I hope you now have a better understanding of SSL certificates.
