Christophe VG

Christophe VG

Software Architect
#howcanihelp

SSL Notes

6 minute read

OpenSSL is a wonderful technology and the openssl toolset is truly a Swiss Armyknife. But I don’t use it on a daily basis and therefore I tend to forget how to use it. These notes show the common actions I need to perform with it, making it easy to simply copy and paste and move on with the more fun parts in life.

Generate a private key

$ openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
....+++
......................+++
e is 65537 (0x10001)

Generate a CSR

$ openssl req -new -key privkey.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Antwerp
Locality Name (eg, city) []:Baal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:2Know BVBA
Organizational Unit Name (eg, section) []:Operations
Common Name (eg, YOUR name) []:Christophe VG
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Display CSR content

$ openssl req -text -noout -in cert.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG/emailAddress=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:ae:88:b4:44:44:4e:fe:48:84:65:a2:5d:0f:20:
										...
                    60:6c:9c:6e:ca:81:12:b0:15:97:f3:4a:5b:7b:3a:
                    7d:e3
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        22:f6:ca:35:fb:0c:ff:a5:7d:a0:5a:93:77:49:00:c6:b1:fc:
				...
        bd:b5:fb:71:77:3c:ef:6b:aa:dc:65:c8:5b:a5:12:a3:b9:19:
        ff:1d:bd:ae

(Self-)sign a certificate

$ openssl x509 -req -days 365 -in cert.csr -signkey privkey.pem -out server.crt
Signature ok
subject=/C=BE/ST=Antwerp/L=Baal/O=2Know BVBA/OU=Operations/CN=Christophe VG
Getting Private key

Display certificate content

$ openssl x509 -text -in server.cert
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f0:f2:34:32:6f:cd:93:79
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG
        Validity
            Not Before: Mar 22 08:53:35 2011 GMT
            Not After : Mar 21 08:53:35 2012 GMT
        Subject: C=BE, ST=Antwerp, L=Baal, O=2Know BVBA, OU=Operations, CN=Christophe VG
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:bb:fa:bf:d4:fd:77:87:e1:b8:e0:ad:2c:48:a0:
                    25:80:c3:bc:c1:9f:84:57:af:34:3b:53:ba:fe:d5:
										...
                    82:0f:90:57:1c:0c:ca:dc:ea:93:39:b3:03:43:d4:
                    b2:c5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        56:9b:39:77:8b:94:0d:e7:7a:70:a8:c9:7c:a9:f3:83:83:b4:
        d4:51:8b:37:e0:a2:55:74:37:6a:fe:d9:ec:8d:84:06:83:fe:
				...
        41:ba:39:cd:cc:4c:39:be:bf:65:61:73:23:dc:26:8f:d4:1f:
        d5:0d:e0:30
-----BEGIN CERTIFICATE-----
MIIDYjCCAkoCCQDw8jQyb82TeTANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJC
RTEQMA4GA1UECBMHQW50d2VycDEQMA4GA1UEBxMHU2NocmllazETMBEGA1UEChMK
...
QitnBMnEHpoIynoQOcmu0MQjED3kEfl/CfvTTUZmylFBujnNzEw5vr9lYXMj3CaP
1B/VDeAw
-----END CERTIFICATE-----

Verify a certificate

$ openssl verify server.crt 
server.crt: /C=BE/ST=Antwerp/L=Baal/O=2Know BVBA/OU=Operations/CN=Christophe VG
error 18 at 0 depth lookup:self signed certificate
OK

Convert a PEM private key to PKCS#8

$ openssl pkcs8 -in privkey.pem -topk8 -v2 des3 -nocrypt -outform DER -out privkey.p8c

$ cat privkey.p8c
??0?????X?|?T?f
 Z?4?wly???y????&
?x???}??=
  2~?]G??{Ư???1(o?)m??w?I????CM@?????E?*????@yP?@z b?2??"|U`g????v?WB*?
...

Base64 encode a file (e.g. a PKCS#8 private key)

$ openssl enc -base64 -in privkey.p8c -out privkey.p8c.base64

$ cat privkey.p8c.base64 
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCh/lg/fJVUk2YQ
Bg3uHwta3jSnd2x5orOjea+GxMkmCgX2eMJN35QUtcXUfb2fPQwyfpZdR7jpgXvG
...

Encrypt/decrypt a (large) file

# Generate some data

$ echo "This is a secret" > info.txt
 
$ zip plainfile info.txt 
  adding: info.txt (stored 0%)
 
$ ls -l
total 16
-rw-r--r--  1 xtof  staff   17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff  183 Jan 22 12:30 plainfile.zip
 
# One Time Setup of Key Infrastructure
# 1. generate private key
# 2. generate certificate for private key

$ openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus
......................................................................................++
..........................................................................................++
e is 65537 (0x10001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
 
$ openssl req -x509 -new -days 100000 -key private_key.pem -out certificate.pem
Enter pass phrase for private_key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
 
# Encryption using certificate

$ openssl smime -encrypt -binary -aes-256-cbc -in plainfile.zip -out encrypted.zip.enc -outform DER certificate.pem
 
$ ls -l
total 72
-rw-r--r--  1 xtof  staff  3321 Jan 22 12:32 certificate.pem
-rw-r--r--  1 xtof  staff  1452 Jan 22 12:34 encrypted.zip.enc
-rw-r--r--  1 xtof  staff    17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff   183 Jan 22 12:30 plainfile.zip
-rw-r--r--  1 xtof  staff  7011 Jan 22 12:30 private.pem
-rw-r--r--  1 xtof  staff  7078 Jan 22 12:32 private_key.pem
-rw-r--r--  1 xtof  staff  1612 Jan 22 12:30 public.pem
 
# Decryption using private key
 
$ openssl smime -decrypt -binary -in encrypted.zip.enc -inform DER -out decrypted.zip -inkey private_key.pem
Enter pass phrase for private_key.pem:
 
$ ls -l
total 80
-rw-r--r--  1 xtof  staff  3321 Jan 22 12:32 certificate.pem
-rw-r--r--  1 xtof  staff   183 Jan 22 12:35 decrypted.zip
-rw-r--r--  1 xtof  staff  1452 Jan 22 12:34 encrypted.zip.enc
-rw-r--r--  1 xtof  staff    17 Jan 22 12:29 info.txt
-rw-r--r--  1 xtof  staff   183 Jan 22 12:30 plainfile.zip
-rw-r--r--  1 xtof  staff  7011 Jan 22 12:30 private.pem
-rw-r--r--  1 xtof  staff  7078 Jan 22 12:32 private_key.pem
-rw-r--r--  1 xtof  staff  1612 Jan 22 12:30 public.pem
 
$ unzip decrypted.zip 
Archive:  decrypted.zip
replace info.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: r
new name: decrypted_info.txt
 extracting: decrypted_info.txt      
 
$ cat decrypted_info.txt 
This is a secret

Makefile

The following Makefile implements all steps to generate data, setup the key infrastructure and perform the encryption/decryption

all: data.decrypted.txt
	@echo "### content of $<"
	cat $<

data.txt:
	@echo "### generating $@"
	date > $@
	echo "big secret" >> $@
	@echo "generated data:"
	cat $@

data.zip: data.txt
	@echo "### zipping $<"
	zip data $<

private.pem:
	@echo "### creating private key: $@"
	openssl genrsa -aes256 -out $@ 8912

certificate.pem: private.pem
	@echo "### creating certificate: $@ from $<"
	openssl req -x509 -new -days 100000 -key $< -out $@

%.zip.enc: %.zip certificate.pem
	@echo "encrypting $< into $@"
	openssl smime -encrypt -binary -aes-256-cbc -in $< -out $@ -outform DER $(word 2,$^)

%.decrypted.zip: %.zip.enc private.pem
	@echo "### decrypting $< into $@"
	openssl smime -decrypt -binary -in $< -inform DER -out $@ -inkey $(word 2,$^)

%.decrypted.txt: %.decrypted.zip
	@echo "### unzipping $*.txt into $@"
	unzip -p $< $*.txt > $@

clean:
	@rm *.*

Running it and providing a pass phrase three time shows the entire process:

$ make
### generating data.txt
date > data.txt
echo "big secret" >> data.txt
generated data:
cat data.txt
Sat Jan 23 15:22:13 CET 2021
big secret
### zipping data.txt
zip data data.txt
  adding: data.txt (stored 0%)
### creating private key: private.pem
openssl genrsa -aes256 -out private.pem 8912
Generating RSA private key, 8912 bit long modulus
...................................................................................................................................................................................................++
................++
e is 65537 (0x10001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
### creating certificate: certificate.pem from private.pem
openssl req -x509 -new -days 100000 -key private.pem -out certificate.pem
Enter pass phrase for private.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
encrypting data.zip into data.zip.enc
openssl smime -encrypt -binary -aes-256-cbc -in data.zip -out data.zip.enc -outform DER certificate.pem
### decrypting data.zip.enc into data.decrypted.zip
openssl smime -decrypt -binary -in data.zip.enc -inform DER -out data.decrypted.zip -inkey private.pem
Enter pass phrase for private.pem:
### unzipping data.txt into data.decrypted.txt
unzip -p data.decrypted.zip data.txt > data.decrypted.txt
### content of decrypted data.decrypted.txt
cat data.decrypted.txt
Sat Jan 23 15:22:13 CET 2021
big secret
rm data.decrypted.zip data.zip.enc

References

You May Also Enjoy

Super Mario Question Mark Block

2 minute read

When my godchild L was about to do his confirmation (for my Dutch-inclined friends: “zijn vormsel” - I had to look it up also 😇) I had to come up with a way ...

Resin in Wood Coasters

4 minute read

I’ve been wanting to play with combining wood and resin for some time, yet never found the time to do so, until Veronique’s birthday came up and what do you ...

Tomaten Quiche

1 minute read

Quiches zijn een basis-recept, met massa’s variaties. Deze werd weer eens enorm goed onthaald @home.