Self-signed RSA cert generation and signing using OpenSSLIvan Molina Rebolledo
- 1 min read
(The following notes were made as a self-guide for a U. class (Network Security))
First step: Obtaining our PEM keys. This can be done as my previous post, where the generated keys are already in PEM format.
A PEM encoded key looks like this:
-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----
The content between those two markers should be a base64 encoded key.
So this step is easy.
If you don't have a PEM key, use the OpenSSL
rsa to convert an already exisitng non-PEM key:
openssl rsa -in oldkey -outform pem -out newkey.pem
Generating a certificate
This can be done in one step:
openssl req -x509 -new -key PrivKey.pem -out Cert.pem -sha256
We are using
req to generate certificates in the PKCS#10 format. The
-x509 parameter is specifying that we want a self-signed certificate.
-new generates the certificate. The other three parameters are self-explanatory; we are using sha256 as our hash algorithm.
Signing a file
For this we are going to use
openssl pkeyutl -sign -in File -inkey Priv.pem -out SignedFile
Verifying a file
openssl pkeyutl -verify -in File -sigfile SignedFile -certin -inkey Cert.pem
In this case we use
-verify to verify a File given a signature.
-sigfile is the signature generated in the previous step.
-certin specifies that we are using a certificate to verify out signature and file.
And that's all.
Need more help? Fear no more:
(Just a quick note about the manpages: in macOS, all the subcommand are included with the openssl manpage, but that's not the case for other unixes. In Ubuntu, you have to request the manpage for a specific subcommand like this:
man enc, for