Name | Date | Size | #Lines | LOC
---|---|---|---|---
Pkcs7Sign.py | 03-May-2024 | 11.1 KiB | 283 | 163
Readme.md | 03-May-2024 | 3.4 KiB | 85 | 50
TestCert.pem | 03-May-2024 | 3 KiB | 58 | 57
TestCert.pub.pem | 03-May-2024 | 1.1 KiB | 20 | 19
TestRoot.cer | 03-May-2024 | 756 B | - | -
TestRoot.pem | 03-May-2024 | 3 KiB | 57 | 56
TestRoot.pub.pem | 03-May-2024 | 1.1 KiB | 19 | 18
TestSub.pem | 03-May-2024 | 3 KiB | 58 | 57
TestSub.pub.pem | 03-May-2024 | 1.1 KiB | 20 | 19
Readme.md
# Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure

This readme demonstrates how to generate a 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands. The user MUST set a UNIQUE Subject Name ("Common Name") on each of the three certificates.

## How to generate a self-signed X.509 certificate chain via OPENSSL
* Set OPENSSL environment.

NOTE: The steps below are required on Windows. Linux typically already has the OPENSSL environment set up correctly.

    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf

When a user uses OpenSSL (the req or ca command) to generate the certificates, OpenSSL uses the openssl.cnf file as its configuration data (use "-config path/to/openssl.cnf" to point at a specific config file).

The user needs to check the openssl.cnf file to find the CA path setting, e.g. check that the path given in the [ CA_default ] section exists.

    [ CA_default ]
    dir = ./demoCA # Where everything is kept

You may need the following steps for initialization:

    rd ./demoCA /S/Q
    mkdir ./demoCA
    echo "" > ./demoCA/index.txt
    echo 01 > ./demoCA/serial
    mkdir ./demoCA/newcerts

* Generate the certificate chain:

NOTE: The user MUST set a UNIQUE "Common Name" on each of the different certificates.

1) Generate the Root Pair:

Generate a root key:

    openssl genrsa -aes256 -out TestRoot.key 2048

Generate a self-signed root certificate:

    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem

2) Generate the Intermediate Pair:

Generate the intermediate key:

    openssl genrsa -aes256 -out TestSub.key 2048

Generate the intermediate certificate:

    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
    openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem

3) Generate User Key Pair for Data Signing:

Generate User key:

    openssl genrsa -aes256 -out TestCert.key 2048

Generate User certificate:

    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key
    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
    openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem

Convert Key and Certificate for signing. The password is removed with the -nodes flag for convenience in this sample.

    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt
    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem

* Verify Data Signing & Verification with the new X.509 Certificate Chain

1) Sign a Binary File to generate a detached PKCS7 signature:

    openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin

2) Verify the PKCS7 Signature of a Binary File:

    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin
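The whole Readme procedure (chain generation, detached PKCS7 signing, verification) carried through end to end, as an added shell example that is not part of the Readme. It assumes openssl is on PATH, replaces the Readme's `openssl ca` with `openssl x509 -req -CA` so no demoCA index/serial setup is needed, leaves the keys unencrypted so nothing prompts for a passphrase, and adds the check a verifier actually cares about: a modified file must fail to verify.

```shell
#!/bin/sh
# Added example (not from the Readme above): build the Readme's
# RootCA -> IntermediateCA -> SigningCert chain without prompts, sign a file with
# a detached DER PKCS7 signature as the Readme does, verify it against TestRoot,
# and confirm that a modified file fails verification. Assumes openssl on PATH.

# Build the chain under directory $1. Every certificate gets a UNIQUE CN.
make_chain() {
    d=$1
    mkdir -p "$d" &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext" &&
    openssl genrsa -out "$d/TestRoot.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/TestRoot.key" -subj "/CN=TestRoot" -out "$d/TestRoot.csr" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$d/TestRoot.csr" -signkey "$d/TestRoot.key" \
        -extfile "$d/ca.ext" -out "$d/TestRoot.pub.pem" 2>/dev/null &&
    openssl genrsa -out "$d/TestSub.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/TestSub.key" -subj "/CN=TestSub" -out "$d/TestSub.csr" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$d/TestSub.csr" -CA "$d/TestRoot.pub.pem" -CAkey "$d/TestRoot.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/TestSub.pub.pem" 2>/dev/null &&
    openssl genrsa -out "$d/TestCert.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/TestCert.key" -subj "/CN=TestCert" -out "$d/TestCert.csr" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$d/TestCert.csr" -CA "$d/TestSub.pub.pem" -CAkey "$d/TestSub.key" \
        -CAcreateserial -out "$d/TestCert.pub.pem" 2>/dev/null &&
    cat "$d/TestCert.key" "$d/TestCert.pub.pem" > "$d/TestCert.pem"  # key+cert, like pkcs12 -nodes output
}

# Readme step "Sign a Binary File": detached DER PKCS7 over $2, intermediate embedded via -certfile.
sign_file() {
    openssl smime -sign -binary -signer "$1/TestCert.pem" -outform DER -md sha256 \
        -certfile "$1/TestSub.pub.pem" -out "$2.p7" -in "$2" 2>/dev/null
}

# Readme step "Verify PKCS7 Signature": exit 0 only if $2.p7 is valid over $2 and chains to TestRoot.
verify_file() {
    openssl smime -verify -inform DER -in "$2.p7" -content "$2" \
        -CAfile "$1/TestRoot.pub.pem" -out /dev/null >/dev/null 2>&1
}

# Exit 0 only if the untouched file verifies AND a modified copy does not.
run_demo() {
    t=$(mktemp -d) &&
    make_chain "$t" &&
    printf 'constructed sample payload\n' > "$t/test.bin" &&
    sign_file "$t" "$t/test.bin" &&
    verify_file "$t" "$t/test.bin" &&
    printf 'x' >> "$t/test.bin" &&
    ! verify_file "$t" "$t/test.bin"
}
```

Run `run_demo` after sourcing the script; the temporary directory it creates holds the same TestRoot/TestSub/TestCert file set the Readme produces.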