• Home
Name Date Size #Lines LOC

..--

Pkcs7Sign.pyD03-May-202411.1 KiB283163

Readme.mdD03-May-20243.4 KiB8550

TestCert.pemD03-May-20243 KiB5857

TestCert.pub.pemD03-May-20241.1 KiB2019

TestRoot.cerD03-May-2024756

TestRoot.pemD03-May-20243 KiB5756

TestRoot.pub.pemD03-May-20241.1 KiB1918

TestSub.pemD03-May-20243 KiB5857

TestSub.pub.pemD03-May-20241.1 KiB2019

Readme.md

1# Step by step to generate sample self-signed X.509 certificate chain and sign data with PKCS7 structure
2
3This readme demonstrates how to generate 3-layer X.509 certificate chain (RootCA -> IntermediateCA -> SigningCert) with OpenSSL commands, and user MUST set a UNIQUE Subject Name ("Common Name") on these three different certificates.
4
5## How to generate a self-signed X.509 certificate chain via OPENSSL
6* Set OPENSSL environment.
7
8NOTE: Below steps are required for Windows. Linux may already have the OPENSSL environment correctly.
9
10    set OPENSSL_HOME=c:\home\openssl\openssl-[version]
11    set OPENSSL_CONF=%OPENSSL_HOME%\apps\openssl.cnf
12
13When a user uses OpenSSL (req or ca command) to generate the certificates, OpenSSL will use the openssl.cnf file as the configuration data (can use “-config path/to/openssl.cnf” to describe the specific config file).
14
15The user need check the openssl.cnf file, to find your CA path setting, e.g. check if the path exists in [ CA_default ] section.
16
17    [ CA_default ]
18        dir = ./demoCA              # Where everything is kept
19
20You may need the following steps for initialization:
21
22    rd ./demoCA /S/Q
23    mkdir ./demoCA
24    echo "" > ./demoCA/index.txt
25    echo 01 > ./demoCA/serial
26    mkdir ./demoCA/newcerts
27
28* Generate the certificate chain:
29
30NOTE: User MUST set a UNIQUE "Common Name" on the different certificate
31
321) Generate the Root Pair:
33
34Generate a root key:
35
36    openssl genrsa -aes256 -out TestRoot.key 2048
37
38Generate a self-signed root certificate:
39
40    openssl req -new -x509 -days 3650 -key TestRoot.key -out TestRoot.crt
41    openssl x509 -in TestRoot.crt -out TestRoot.cer -outform DER
42    openssl x509 -inform DER -in TestRoot.cer -outform PEM -out TestRoot.pub.pem
43
442) Generate the Intermediate Pair:
45
46Generate the intermediate key:
47
48    openssl genrsa -aes256 -out TestSub.key 2048
49
50Generate the intermediate certificate:
51
52    openssl req -new -days 3650 -key TestSub.key -out TestSub.csr
53    openssl ca -extensions v3_ca -in TestSub.csr -days 3650 -out TestSub.crt -cert TestRoot.crt -keyfile TestRoot.key
54    openssl x509 -in TestSub.crt -out TestSub.cer -outform DER
55    openssl x509 -inform DER -in TestSub.cer -outform PEM -out TestSub.pub.pem
56
573) Generate User Key Pair for Data Signing:
58
59Generate User key:
60
61    openssl genrsa -aes256 -out TestCert.key 2048
62
63Generate User certificate:
64
65    openssl req -new -days 3650 -key TestCert.key -out TestCert.csr
66    openssl ca -in TestCert.csr -days 3650 -out TestCert.crt -cert TestSub.crt -keyfile TestSub.key`
67    openssl x509 -in TestCert.crt -out TestCert.cer -outform DER
68    openssl x509 -inform DER -in TestCert.cer -outform PEM -out TestCert.pub.pem
69
70Convert Key and Certificate for signing. Password is removed with -nodes flag for convenience in this sample.
71
72    openssl pkcs12 -export -out TestCert.pfx -inkey TestCert.key -in TestCert.crt
73    openssl pkcs12 -in TestCert.pfx -nodes -out TestCert.pem
74
75* Verify Data Signing & Verification with new X.509 Certificate Chain
76
771) Sign a Binary File to generate a detached PKCS7 signature:
78
79    openssl smime -sign -binary -signer TestCert.pem -outform DER -md sha256 -certfile TestSub.pub.pem -out test.bin.p7 -in test.bin
80
812) Verify PKCS7 Signature of a Binary File:
82
83    openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile TestRoot.pub.pem -out test.org.bin
84
85