Generate Public/Private Key Pairs

Become a Certificate Authority (CA)

$ cp /usr/lib/ssl/openssl.cnf ./
$ mkdir -p ./demoCA/certs ./demoCA/crl ./demoCA/newcerts
$ touch ./demoCA/index.txt
$ echo "1000" > ./demoCA/serial
$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Open openssl.cnf and change “policy = policy_match” to “policy = policy_anything”, so that the CA will sign requests whose subject fields differ from its own.

Create a Certificate

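$ # Generate a public/private key pair; the private key is encrypted with AES-128 under a passphrase
$ # (1024-bit RSA is too weak outside a lab; use 2048 bits or more for real keys)
$ openssl genrsa -aes128 -out server.key 1024
$ # Show the key's contents (this prints the private key parameters)
$ openssl rsa -in server.key -text
$ # Generate a Certificate Signing Request (CSR)
$ openssl req -new -key server.key -out server.csr -config openssl.cnf
$ # Sign the CSR with the CA key to issue the certificate
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf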

Create Digital Signature

$ # prepare the file to sign
$ echo "Hello, world!" > in.txt
$ # extract public key
$ openssl rsa -in server.key -pubout > server.pub
$ # generate signature with private key
$ openssl dgst -sha256 -sign server.key -out in.txt.sha256 in.txt
$ # verify the signature with public key
$ openssl dgst -sha256 -verify server.pub -signature in.txt.sha256 in.txt

References

Crypto Lab – Public-Key Cryptography and PKI