Virginia Tech Certification Authority

Technical PKI FAQ


What is OpenSSL?

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.


Can I setup a simple client and server to test my new certificates?

Yes. OpenSSL provides simple server and client commands, s_server and s_client, for testing SSL/TLS connections with your certificates. s_server provides basic server facilities that s_client can connect to over TCP/IP. Once the server and client are connected and have successfully completed the handshake, both the client and server can type characters to each other, forming a primitive talk session. See http://www.openssl.org/docs/apps/openssl.html for the OpenSSL toolkit documentation.


What is PKCS #12?

PKCS #12 or Public Key Cryptography Standard #12 is a standard for securely storing private keys and certificates. It is often used by browsers including Mozilla Firefox and Microsoft Internet Explorer for transporting keys when using import and export functions. View http://www.rsasecurity.com/rsalabs/node.asp?id=2138 for PKCS #12 documentation.


How are certificates stored?

Certificates are kept in special repositories called keystores and can be distributed in several different formats:

1. X.509 format (.cer and .crt file extensions on Windows). This widely supported format represents an individual certificate.
2. Cryptographic Message Syntax, PKCS #7 format (.p7b file extension on Windows). This format is used for exporting a complete certificate chain.
3. Personal Information Exchange syntax, PKCS #12 format (.pfx and .p12 file extensions on Windows). This format is used for exporting the public/private key pair and is very helpful for importing key pairs into browsers.
4. Certificate Signing Request (CSR) syntax, PKCS #10 format. This format is used for generating signing requests to trusted certificate authorities.


How can I display the content of a certificate using OpenSSL?

$ openssl x509 -in cert.pem -noout -text


How can I display the certificate MD5 fingerprint using OpenSSL?

$ openssl x509 -in cert.pem -noout -fingerprint -md5

Without a digest option, OpenSSL prints the SHA-1 fingerprint. MD5 is no longer collision resistant, so when you compare fingerprints with a peer, prefer -sha256.


How can I convert a certificate from PEM to DER format using OpenSSL?

$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER


How can I tell PEM format from DER?

You can start by opening the file in a text editor. If the file starts with "-----BEGIN CERTIFICATE-----" and then contains lines of base64-encoded text that look like this:


and ends with "-----END CERTIFICATE-----", then it is in PEM format. If the file looks like a binary file in which nothing is readable, then it is DER.
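The PEM-versus-DER check above, the PEM/DER conversion, and the fingerprint calculation, done together in standard-library Python as an added example that is not part of the original FAQ. SAMPLE_DER is a constructed minimal DER SEQUENCE standing in for a real certificate, so its fingerprint is illustrative only.

```python
import base64
import hashlib
import re

# Constructed sample: a minimal DER SEQUENCE (tag 0x30) standing in for a real
# certificate body. A real certificate is a much longer SEQUENCE.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

# PEM armour: BEGIN/END lines with matching labels around base64 text.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
                    re.DOTALL)


def detect_format(data: bytes) -> str:
    """Return 'PEM' or 'DER', mirroring the manual check described above."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    # A DER certificate is an ASN.1 SEQUENCE, whose first tag byte is 0x30.
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armour nor a DER SEQUENCE")


def pem_to_der(pem: bytes) -> bytes:
    """Strip the armour and base64-decode the body (openssl x509 -outform DER)."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()), validate=True)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-encode in 64-character lines and add the armour (-outform PEM)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + tag + b"-----\n")


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Digest of the DER encoding, formatted like openssl x509 -fingerprint.

    The digest is always taken over the DER bytes, so PEM and DER copies of
    the same certificate give the same fingerprint. SHA-256 is the default
    here because MD5 is no longer collision resistant.
    """
    der = pem_to_der(data) if detect_format(data) == "PEM" else data
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```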


Can I use the Internet Information Services (IIS) Certificate Wizard to make a CSR for the VTCA?

Yes. However, you may want to back up or export your current certificate before removing it. Your certificate must have a key of at least 2048 bits.

Follow the directions at https://support.globalsign.com/customer/portal/articles/1227403-generate-csr-or-renew-certificate---internet-information-services-iis-7.


How can I generate RSA key pair and make a PKCS #10 request using OpenSSL?


  1. Generate the RSA key pair and certificate signing request (CSR) as follows (use the default file names key.pem and req.pem or substitute your own):
    $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

    If you wish to encrypt your private key, omit the -nodes option; OpenSSL will then prompt for a passphrase that you must supply whenever the key is loaded.

  2. Detailed directions are at OpenSSL + Related


How can I package my certificate and its corresponding private key into a PKCS #12 file?

You will receive your certificate from IMS in DER format. You must first convert it to PEM format:

$ openssl x509 -inform DER -in download.cer -outform PEM -out download.pem

Then you can package your certificate and private key into a PKCS #12 file using the following OpenSSL command:

$ openssl pkcs12 -export -inkey key.pem -in download.pem -out myserver.p12 -name "my test cert"

Where:
download.cer is the certificate you received from IMS
key.pem is the private key you created when you made your CSR
myserver.p12 is the output file in which the PKCS #12 bundle will be stored
"my test cert" is a friendly name that can be anything you like

The -export command prompts for an export password; the private key inside the .p12 file is protected only by that password, so choose a strong one and handle the file as you would the key itself.


How can I configure TLS/SSL for OpenLDAP server?

Refer to http://www.openldap.org/ for the latest information on configuring TLS/SSL for OpenLDAP servers.


How can I use certificates with servers like Apache and Tomcat?

Refer to https://support.globalsign.com/#category_SSL_Installation for the latest information on configuring Apache and Tomcat servers.


How do I create and install VT SSL Server cert for Windows 2008 Server using IIS Certificate Wizard?

Follow the directions provided at Install Virginia Tech Server Certificate using IIS Certificate Wizard.


How can I find my certificate by certificate serial number on the EJBCA website?

The serial number shown for a certificate in the Mac Keychain does not work correctly when searching for the certificate on the EJBCA website; use the serial number labelled "other name" instead.


Last updated on March 30, 2015