Technical PKI FAQ
General Technical Information
- What is OpenSSL?
- Can I setup a simple client and server to test my new certificates?
- What is PKCS #12?
- How are certificates stored?
- How can I display the content of a certificate using OpenSSL?
- How can I display the certificate MD5 fingerprint using OpenSSL?
- How can I convert a certificate from PEM to DER format using OpenSSL?
- How can I tell PEM format from DER?
- How can I test SSL/TLS certificates that are revoked or expired?
Certificate Signing Request (CSR) Creation Information
- Can I use Internet Information Services (IIS) Certificate Wizard to make a CSR for the VTCA?
- How can I generate RSA key pair and make a PKCS #10 request using OpenSSL?
- How can I package my certificate and its corresponding private key into a PKCS #12 file?
- How can I configure TLS/SSL for OpenLDAP server?
- How can I use certificates with servers like Apache, and Tomcat?
- How do I create and install VT Global Web Server cert for Windows 2008 Server using IIS Certificate Wizard?
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
Yes. OpenSSL provides a simple server and a simple client for testing SSL/TLS with certificates. s_server provides a basic TLS server that s_client can connect to over TCP/IP. Once the client and server are connected and the handshake has completed, each side can type characters that are sent to the other, forming a primitive talk session. View http://www.openssl.org/docs/apps/openssl.html for the OpenSSL toolkit documentation.
PKCS #12 or Public Key Cryptography Standard #12 is a standard for securely storing private keys and certificates. It is often used by browsers including Mozilla Firefox and Microsoft Internet Explorer for transporting keys when using import and export functions. View http://www.rsasecurity.com/rsalabs/node.asp?id=2138 for PKCS #12 documentation.
Certificates are kept in special repositories called keystores and can be distributed in several formats:
1. X.509 format (.cer and .crt file extensions on Windows). This format is widely supported and represents an individual certificate.
2. Cryptographic Message Syntax, PKCS #7 format (.p7b file extension on Windows). This format is used for exporting a complete certificate chain.
3. Personal Information Exchange Syntax, PKCS #12 format (.pfx and .p12 file extensions on Windows). This format is used for exporting a public/private key pair together with its certificate, and is the usual way to import key pairs into browsers.
4. Certificate Signing Request (CSR) Syntax, PKCS #10 format. This format is used to generate signing requests to trusted certificate authorities.
$ openssl x509 -in cert.pem -noout -text
$ openssl x509 -in cert.pem -noout -fingerprint -md5
$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
You can start by opening the file in a text editor. If the file starts with "-----BEGIN CERTIFICATE-----" and the lines between the BEGIN and END markers are readable base64 text, then it is PEM format. If the file looks like a binary file with nothing understandable in it, then it is DER.
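The three commands above (display, fingerprint, PEM to DER) and the PEM-versus-DER test, worked through as an added shell example. It is not from the VT FAQ or the OpenSSL project; it assumes the openssl binary is on PATH, and the certificate it inspects is a throw-away self-signed one that it generates itself (constructed test data; the file names are placeholders). It also shows why the fingerprint does not depend on the file format: the fingerprint is simply a digest over the DER bytes, so hashing the DER encoding directly gives the same value.

```shell
#!/bin/sh
# Added example, not part of the VT FAQ. Assumes: openssl on PATH; the
# certificate is a throw-away self-signed one made below (constructed data).

# Make a self-signed test certificate in directory $1, in both PEM and DER.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -batch \
        -subj "/CN=pki-faq-example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    # The FAQ's PEM-to-DER conversion, on one line.
    openssl x509 -in "$1/cert.pem" -inform PEM -out "$1/cert.der" -outform DER
}

# Print PEM, DER or UNKNOWN for file $1 by looking at its first bytes:
# PEM is text starting with "-----BEGIN"; DER is binary whose first byte is
# the ASN.1 SEQUENCE tag 0x30 (an X.509 Certificate is an outer SEQUENCE).
cert_format() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Print the fingerprint of certificate $1 with digest $2 (md5, sha1, sha256)
# in OpenSSL's upper-case colon-separated form, whatever the file format.
cert_fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint "-$2" \
        | cut -d= -f2
}

# The fingerprint is nothing more than the digest of the DER encoding, so
# hashing the DER bytes directly must reproduce cert_fingerprint's value.
fingerprint_from_der_bytes() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform DER \
        | openssl dgst "-$2" \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Print the certificate's contents (the FAQ's "display the content" command).
show_cert() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -text
}

dir=$(mktemp -d)
make_test_cert "$dir"
echo "cert.pem is $(cert_format "$dir/cert.pem"); cert.der is $(cert_format "$dir/cert.der")"
echo "MD5 fingerprint (openssl):   $(cert_fingerprint "$dir/cert.der" md5)"
echo "MD5 fingerprint (DER bytes): $(fingerprint_from_der_bytes "$dir/cert.pem" md5)"
show_cert "$dir/cert.der" | head -n 12
```

The -md5 option is there because the FAQ question asks for the MD5 fingerprint; without a digest option, current OpenSSL releases print the SHA-1 fingerprint, and when you compare a fingerprint with someone out of band today it is the SHA-256 one (-sha256) that you should be comparing.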
The VT Global Qualified Web Server CA hosts the following test web pages that allow you to test your software with certificates that are (i) valid, (ii) revoked, and (iii) expired.
(i) valid - https://sieswin08.cc.vt.edu:443
(ii) revoked - https://sieswin08.cc.vt.edu:8443
(iii) expired - https://sieswin08.cc.vt.edu:8080
Yes; however, you may want to back up or export your current certificate before removing it. Your key must be at least 2048 bits.
- Generate the RSA key pair and certificate signing request (CSR) as follows (use the default file names key.pem and req.pem or substitute your own):
$ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem -nodes
If you wish to encrypt your private key, do not include the -nodes option.
- Detailed directions are at OpenSSL + Related
You will receive your certificate from IMS in DER format. You must convert it to PEM format:
$ openssl x509 -inform DER -in download.cer -outform PEM -out download.pem
Then you can package your certificate and its private key into a PKCS #12 file using the following OpenSSL command:
$ openssl pkcs12 -export -inkey key.pem -in download.pem -out myserver.p12 -name "my test cert"
download.cer: the certificate you received from IMS (download.pem is the same certificate after conversion to PEM)
key.pem: the private key you created when you made your CSR
myserver.p12: the output file where the PKCS #12 bundle will be stored
my test cert: a friendly name, which can be anything you like
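The whole CSR procedure from the two answers above (key pair and PKCS #10 request, DER to PEM conversion, PKCS #12 packaging), as an added shell example that is not from the VT FAQ or the OpenSSL project. It assumes openssl on PATH. Because the real issuer (IMS) is not reachable from a script, a stand-in CA is created on the spot and signs the request; the subject, the file names and the PKCS #12 password are placeholders. The example adds the checks you want before and after the FAQ's steps: that the CSR says what you meant to request, that the private key really belongs to the certificate that came back, that the certificate chains to its issuer, and that the bundle reads back with the friendly name intact.

```shell
#!/bin/sh
# Added example, not part of the VT FAQ. Assumes openssl on PATH. The CA
# created here is a stand-in for the VT/IMS issuer so the flow runs offline;
# the subject, file names and the PKCS #12 password are placeholders.

# Step 1 (FAQ): RSA 2048 key pair and PKCS #10 request, key.pem and req.pem.
# -nodes leaves key.pem unencrypted; omit it to be asked for a passphrase.
# -subj and -batch only make the command non-interactive.
make_csr() {
    openssl req -newkey rsa:2048 -keyout "$1/key.pem" -out "$1/req.pem" -nodes -batch \
        -subj "/C=US/ST=Virginia/L=Blacksburg/O=Example Department/CN=www.example.edu" \
        2>/dev/null
}

# Before submitting the CSR: its self-signature verifies and the subject is
# what you meant to request. Prints the subject line.
csr_subject() {
    openssl req -in "$1/req.pem" -noout -verify -subject 2>/dev/null | sed -n 's/^subject=//p'
}

# Step 2: the issuer signs the request and returns the certificate in DER,
# the form the FAQ says IMS delivers (download.cer). The stand-in CA exists
# purely so this example can run offline.
issue_cert_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -batch \
        -subj "/CN=Stand-in Test CA" -keyout "$1/cakey.pem" -out "$1/ca.pem" 2>/dev/null
    openssl x509 -req -in "$1/req.pem" -CA "$1/ca.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 30 -outform DER -out "$1/download.cer" 2>/dev/null
}

# Steps 3 and 4 (FAQ): convert DER to PEM, then bundle key + cert (+ issuer)
# into a PKCS #12 file with a friendly name. $2 is the bundle password.
package_pkcs12() {
    openssl x509 -inform DER -in "$1/download.cer" -outform PEM -out "$1/download.pem"
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/download.pem" \
        -certfile "$1/ca.pem" -name "my test cert" \
        -out "$1/myserver.p12" -passout "pass:$2"
}

# Check 1: the private key really belongs to the certificate. Comparing the
# public keys works for any key type, unlike comparing an RSA modulus.
key_matches_cert() {
    k=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/download.pem" -noout -pubkey)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Check 2: the certificate chains to the issuer (prints OK or FAIL).
chain_ok() {
    if openssl verify -CAfile "$1/ca.pem" "$1/download.pem" >/dev/null 2>&1; then
        echo OK; else echo FAIL; fi
}

# Check 3: read the bundle back and recover the friendly name, which is what
# a browser shows after import. A wrong password yields nothing.
p12_friendly_name() {
    openssl pkcs12 -in "$1/myserver.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

w=$(mktemp -d)
make_csr "$w"
echo "CSR subject:      $(csr_subject "$w")"
issue_cert_der "$w"
package_pkcs12 "$w" changeit
echo "key matches cert: $(key_matches_cert "$w")"
echo "chain verifies:   $(chain_ok "$w")"
echo "friendly name:    $(p12_friendly_name "$w" changeit)"
```

With the real issuer, replace issue_cert_der with the certificate you download from IMS and pass the issuer's CA certificate to -certfile so the bundle carries the chain; the key-match check is the one that catches the common mistake of generating a fresh key after the CSR was submitted.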
Reference http://www.openldap.org/ for the latest information on configuring TLS/SSL for OpenLDAP servers.
Reference: https://support.globalsign.com/#category_SSL_Installation for the latest information on configuring Apache and Tomcat servers.
How do I create and install VT SSL Server cert for Windows 2008 Server using IIS Certificate Wizard?
Follow the directions provided at Install Virginia Tech Server Certificate using IIS Certificate Wizard.
The serial number shown for a certificate in the Mac Keychain does not work when searching for the certificate on the EJBCA website; use the serial number labelled "other name" instead.
- RSA Labs FAQs for Cryptography
Last updated on July 8, 2015