In this section a set of commands for certificate management will be presented.
To show the relevant information of a certificate, the following command can be run.
root@myhost:/etc/ssl# openssl x509 -in ./mycerts/gwCert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
Validity
Not Before: Nov 18 19:01:04 2022 GMT
Not After : Nov 15 19:01:04 2032 GMT
Subject: C = US, ST = California, O = My Company, CN = gw.mycompany.com, emailAddress = netadmin@mycompany.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:5e:cc:be:7f:89:3e:f5:82:a0:46:b1:6e:97:ec:
5b:5b:9c:39:27:45:37:35:72:48:a1:bd:f3:b6:55:
72:7b:c5:fc:42:ee:f6:f1:95:7f:b8:fe:8d:f3:e0:
d3:5f:4f:32:a7:8f:89:22:f4:91:a9:62:8a:4d:e0:
f7:8e:00:57:84
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
EE:F7:72:C3:9B:4F:A6:A0:AC:56:C0:8C:50:D0:88:7F:AE:2B:27:21
X509v3 Authority Key Identifier:
00:32:A8:49:BC:A0:EF:26:DA:50:D0:A4:E6:1C:B0:17:58:57:F6:1F
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, ipsec Internet Key Exchange
X509v3 Subject Alternative Name:
DNS:gw.mycompany.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
81:a2:a0:25:a0:81:17:17:03:f2:68:7f:7c:de:6a:c0:2b:77:
5e:44:ab:46:7d:39:49:74:95:b2:ed:9b:e8:50:cc:8b:a4:85:
...
4e:2a:09:05:31:fb:03:c8:f6:46:50:46:95:56:fc:28:b2:a5:
f7:87:39:b8:6d:82:ed:41
The following command prints the hash of a certificate.
root@myhost:~# cd /etc/ssl/mycerts
root@myhost:/etc/ssl/mycerts# openssl x509 -hash -in gwCert.pem -noout
cf31e339
It could be useful to generate an encrypted version of the private key. The following command carries out this task. Notice that a triple DES cypher is used to assure portability, mainly towards Microsoft Windows systems.
root@myhost:~# cd /etc/ssl/private/
root@myhost:/etc/ssl/private# openssl rsa -des3 -in HenryKey.pem -out HenryKey.encrypted.pem
writing RSA key
Enter pass phrase: A_PASSWORD
Verifying - Enter pass phrase: A_PASSWORD
The secret A_PASSWORD must be confidentially sent to the user Henry Smith, togeter with the private and public keys.
To remove the passphrase from an encrypted private key, i.e. to generate the decrypted version of the private key, simply open the key and save the output to a new file.
root@myhost:~# cd /etc/ssl/private/
root@myhost:/etc/ssl/private# openssl rsa -in HenryKey.encrypted.pem -out HenryKey.noenc.pem
Enter pass phrase for HenryKey.encrypted.pem: TYPE_YOUR_SECRET
writing RSA key
Some softwares need a certificate in DER format. Run this command to carry out the conversion.
root@myhost:/etc/ssl# openssl x509 -in ./mycerts/gwCert.pem -inform PEM -out ./mycerts/gwCert.der -outform DER
The PKCS12 format allows to bundle a private key with its X.509 certificate.
root@myhost:~# cd /etc/ssl/private
root@myhost:/etc/ssl/private# openssl pkcs12 -export -inkey HenryKey.pem -in ../mycerts/HenryCert.pem -name "Henry Smith" -certfile ../cacerts/cacert.pem -out HenryCert.p12
Enter Export Password: A_PASSWORD
Verifying - Enter Export Password: A_PASSWORD
A CA can invalidate a certificate by revoking its validity. Once revoked, the certificate is no longer usable for authentication, provided that the CA continously updates and distributes a Certificate Revocation List (CRL).
Suppose that there is the suspect that the private key of the user Henry Smith was compromised. The CA can revoke his certificate by running the following command.
root@myhost:~# cd /etc/ssl
root@myhost:/etc/ssl# openssl ca -revoke ./mycerts/HenryCert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem: TYPE_YOUR_SECRET
Revoking Certificate 02.
Data Base Updated
Looking at the database index.txt, in the first column the flag of certificate number 02 was set to R, meaning that the certificate is revoked. Moreover, the third column reports the revocation date as obtained by the command date '+%y%m%d%k%M%SZ'.
root@myhost:/etc/ssl# cat index.txt
V 321114143526Z 01 unknown /C=US/ST=California/O=My Company/CN=www.mycompany.com/emailAddress=netadmin@mycompany.com
R 251116161418Z 221118204418Z 02 unknown /C=US/ST=California/O=My Company/CN=Henry Smith/emailAddress=henry@mycompany.com
V 321115190104Z 03 unknown /C=US/ST=California/O=My Company/CN=gw.mycompany.com/emailAddress=netadmin@mycompany.com
To distribute the information about the revoked certificates, a CRL must be generated and made public in some way (e.g. through a web server). To generate the CRL, the following command is used.
root@myhost:/etc/ssl# openssl ca -gencrl -crldays 90 -out ./crl/crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem: TYPE_YOUR_SECRET
root@myhost:/etc/ssl# cat ./crl/crl.pem
-----BEGIN X509 CRL-----
MIIDGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgZMxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQK
...
UxontUkZ5vFwS7EEFyZPyvJq5Ebp5GGkryV8aao8zoHUPRVK0vBECMw0T5mHAKDx
OtoURsbqXrRcKBZ4jV0B/Cxdjr46WvL3GTYb/q4=
-----END X509 CRL-----
Once the certificate has been revoked, a new one with the same common name can be reissued, starting form the same CSR.
For re-issuing an expired certificate or a revoked one, it is necessary to have its original CSR. If, for some reasons, the original file was lost, it can be re-created provided that both the certificate and the private key files are available.
Suppose that we need to re-create the CSR of the Henry Smith's certificate. The command to run is the following.
root@myhost:~# cd /etc/ssl/reqs
root@myhost:/etc/ssl/reqs# openssl x509 -x509toreq -in ../mycerts/HenryCert.pem -signkey ../private/HenryKey.pem -out HenryReq.extracted.pem
To renew an expired client (server or user) certificate, it must be first revoked. Then, the CA can generate a new certificate with updated expiration date (remember to update the section [ usr_cert ] in the file openssl.cnf before running the commands).
root@myhost:~# cd /etc/ssl
root@myhost:/etc/ssl# openssl ca -revoke ./mycerts/HenryCert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem: TYPE_YOUR_SECRET
Revoking Certificate 02.
Data Base Updated
root@myhost:/etc/ssl# mv ./mycerts/HenryCert.pem ./mycerts/HenryCert.pem.revoked
root@myhost:/etc/ssl# openssl ca -in ./reqs/HenryReq.pem -days 1095 -out ./mycerts/HenryCert.pem -notext
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem: TYPE_YOUR_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Nov 19 09:14:23 2022 GMT
Not After : Nov 18 09:14:23 2025 GMT
Subject:
countryName = US
stateOrProvinceName = California
organizationName = My Company
commonName = Henry Smith
emailAddress = henry@mycompany.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F7:00:C9:FE:E6:0B:3D:92:96:81:4B:DB:B9:A1:FD:0C:35:A6:8B:C0
X509v3 Authority Key Identifier:
00:32:A8:49:BC:A0:EF:26:DA:50:D0:A4:E6:1C:B0:17:58:57:F6:1F
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 Subject Alternative Name:
email:henry.smith@mycompany.com, email:henry@mycompany.com
Certificate is to be certified until Nov 18 09:14:23 2025 GMT (1095 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
To renew an expired root CA certificate we have first to obtain its original CSR from the current certificate, paying attention to copy all relevant extensions. Then, a new certificate can be issued, copying again the extensions.
root@myhost:~# cd /etc/ssl/cacerts
root@myhost:/etc/ssl/cacerts# openssl x509 -x509toreq -in cacert.pem -signkey ../private/cakey.pem -out newcaReq.pem -copy_extensions copyall
Enter pass phrase for ../private/cakey.pem: TYPE_YOUR_SECRET
root@myhost:/etc/ssl/cacerts# openssl x509 -req -days 7300 -in newcaReq.pem -signkey ../private/cakey.pem -out newcaCert.pem -copy_extensions copyall
Enter pass phrase for ../private/cakey.pem: TYPE_YOUR_SECRET
Certificate request self-signature ok
subject=C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
Then the new root CA certificate with updated expiration date is ready.
root@myhost:/etc/ssl/cacerts# openssl x509 -in newcaCert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7d:a3:2c:25:09:97:21:17:20:ba:1d:e3:15:f0:8c:ce:96:11:ea:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
Validity
Not Before: Nov 19 09:45:25 2022 GMT
Not After : Nov 14 09:45:25 2042 GMT
Subject: C = US, ST = California, L = San Francisco, O = My Company, CN = My Company Root CA, emailAddress = netadmin@mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e3:8a:a4:10:73:4c:d9:c9:3f:a1:d3:fa:14:bb:
76:86:fd:05:d4:78:b4:80:62:89:a0:75:75:a8:f3:
...
e6:a8:fc:57:e9:20:02:c0:24:67:3a:a3:41:8c:a0:
b2:2b:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
00:32:A8:49:BC:A0:EF:26:DA:50:D0:A4:E6:1C:B0:17:58:57:F6:1F
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
17:58:7c:f3:3a:62:3f:ae:62:8c:d6:ed:68:f3:ac:1e:9a:31:
b5:81:2d:af:b9:aa:f7:e0:0c:e3:13:58:fc:e6:73:90:66:34:
...
2d:2f:e7:b2:e8:4f:d1:c0:f1:5a:f5:39:9f:cb:0a:b7:c4:cd:
1c:c8:ce:1d:be:f4:82:d4
It can be also checked that the new root CA certificate verifies the client certificates issued by the former CA certificate.
root@myhost:/etc/ssl/cacerts# openssl verify -CAfile ./newcaCert.pem -verbose ../mycerts/wwwCert.pem
../mycerts/wwwCert.pem: OK
DISCLAIMER
The material and methods reported in Linux Admin Smart Guide, even if tested, are provided without any guarantee. All the commands are run as privileged (root) user, so it is highly recommended to try them first on non-production machines and, in any case, to always do backups first. Linux Admin Smart Guide is not responsible for any damage or data loss caused by misformulated commands or inadvertently launched commands.
To gain a root shell, run the command sudo su -l from the shell of a regular user who is included in the sudoers list, or simply the command su -l and then providing the root password.