OpenSSL 1.0.0 command process for generating certificates in P12, jks, and CRT formats
The generated certificate can be used in browsers, Java, tomcat, C ++, and so on. In this memo!
1. Create a root certificate Private Key
Command:
OpenSSL genrsa-out root-key.key 1024
2. Create a root certificate request file
Command:
OpenSSL req-New-out root-req.csr-key root-key.key-keyform PEM
3. Self-Signed root certificate
Command:
OpenSSL X509-req-In root-req.csr-out root-cert.cer-signkey root-key.key-cacreateserial-days 3650
4. Export the root certificate in p12 format
Command:
OpenSSL PKCS12-export-clcerts-In root-cert.cer-inkey root-key.key-out root. p12
5. Generate the root. jks File
Keytool-import-v-trustcacerts-storepass 123456-alias root-file root-cert.cer-keystore
Root. jks
Generate client files:
1. Generate client key
OpenSSL genrsa-out client-key.key 1024
2. Generate the client request file
OpenSSL req-New-out client-req.csr-key client-key.key
3. Generate client certificates (root certificate, rootkey, client key, client request file)
OpenSSL X509-req-In client-req.csr-out client-cert.cer-signkey client-key.key-Ca root-cert.cer
-Cakey root-key.key-cacreateserial-days 3650
4. Generate the client p12 format root certificate
OpenSSL PKCS12-export-clcerts-In client-cert.cer-inkey client-key.key-out client. p12
Client jks:
Keytool-import-v-trustcacerts-storepass 123456-alias client-file client-cert.cer-keystore
Client. jks
Generate a server file:
1. Generate the server key
OpenSSL genrsa-out server-key.key 1024
2. Generate a server request file
OpenSSL req-New-out server-req.csr-key server-key.key
3. Generate the server certificate (root certificate, rootkey, client key, client request file)
OpenSSL X509-req-In server-req.csr-out server-cert.cer-signkey server-key.key-Ca root-cert.cer
-Cakey root-key.key-cacreateserial-days 3650
4. Generate a server p12 root certificate
OpenSSL PKCS12-export-clcerts-In server-cert.cer-inkey server-key.key-out server. p12
Server jks
Keytool-import-v-trustcacerts-storepass 123456-alias server-file server-cert.cer-keystore
Server. jks
Password-less key command:
OpenSSL RSA-In client-key.key-out client-key.key.unsecure
Signing nsdata (using sha256 with RSA ):
NSData* PKCSSignBytesSHA256withRSA(NSData* plainData, SecKeyRef privateKey){ size_t signedHashBytesSize = SecKeyGetBlockSize(privateKey); uint8_t* signedHashBytes = malloc(signedHashBytesSize); memset(signedHashBytes, 0x0, signedHashBytesSize); size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH; uint8_t* hashBytes = malloc(hashBytesSize); if (!CC_SHA256([plainData bytes], (CC_LONG)[plainData length], hashBytes)) { return nil; } SecKeyRawSign(privateKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, &signedHashBytesSize); NSData* signedHash = [NSData dataWithBytes:signedHashBytes length:(NSUInteger)signedHashBytesSize]; if (hashBytes) free(hashBytes); if (signedHashBytes) free(signedHashBytes); return signedHash;}
Verification (using sha256 with RSA ):
BOOL PKCSVerifyBytesSHA256withRSA(NSData* plainData, NSData* signature, SecKeyRef publicKey){ size_t signedHashBytesSize = SecKeyGetBlockSize(publicKey); const void* signedHashBytes = [signature bytes]; size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH; uint8_t* hashBytes = malloc(hashBytesSize); if (!CC_SHA256([plainData bytes], (CC_LONG)[plainData length], hashBytes)) { return nil; } OSStatus status = SecKeyRawVerify(publicKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, signedHashBytesSize); return status == errSecSuccess;}
Alternatives (OpenSSL ):
There is a very good alternative available which utilizes OpenSSL directly instead of libcommoncrypto. mihcrypto is a well-designed objective-C wrapper library for OpenSSL which makes working with cryptography very easy. see the example below.
Generating a key is that simple:
MIHAESKeyFactory *factory = [[MIHAESKeyFactory alloc] init];id<MIHSymmetricKey> aesKey = [factory generateKey];
Or loading a key from file:
NSData *privateKeyData = [[NSFileManager defaultManager] contentsAtPath:"mykey.pem"];MIHRSAPrivateKey *privateKey = [[MIHRSAPrivateKey alloc] initWithData:privateKeyData];
Now sign something:
NSError *signingError = nil;NSData *message = // load something to sign from somewhereNSData *signature = [privateKey signWithSHA256:message error:&signingError]
For more examples browse the mihcrypto page.
OpenSSL implements two-way authentication for server clients