Useful OpenSSL commands

1. How to set up a CA and sign a user certificate: http://pages.cs.wisc.edu/~zmiller/ca-howto/
   Commands used (the 1024-bit RSA keys below are what the howto uses; for anything real use 2048 bits or more):
   a. create a key pair (-des3 stores the private key encrypted; you are prompted for the passphrase here and again whenever the key is used)
       openssl genrsa -des3 -out root-ca.key 1024
   b. use the key to sign itself (this creates a self-signed CA certificate)
       openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config openssl.cnf
   c. take a look at the certificate we just created
       openssl x509 -noout -text -in root-ca.crt
   d. create a user key pair and certificate request (the key goes to xxx.key, the CSR to xxx.req)
      openssl req -newkey rsa:1024 -keyout xxx.key -config openssl.cnf -out xxx.req
   d1. print the request
      openssl req -text -noout -in xxx.req
   e. sign the request with the CA (openssl ca takes the CA key, CA certificate, index.txt and serial file from openssl.cnf)
      openssl ca -config openssl.cnf -out xxx.crt -infiles xxx.req
   f. convert the key to unencrypted PKCS#8 DER, the form signapk.jar expects (-nocrypt means the file holds the plain private key, so protect it accordingly)
      openssl pkcs8 -topk8 -outform DER -in xxx.key -inform PEM -out xxx.key.pk8 -nocrypt

2. How to sign an Android APK: http://stackoverflow.com/questions/12566939/android-apk-sign-information

   a. remove the old signature (the META-INF/ entries) from the apk
      for f in `aapt list HelloActivity.apk | grep "META-INF"`; do
          aapt remove HelloActivity.apk $f
      done
   b. sign the apk with the X.509 certificate and the PKCS#8 DER key from step 1f
      java -jar signapk.jar xxx.crt xxx.key.pk8 HelloActivity.apk HelloActivity-signed.apk
3. How to get signapk.jar (build it from the AOSP tree)
   a. go to the platform (AOSP) root folder
   b. . build/envsetup.sh; lunch <option>
   c. go to build/tools/signapk
   d. mm -B
   The same flow as steps 1d to 1f, with a debug naming scheme (kept here for reference):
   openssl req -newkey rsa:1024 -keyout xxx.debug.key -config openssl.cnf -out xxx.debug.req
   openssl ca -config openssl.cnf -out xxx.debug.crt -infiles xxx.debug.req
   openssl x509 -in xxx.debug.crt -noout -text
   openssl pkcs8 -topk8 -outform DER -in xxx.debug.key -inform PEM -out xxx.debug.key.pk8 -nocrypt
4. Verify signature (CERT.RSA is a DER-encoded PKCS#7 SignedData over CERT.SF; both come from the apk's META-INF/)
   a. show the content of the signature block
      openssl asn1parse -i -inform DER -in CERT.RSA
   b. verify the signature over CERT.SF; -noverify checks only the signature, using the certificate embedded in CERT.RSA, while -CAfile signing-cert.pem instead also validates the signer's chain
      openssl smime -verify -in CERT.RSA -inform DER -content CERT.SF -noverify
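A worked version of step 4, added here and not taken from the notes or from signapk.jar: it writes a constructed CERT.SF, signs it the way the JAR/APK v1 scheme does (a detached PKCS#7 SignedData in DER, built with -noattr so the signature is directly over CERT.SF, as signapk's are) with a throw-away self-signed certificate, runs the asn1parse and smime -verify checks from above, and then shows that editing CERT.SF breaks verification. The signer name, the file names and the CERT.SF content are this example's own.

```shell
#!/bin/sh
# Added example (not from the notes or from signapk.jar): build a CERT.SF/CERT.RSA
# pair the way the JAR/APK v1 scheme lays them out, inspect and verify them as in
# step 4, then show that an edited CERT.SF no longer verifies. The signer, the file
# names and the CERT.SF content are constructed for this example.
set -eu

make_signer() {    # $1 = dir: throw-away self-signed certificate and key (a minimal req config keeps -subj working everywhere)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=apk-test-signer" \
    -config "$1/req.cnf" -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

make_cert_sf() {   # $1 = dir: a constructed signature file (a real one lists a digest for every manifest entry)
  printf 'Signature-Version: 1.0\r\nCreated-By: example\r\nSHA1-Digest-Manifest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n' > "$1/CERT.SF"
}

sign_sf() {        # CERT.RSA: DER PKCS#7 SignedData detached from CERT.SF, signature directly over it (-noattr)
  openssl smime -sign -binary -noattr -in "$1/CERT.SF" -signer "$1/signer.crt" -inkey "$1/signer.key" \
    -outform DER -out "$1/CERT.RSA"
}

inspect_rsa() {    # step 4a, plus the signer certificate that CERT.RSA carries
  openssl asn1parse -i -inform DER -in "$1/CERT.RSA" | head -n 6
  openssl pkcs7 -inform DER -in "$1/CERT.RSA" -print_certs -noout
}

verify_sf() {      # step 4b; -noverify checks the signature with the embedded cert only, -CAfile would also check its chain
  openssl smime -verify -binary -inform DER -in "$1/CERT.RSA" -content "$1/CERT.SF" -noverify -out /dev/null
}

tamper_sf() {      # any change to CERT.SF, even an appended header, must break verification
  printf 'X-Injected: yes\r\n' >> "$1/CERT.SF"
}

dir=${1:-$(mktemp -d)}
make_signer "$dir"; make_cert_sf "$dir"; sign_sf "$dir"
inspect_rsa "$dir"
verify_sf "$dir" && echo "CERT.RSA verifies over the original CERT.SF"
tamper_sf "$dir"
verify_sf "$dir" 2>/dev/null || echo "after editing CERT.SF the signature no longer verifies"
```

Run it as `sh apk-sigblock.sh [dir]`; with no argument it works in a fresh temporary directory. To check a real apk, unzip META-INF/CERT.SF and META-INF/CERT.RSA and point verify_sf at them; -noverify is enough to see whether the block matches the file, and -CAfile tells you whether you trust who signed it.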

5. Import a CA certificate into Android (the system store is /system/etc/security/cacerts/, where each file is named <subject_hash_old>.<n>)
   a. get the hash of the certificate (Android names the files by the old, MD5-based subject hash, hence -subject_hash_old)
     openssl x509 -inform PEM -subject_hash_old -in signing-ca-1.crt | head -1
   b. generate the file to be stored on Android (text dump plus PEM; 019f6ef1 stands for whatever step a printed)
     openssl x509 -inform PEM -text -in signing-ca-1.crt > 019f6ef1.0
   c. in one step:
     openssl x509 -inform PEM -text -in signing-ca-1.crt > `openssl x509 -inform PEM -subject_hash_old -in signing-ca-1.crt | head -1`.0


Multiple-level CAs (the root CA signs an intermediate "signing" CA, which issues the user certificates)
1. Create the root key:
   openssl genrsa -des3 -out root-ca.key 1024
2. Use the root key to sign itself:
   openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt -config openssl.cnf
3. Create the CA directory layout (index.txt, serial, newcerts/) with the howto's helper script and move the root material in:
   perl mk_new_ca_dir.pl RootCA
   mv root-ca.crt RootCA
   mv root-ca.key RootCA
4. Create the signing (intermediate) CA: its CSR is signed by the root (-name CA_root selects the root's section in openssl.cnf, -extensions v3_ca marks the result as a CA). Note that -days on openssl req is ignored without -x509; the validity is set on openssl ca.
   openssl genrsa -des3 -out signing-ca-1.key 1024
   openssl req -new -key signing-ca-1.key -out signing-ca-1.csr -config openssl.cnf
   openssl ca -config openssl.cnf -name CA_root -extensions v3_ca -days 1095 -out signing-ca-1.crt -infiles signing-ca-1.csr
   perl mk_new_ca_dir.pl SigningCA1
   mv signing-ca-1.crt SigningCA1
   mv signing-ca-1.key SigningCA1
5. Create a user key and certificate (no -name, so openssl ca uses the default_ca section of openssl.cnf, which should point at SigningCA1)
   openssl req -newkey rsa:1024 -keyout zmiller.key -config openssl.cnf -out zmiller.req
   openssl ca -config openssl.cnf -out zmiller.crt -infiles zmiller.req
6. To get a hash:
       openssl x509 -noout -hash -in host.crt
   To get a subject:
       openssl x509 -noout -subject -in host.crt
   To see the whole cert:
       openssl x509 -noout -text -in host.crt

Export a certificate and its private key as PKCS#12 (you are prompted for an export password):
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
Import it into a Java keystore (the entry gets alias "1" unless -srcalias/-destalias are given):
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12

Strip the passphrase from a key (the output is an unencrypted PEM key, so guard it accordingly):
openssl rsa -in signing-ca-1.key -out server.key
Delete an entry from a Java keystore (here the alias "1" created by the PKCS#12 import above):
keytool -delete -alias 1 -keystore server.jks

Start an OCSP responder (answers from the CA's index.txt; ocsp.crt/ocsp_nopw.key are the responder's signing certificate and its unencrypted key, -CA is the CA that issued the certificates being checked):
openssl ocsp -index index.txt -port 8888 -rsigner ocsp.crt -rkey ocsp_nopw.key -CA signing-ca-1.crt -text -out log.txt
Issue an OCSP request (-issuer is the CA that issued xxx.pem, -VAfile the responder certificate trusted to sign responses):
openssl ocsp -issuer signing-ca-1.crt -cert xxx.pem -host 127.0.0.1:8888 -resp_text -respout resp.der -VAfile ocsp.crt

Verify OCSP stapling (-status asks for the stapled response and prints it; -tls1 forces TLS 1.0, so drop it unless that is what you are testing):
openssl s_client -connect 127.0.0.1:9443 -tlsextdebug -status -CApath /etc/ssl/certs/

// libcrypto equivalents: dump every certificate of a chain (STACK_OF(X509) *server_chain) as text and as PEM to a BIO
BIO *out = BIO_new_fp(stdout, BIO_NOCLOSE);
for (int i = 0; i < sk_X509_num(server_chain); i++) {
    X509_print(out, sk_X509_value(server_chain, i));          // text form, like "openssl x509 -text"
    PEM_write_bio_X509(out, sk_X509_value(server_chain, i));  // PEM form, like "openssl x509"
}
BIO_free(out);

//create an ECDSA key (secp224r1 is P-224; prime256v1, i.e. P-256, is the usual choice today)
openssl ecparam -name secp224r1 -genkey -out ecdsa224.key
//create a CSR (sha256 rather than sha1; -days is ignored here without -x509, so it goes on openssl ca)
openssl req -sha256 -new -key ecdsa224.key -out ecdsa224.req
//sign the request
openssl ca -days 3650 -in ecdsa224.req -out ecdsa224.pem
//revoke a certificate (marks its row R in the CA's index.txt)
openssl ca -revoke client_cert.pem
//generate a CRL from the index (needs default_crl_days in openssl.cnf or -crldays on the command line)
openssl ca -gencrl -out exampleca.crl
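The pieces above (section 1, the multiple-level CA procedure, the OCSP commands and the revoke/CRL lines) all hinge on an openssl.cnf the notes never show. The script below is an added example, not the howto's or the notes' own material: it writes that configuration with a CA_root and a CA_signing section (the -name trick from step 4), builds root, signing CA and leaf with openssl ca, verifies the chain, then revokes the leaf, issues a CRL and runs an OCSP request/response/verify cycle offline against the signing CA's index.txt (the -port responder above would read the same file). Keys are generated without a passphrase so it runs unattended; every directory, file and subject name is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original notes or the howto): a two-level CA built
# with `openssl ca`, then revocation, a CRL and an offline OCSP round trip.
# Keys are created without a passphrase so it runs unattended (the notes' -des3
# keys prompt for one); all names, paths and subjects are this example's own.
set -eu

write_config() {   # $1 = root CA dir, $2 = signing CA dir, $3 = config file to write
  cat > "$3" <<EOF
[ CA_root ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/root-ca.crt
private_key = $1/root-ca.key
default_md = sha256
default_days = 365
policy = policy_cn
[ CA_signing ]
database = $2/index.txt
new_certs_dir = $2/newcerts
serial = $2/serial
certificate = $2/signing-ca-1.crt
private_key = $2/signing-ca-1.key
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
default_md = sha256
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_pki() {      # $1 = output dir; RootCA/ and SigningCA1/ get the layout mk_new_ca_dir.pl creates
  mkdir -p "$1"; d=$(cd "$1" && pwd); root="$d/RootCA"; sub="$d/SigningCA1"
  for ca in "$root" "$sub"; do
    mkdir -p "$ca/newcerts"; : > "$ca/index.txt"; echo 1000 > "$ca/serial"
  done
  write_config "$root" "$sub" "$d/openssl.cnf"
  # root: key pair, then a self-signed CA certificate
  openssl genrsa -out "$root/root-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$root/root-ca.key" -subj "/CN=Demo Root CA" \
    -config "$d/openssl.cnf" -extensions v3_ca -out "$root/root-ca.crt"
  # signing CA: its CSR is signed by the root section with CA extensions
  openssl genrsa -out "$sub/signing-ca-1.key" 2048 2>/dev/null
  openssl req -new -key "$sub/signing-ca-1.key" -subj "/CN=Demo Signing CA 1" \
    -config "$d/openssl.cnf" -out "$sub/signing-ca-1.csr"
  openssl ca -batch -notext -config "$d/openssl.cnf" -name CA_root -extensions v3_ca \
    -days 1095 -in "$sub/signing-ca-1.csr" -out "$sub/signing-ca-1.crt"
  # end-entity certificate from the signing CA, plus the PKCS#8 DER key signapk.jar takes
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -subj "/CN=leaf.example" \
    -config "$d/openssl.cnf" -out "$d/leaf.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/openssl.cnf" -name CA_signing -extensions usr_cert \
    -in "$d/leaf.csr" -out "$d/leaf.crt"
  openssl pkcs8 -topk8 -nocrypt -in "$d/leaf.key" -outform DER -out "$d/leaf.key.pk8"
  cp "$root/root-ca.crt" "$sub/signing-ca-1.crt" "$d/"
}

verify_chain() {   # 0 only when leaf -> signing CA -> root validates with the root as sole trust anchor
  openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/signing-ca-1.crt" "$1/leaf.crt"
}

revoke_leaf() {    # mark the leaf R in SigningCA1/index.txt, then publish a CRL from that index
  openssl ca -config "$1/openssl.cnf" -name CA_signing -revoke "$1/leaf.crt"
  openssl ca -config "$1/openssl.cnf" -name CA_signing -gencrl -crldays 30 -out "$1/signing-ca-1.crl"
}

crl_check() {      # verify_chain plus the CRL: fails with "certificate revoked" after revoke_leaf
  openssl verify -crl_check -CAfile "$1/root-ca.crt" -untrusted "$1/signing-ca-1.crt" \
    -CRLfile "$1/signing-ca-1.crl" "$1/leaf.crt"
}

ocsp_status() {    # prints good or revoked; the responder step reads the index a -port responder would
  openssl ocsp -issuer "$1/signing-ca-1.crt" -cert "$1/leaf.crt" -no_nonce -reqout "$1/ocsp.req"
  openssl ocsp -index "$1/SigningCA1/index.txt" -CA "$1/signing-ca-1.crt" -rsigner "$1/signing-ca-1.crt" \
    -rkey "$1/SigningCA1/signing-ca-1.key" -reqin "$1/ocsp.req" -respout "$1/ocsp.resp"
  openssl ocsp -respin "$1/ocsp.resp" -issuer "$1/signing-ca-1.crt" -cert "$1/leaf.crt" -no_nonce \
    -CAfile "$1/root-ca.crt" | sed -n 's/^.*leaf\.crt: //p'
}

dir=${1:-$(mktemp -d)}
build_pki "$dir"
verify_chain "$dir"
echo "OCSP before revocation: $(ocsp_status "$dir")"
revoke_leaf "$dir"
echo "OCSP after revocation:  $(ocsp_status "$dir")"
crl_check "$dir" || echo "CRL check rejects the revoked leaf, as expected (files left in $dir)"
```

Run it as `sh pki-demo.sh ./pki-demo` (or with no argument for a temporary directory). The OCSP response is signed by the signing CA itself, so the client needs no -VAfile; with a separate responder certificate, as in the notes, the CA's config would issue it with the OCSPSigning extended key usage and the client would trust it through -VAfile. The nonce is disabled with -no_nonce only because the request and the check are two separate invocations here; over a real -port connection leave it on.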