How to use the public, private key-pair and certificate?



I can meet lots of SSL certification to protect web server host. I am not the security engineer. Therefore, It is difficult to understand the relationship private-public key pair and the certification. I have recently found the answer from here. Now I will follow these if it works or not. In this post, I will use "openssl" to handle.


1. Install the "openssl" on ubuntu


Basically, this openssl has been installed on ubuntu, therfore, I do not need to install again.


# apt-get install openssl 


2. Generate the private keys


In this post, I create private key of 2048 size with RSA algorithm at first. 


# openssl genrsa -out myprivate.pem 2048

Generating RSA private key, 2048 bit long modulus

......+++

...............................................+++

e is 65537 (0x10001)


# cat myprivate.pem

-----BEGIN RSA PRIVATE KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END RSA PRIVATE KEY----- 


3. Generate the public keys


With the private key, I can generate the public key with RSA key management command.


# openssl rsa -in myprivate.pem -outform PEM -pubout -out public.pem

writing RSA key


# cat public.pem

-----BEGIN PUBLIC KEY-----

something............xxxxxxxxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----


4. Create a CSR (Certificate Signing Request)


To create a CSR, "req" command is for PKCS#10 X.509 Certificate Signing Request (CSR) Management. CSR should be created with the private key which is created. During creation, some information are required to insert.


# openssl req -new -key myprivate.pem -out mycert.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:KR

State or Province Name (full name) [Some-State]:SEOUL

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


After above status, I will get csr file.


5. Create a Self-signed Certificate 


With the create CSR file and Private key, I can create the Self-signed Certificate (CRT) file, which I can share

# openssl x509 -req -days 365 -in mycert.csr -signkey myprivate.pem -out cert.crt

Signature ok

subject=/C=KR/ST=SEOUL/O=Internet Widgits Pty Ltd

Getting Private key


I create the CRT file with expiration. (-days option define the date to expire). This is important because CRT file can be shared.


6. How to Use these Keys and Certifications


Now, I have four files (Public-Private Key Pairs, CSR and CRT files). At first, I create sample documentation. 


# cat this_sample.txt

Hi, I am doing some test now


Before I encrypt file above. I want to see the command option of "openssl rsautl". In this command, I will use -encrypt and -decrypt options. Please note that -encrypt require "public key" not "private key" and reverse versa. "-pkcs" option is default pandding option.


# openssl rsautl --help

Usage: rsautl [options]

-in file        input file

-out file       output file

-inkey file     input key

-keyform arg    private key format - default PEM

-pubin          input is an RSA public

-certin         input is a certificate carrying an RSA public key

-ssl            use SSL v2 padding

-raw            use no padding

-pkcs           use PKCS#1 v1.5 padding (default)

-oaep           use PKCS#1 OAEP

-sign           sign with private key

-verify         verify with public key

-encrypt        encrypt with public key

-decrypt        decrypt with private key

-hexdump        hex dump output

-engine e       use engine e, possibly a hardware device.

-passin arg    pass phrase source


Now, I encrypt this file with Public key with RSA utility command which are used for signing, verification, encryption and decryption. Please, note "-pubin" option is important factor to encrypt file.


# openssl rsautl -encrypt -inkey public.pem -pubin -in this_sample.txt -out encrypted_sample


Now, I have encrypted file. At this time, I have some question. How can I recover this file. 


# openssl rsautl -decrypt -inkey myprivate.pem -keyform PEM -in encrypted_sample -out decrypted_sample


# cat decrypted_sample

Hi, I am doing some test now


It's works. However, I have something left. What is the CRT file for?. CRT file can be shared. Someone can get the public key from this CRT file.


# openssl x509 -pubkey -in cert.crt -out certpubkey.pem

-----BEGIN PUBLIC KEY-----

something......... xxxxxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----


With this public key, I can send some file with encryption.


7. Encrypt with Private Key and Decrypt with Public Key


So far, I encrypt with Public key and I decrypt with Private key. However, I have question if it is do with reverse. The answer is "yes". However, it is not possible with "openssl" command line. Therefore, I can not handle this anymore at this time in this post.


Reference


[ 1 ] https://security.stackexchange.com/questions/108508/how-do-i-produce-a-ca-signed-public-key

[ 2 ] https://unix.stackexchange.com/questions/296697/how-to-encrypt-a-file-with-private-key

+ Recent posts