How to use the public, private key-pair and certificate?

How to use the public, private key-pair and certificate?

I can meet lots of SSL certification to protect web server host. I am not the security engineer. Therefore, It is difficult to understand the relationship private-public key pair and the certification. I have recently found the answer from here. Now I will follow these if it works or not. In this post, I will use "openssl" to handle.

1. Install the "openssl" on ubuntu

Basically, this openssl has been installed on ubuntu, therfore, I do not need to install again.

# apt-get install openssl

2. Generate the private keys

In this post, I create private key of 2048 size with RSA algorithm at first. 

# openssl genrsa -out myprivate.pem 2048 Generating RSA private key, 2048 bit long modulus ......+++ ...............................................+++ e is 65537 (0x10001) # cat myprivate.pem -----BEGIN RSA PRIVATE KEY----- something............xxxxxxxxxxxxxxxxxxxxxxxxx -----END RSA PRIVATE KEY-----

3. Generate the public keys

With the private key, I can generate the public key with RSA key management command.

# openssl rsa -in myprivate.pem -outform PEM -pubout -out public.pem writing RSA key # cat public.pem -----BEGIN PUBLIC KEY----- something............xxxxxxxxxxxxxxxxxxxxxxxxx -----END PUBLIC KEY-----

4. Create a CSR (Certificate Signing Request)

To create a CSR, "req" command is for PKCS#10 X.509 Certificate Signing Request (CSR) Management. CSR should be created with the private key which is created. During creation, some information are required to insert.

# openssl req -new -key myprivate.pem -out mycert.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:KR State or Province Name (full name) [Some-State]:SEOUL Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

After above status, I will get csr file.

5. Create a Self-signed Certificate 

With the create CSR file and Private key, I can create the Self-signed Certificate (CRT) file, which I can share. 

# openssl x509 -req -days 365 -in mycert.csr -signkey myprivate.pem -out cert.crt Signature ok subject=/C=KR/ST=SEOUL/O=Internet Widgits Pty Ltd Getting Private key

I create the CRT file with expiration. (-days option define the date to expire). This is important because CRT file can be shared.

6. How to Use these Keys and Certifications

Now, I have four files (Public-Private Key Pairs, CSR and CRT files). At first, I create sample documentation. 

# cat this_sample.txt Hi, I am doing some test now

Before I encrypt file above. I want to see the command option of "openssl rsautl". In this command, I will use -encrypt and -decrypt options. Please note that -encrypt require "public key" not "private key" and reverse versa. "-pkcs" option is default pandding option.

# openssl rsautl --help Usage: rsautl [options] -in file        input file -out file       output file -inkey file     input key -keyform arg    private key format - default PEM -pubin          input is an RSA public -certin         input is a certificate carrying an RSA public key -ssl            use SSL v2 padding -raw            use no padding -pkcs           use PKCS#1 v1.5 padding (default) -oaep           use PKCS#1 OAEP -sign           sign with private key -verify         verify with public key -encrypt        encrypt with public key -decrypt        decrypt with private key -hexdump        hex dump output -engine e       use engine e, possibly a hardware device. -passin arg    pass phrase source

Now, I encrypt this file with Public key with RSA utility command which are used for signing, verification, encryption and decryption. Please, note "-pubin" option is important factor to encrypt file.

# openssl rsautl -encrypt -inkey public.pem -pubin -in this_sample.txt -out encrypted_sample

Now, I have encrypted file. At this time, I have some question. How can I recover this file. 

# openssl rsautl -decrypt -inkey myprivate.pem -keyform PEM -in encrypted_sample -out decrypted_sample # cat decrypted_sample Hi, I am doing some test now

It's works. However, I have something left. What is the CRT file for?. CRT file can be shared. Someone can get the public key from this CRT file.

# openssl x509 -pubkey -in cert.crt -out certpubkey.pem -----BEGIN PUBLIC KEY----- something......... xxxxxxxxxxxxxxxxxxx -----END PUBLIC KEY-----

With this public key, I can send some file with encryption.

7. Encrypt with Private Key and Decrypt with Public Key

So far, I encrypt with Public key and I decrypt with Private key. However, I have question if it is do with reverse. The answer is "yes". However, it is not possible with "openssl" command line. Therefore, I can not handle this anymore at this time in this post.

Reference

[ 1 ] https://security.stackexchange.com/questions/108508/how-do-i-produce-a-ca-signed-public-key

[ 2 ] https://unix.stackexchange.com/questions/296697/how-to-encrypt-a-file-with-private-key