Tag Archives: openssl

RSA Encryption and Signing

Posted by Paul Kehrer on March 21, 2009 1 comment

OpenSSL provides several tools that allow you to RSA encrypt/sign arbitrary data files. Of course, directly RSA encrypting large volumes of data is impractical because the encrypted/signed data cannot exceed the size of the key material. This is one of the reasons why SSL connections typically handshake and then pass an AES (or RC4, et [...]

Creating a PKCS7 (P7B) Using OpenSSL

Posted by Paul Kehrer on March 20, 2009 0 comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. If you [...]

Checking A Remote Certificate Chain With OpenSSL

Posted by Paul Kehrer on March 14, 2009 1 comment

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1 First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates [...]

Re-Signing An Expired CA Certificate

Posted by Paul Kehrer on March 5, 2009 0 comments

On rare occasions you may find yourself with a self-signed internal CA that has expired while you are still using certificates issued from the CA. One potential solution to this problem is to self-sign a new cert with identical fields using the private key from the old certificate.1 You can fill in almost all the [...]

OpenSSL SAN/UCC Certificate Generation

Posted by Paul Kehrer on February 28, 2009 1 comment

Signing a CSR containing subjectAltName (SAN/UCC) extensions isn’t hard, but can be a daunting challenge for the OpenSSL neophyte. We’re going to use the OpenSSL Self-Signed CA to accomplish this task in two ways. Pre-Existing SAN CSR Either you already have a SAN CSR from another source or you generated one using the tutorial from [...]

Creating a SubjectAltName (SAN/UCC) CSR

Posted by Paul Kehrer on February 27, 2009 6 comments

SAN certificates (or as Microsoft and others have taken to calling them, Unified Communications Certificates) are rapidly becoming a popular option for securing multiple domains. In fact, Exchange 2007, OCS 2007, and several other products now require UCC to function. However, this certificate type can proffer some advantages beyond that of a wildcard certificate as [...]