Tag Archives: ssl

Creating a PKCS7 (P7B) Using OpenSSL

Posted by Paul Kehrer on March 20, 2009 0 comments

Continuing the howto nature of this blog (and its peculiar obsession with OpenSSL), here’s a primer on packaging an arbitrary number of certificates into a single PKCS7 container. These files are quite useful for installing multiple certificates on Windows servers. They differ from PKCS12 (PFX) files in that they can’t store private keys. If you [...]

Checking A Remote Certificate Chain With OpenSSL

Posted by Paul Kehrer on March 14, 2009 1 comment

If you deal with SSL/TLS long enough you will run into situations where you need to examine what certificates are being presented by a server to the client. The best way to examine the raw output is via (what else but) OpenSSL.1 First let’s do a standard webserver connection (-showcerts dumps the PEM encoded certificates [...]

Generating (Very) Large Primes

Posted by Paul Kehrer on March 7, 2009 0 comments

Have you ever wondered how big the “large primes” that RSA encryption is based on really are? What exactly does a “1024-bit” key mean anyway? And if the difficulty of RSA is partially based on factoring large numbers, how do we create these large primes without determining primality via factorization? The easiest way to demonstrate [...]

Re-Signing An Expired CA Certificate

Posted by Paul Kehrer on March 5, 2009 0 comments

On rare occasions you may find yourself with a self-signed internal CA that has expired while you are still using certificates issued from the CA. One potential solution to this problem is to self-sign a new cert with identical fields using the private key from the old certificate.1 You can fill in almost all the [...]

OpenSSL SAN/UCC Certificate Generation

Posted by Paul Kehrer on February 28, 2009 1 comment

Signing a CSR containing subjectAltName (SAN/UCC) extensions isn’t hard, but can be a daunting challenge for the OpenSSL neophyte. We’re going to use the OpenSSL Self-Signed CA to accomplish this task in two ways. Pre-Existing SAN CSR Either you already have a SAN CSR from another source or you generated one using the tutorial from [...]

Creating a SubjectAltName (SAN/UCC) CSR

Posted by Paul Kehrer on February 27, 2009 6 comments

SAN certificates (or as Microsoft and others have taken to calling them, Unified Communications Certificates) are rapidly becoming a popular option for securing multiple domains. In fact, Exchange 2007, OCS 2007, and several other products now require UCC to function. However, this certificate type can proffer some advantages beyond that of a wildcard certificate as [...]