Cryptography Tutorials - Tutorial Notes - OpenSSL - Certification Path and Validation
(Continued from previous part...)
2. Generating a certificate for John and signed by , john.crt:
>echo Generating keys for John
>openssl genrsa -des3 -out john_rsa.key
...
>echo Generating a certificate signing request for John
>openssl req -new -key john_rsa.key -out john.csr -config openssl.cnf
...
>echo Signing John's request by 's key
>openssl x509 -req -in john.csr -CA .crt -CAkey _rsa.key -out john.crt -set_serial 3
...
3. Generating a certificate for Bill and signed by John, bill.crt:
>echo Generating keys for Bill
>openssl genrsa -des3 -out bill_rsa.key
...
>echo Generating a certificate signing request for Bill
>openssl req -new -key bill_rsa.key -out bill.csr -config openssl.cnf
...
>echo Signing Bill's request by John's key
>openssl x509 -req -in bill.csr -CA john.crt -CAkey john_rsa.key -out bill.crt -set_serial 7
...
4. Generating a certificate for Tom and signed by Bill, tom.crt:
>echo Generating keys for Tom
>openssl genrsa -des3 -out tom_rsa.key
...
>echo Generating a certificate signing request for Tom
>openssl req -new -key tom_rsa.key -out tom.csr -config openssl.cnf
...
>echo Signing Tom's request by Bill's key
>openssl x509 -req -in tom.csr -CA bill.crt -CAkey bill_rsa.key -out tom.crt -set_serial 11
...
Ok. 4 certificates are enough to do some interesting tests with the "verify" command:
5. Verify the shortest certification path, one certificate only:
>openssl verify .crt
.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN= Yang
error 18 at 0 depth lookup:self signed certificate
OK
>openssl verify -CAfile .crt .crt
.crt: OK
OK
>openssl verify john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate
>openssl verify -CAfile john.crt john.crt
john.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 20 at 0 depth lookup:unable to get local issuer certificate
Note that:
- You will get an OK with an error when validating a self-signed certificate without specifying it as the CA certificate.
- You will get a perfect OK when validating a self-signed certificate with the CA certificate specified as itself.
- You will get an error when validating a non self-signed certificate, with or without specifying it as the CA certificate.
6. Verify certification paths of two certificates:
>openssl verify -CAfile .crt john.crt
john.crt: OK
>openssl verify -CAfile .crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill White
error 20 at 0 depth lookup:unable to get local issuer certificate
>openssl verify -CAfile john.crt bill.crt
bill.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=John Smith
error 2 at 1 depth lookup:unable to get issuer certificate
Note that:
- Test 1: Perfect.
- Test 2: Path broken at depth 0. Could not find the issuer of bill.crt.
- Test 3: Path broken at depth 1. Could not find the issuer of john.crt.
7. Verify certification paths of several certificates:
>openssl verify -CAfile .crt -untrusted john.crt bill.crt
bill.crt: OK
>openssl verify -CAfile .crt -untrusted bill.crt tom.crt
tom.crt: /C=CN/ST=PN/L=LN/O=ON/OU=UN/CN=Bill Gate
error 20 at 1 depth lookup:unable to get local issuer certificate
>copy john.crt+bill.crt all.crt
>openssl verify -CAfile .crt -untrusted all.crt tom.crt
tom.crt: OK
Note that:
- Test 1: Perfect.
- Test 2: Path broken at depth 1. Could not find the issuer of bill.crt.
- Test 3: Perfect. Look at how I joined two certificates together with the DOS command "copy".
Conclusion
The certification path concept is simple. Just remember that the previous certificate identifies the issuer of the next certificate.
The OpenSSL "verify" tool is cool. It needs only two command options: -CAfile and -untrusted.
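The name chaining summarized above, as an added example that is not part of the original tutorial and is not OpenSSL's own code: a simplified Python model that reduces each certificate to a (subject, issuer) pair and returns the error code and depth shown in steps 5 to 7. It checks names only (no signatures, validity dates or extensions), and "Root CA" is a placeholder for the CA certificate whose name is missing from this page.

```python
# Added example: a simplified model of issuer-name chaining, not OpenSSL code.
# A certificate is reduced to (subject, issuer). "Root CA" is a placeholder for
# the self-signed CA certificate whose name is missing from this page.
ROOT = ("Root CA", "Root CA")
JOHN = ("John", "Root CA")
BILL = ("Bill", "John")
TOM = ("Tom", "Bill")


def find_issuer(cert, pool):
    """Return the certificate in pool whose subject matches cert's issuer."""
    return next((c for c in pool if c[0] == cert[1]), None)


def verify(leaf, cafile=(), untrusted=()):
    """Return (code, depth); code 0 means the path ended at a trusted root."""
    chain, from_store = [leaf], False
    while True:
        top, depth = chain[-1], len(chain) - 1
        if top[0] == top[1]:  # self-signed certificate: the path ends here
            if top in cafile:
                return (0, depth)
            # 18: self-signed leaf; 19: self-signed certificate higher up
            return (18, 0) if depth == 0 else (19, depth)
        # Once a certificate came from the trust store, only the store is used.
        issuer = None if from_store else find_issuer(top, untrusted)
        if issuer is None:
            issuer = find_issuer(top, cafile)
            if issuer is None:
                # 2: a certificate taken from the trust store lacks its issuer
                # 20: no certificate in the path came from the trust store
                return (2 if from_store else 20, depth)
            from_store = True
        if issuer in chain:  # name loop: treated as a missing issuer here
            return (2 if from_store else 20, depth)
        chain.append(issuer)


if __name__ == "__main__":
    # The three tests of step 7: -CAfile is the root, -untrusted varies.
    print(verify(BILL, cafile=[ROOT], untrusted=[JOHN]))
    print(verify(TOM, cafile=[ROOT], untrusted=[BILL]))
    print(verify(TOM, cafile=[ROOT], untrusted=[JOHN, BILL]))
```

The cafile argument plays the role of -CAfile (the trusted end of the path) and untrusted the role of -untrusted (intermediate certificates that help build the path but are never trusted by themselves).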