I have a public key, a 192 bit hash, and a 384 bit signature, all as .txt hex files, and the curve is prime192v1.
What command lines can I use to verify the message with OpenSSL?
For reference, the EC key can be created with the following command:
Create the EC key:
$ openssl ecparam -genkey -name prime192v1 > key.pem
Extract the public key:
$ openssl ec -in key.pem -pubout > pub.pem
Signing the hash of a message and verifying the signature with an EC key can be done the same way as with other key types:
Calculate the hash (use a hash funtion of your choice):
$ openssl dgst -sha256 -binary message.txt > hash.txt
Sign the hash with the private key:
$ openssl pkeyutl -sign -inkey key.pem -in hash.txt > sig.txt
Verify the signature with the public key:
$ openssl pkeyutl -verify -in hash.txt -sigfile sig.txt -inkey key.pem
Signature Verified Successfully
Related
For testing purposes, I need a revoked PEM certificate.
So I created a certificate:
Generate CSR & KEY: openssl req -new -newkey rsa:4096 -nodes -keyout test.key -out test.csr
Generate PEM and self-sign with KEY: openssl x509 -req -sha256 -days 365 -in test.csr -signkey test.key -out test.pem
When I try to revoke with openssl -revoke a get an error variable lookup failed
How can I revoke this certificate?
I have created private key and public key using below commands,
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
Seems like both are in different format.
I need to convert rsa privatekey.pem to x509 format.
Is there any way i can do that?
Probably, you meant a conversion of the RSA private key to the PKCS8 format.
From starting with:
-----BEGIN RSA PRIVATE KEY-----
To:
-----BEGIN PRIVATE KEY-----
If so, use the following command:
openssl pkcs8 -topk8 -in rsa.private.key -out pkcs8.private.key -nocrypt
well i have tried the below
openssl x509 -req -in <cert_name>.csr -signkey <key_name>.key -out output.crt
but seems to throw an error
140735226307408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
Any solutions?
The source of the problem is the form of your CSR : While working with X509, your data can be store using 2 forms : DER and PEM.
By default openssl assumes you are using PEM.
In your case, you should first convert the CSR in PEM format :
openssl req -inform DER -in <cert_name>.csr -out <cert_name>.pem
And then
openssl x509 -req -in <cert_name>.pem -signkey <key_name>.key -out output.crt
I am trying this for the past week. I dont know where I am going wrong. I want to setup a MDM server that dont have static IP. I have a DNS resolvable name for the server. I have the identity.key and identity.csr for which I created the MDM vendor certificate. I wrote a following .bat file to generate other certificates
echo 1. Creating Certificate Authority (CA)
echo For 'Common Name' enter something like 'MDM Test CA
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
echo 2. Creating the Web Server private key and certificate request
echo For 'Common Name' enter your server's DNS Name
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
echo 3. Signing the server key with the CA. You'll the CA passphrase from step 1.
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile .\server.cnf -extensions ssl_server
echo 4. Signing the identity key with the CA. You'll the CA passphrase from step 1.
echo Give it a passphrase. You'll need to include that in the IPCU profile
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
I used the identity.p12 file and created a encoded plist file for which push notification certificate is created. I also create a MDM profile in IPCU with the identity.p12 file. When I try to install the MDM profile, the mobile console says "Certificate in the server is invalid" and in the server it says SSL handshake failed and the server gets hanged.
What might be the issue?
In server.cnf -> subjectAltName I gave a parameter named DNS with DNS resolvable name and removed the IP. Now it is working fine.
I want to create a MDM server to manage my iOS devices. I have enrolled in iOS Enterprise Developer program. And executed the following openSSL commands
"1. Creating Certificate Authority (CA)"
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
"2. Creating the Web Server private key and certificate request"
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
"3. Signing the server key with the CA. You'll the CA passphrase from step 1."
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile ./server.cnf -extensions ssl_server
"4. Creating the device Identity key and certificate request"
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
"5. Signing the identity key with the CA. You'll the CA passphrase from step 1."
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
"6. Generating keys and certs for plist generation"
openssl req -inform pem -outform der -in identity.csr -out customer.der
I uploaded the generated identity.csr and got an MDM certificate.
With customer.der, AppleWWDRCA.cer, AppleIncRootCertificate.cer, MDM.cer (obtained from iOS Enterprise Developer) and with Identity.p12 I created a Java code to generate encoded plist file. I used this file and got APNSPushCert. It worked fine.
Now the problem is that the IP address of the computer got changed and I don't want to create the new MDM Vendor certificate.
As I understand the only place I mention the IP is server.cnf. I changed the IP in server.cnf and executed all the commands except 4. I placed the identity.key and identity.csr in the same folder before executing. Now every thing works fine but when I upload the encoded plist file for getting APNSPushCert site says Certificate Signature Verification failed.
I really don't understand what went wrong.
This is something to do with the SSL certificate you are using. It always validates the common name in the device side. You have to use either you domain name or the ip address of your server under common name of SSL certificate. Make sure it doesnt change. If it changes binding it to a DNS will work.
I tried to copy the same .der (costomer.der) file too and recompiled the program again. Now it is working fine. Also, I used DNS resolvable name as URI. Now all these are working fine.