Archive for the ‘PKI’ Category

Creating your own self-signed certificates and keys (UPDATED)

I’ve set up a little PHP page that will generate self-signed certificates and bundle the associated private key in a PKCS12 file:

http://content.cryptofreek.org/pkcs12/

Basically it uses OpenSSL like this:

openssl genrsa -aes256 2048 > temp.key
openssl req -new -x509 -key temp.key -out temp.crt -days 365 -subj "/CN=John\ Doe/emailAddress=john.doe@mail.com"
openssl pkcs12 -export -in temp.crt -out temp.p12 -name "my self signed P12 from cryptofreek.org" -inkey temp.key

It’s a handy little utility; a quick and dirty way to generate certificates for testing. I’m sure that I will broaden the features soon.

I originally wrote some bash scripts that used the “openssl” command on the server, but it was kinda hokey with a bit too much file IO.

Now, the backend has been rewritten to use the (sparsely documented) OpenSSL functions in PHP.
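The same three steps done with PHP's OpenSSL extension and no temporary files, as an added example; this is not the site's actual backend code. The function name make_self_signed_p12, the friendly-name suffix and the sample passphrase are assumptions made for illustration.

```php
<?php
// Added example, not the cryptofreek.org backend. Names and sample values are hypothetical.
declare(strict_types=1);

/**
 * Generate an RSA key and a self-signed certificate, and return both as
 * PKCS#12 bytes. The private key only ever exists in memory; the passphrase
 * protects it inside the returned P12.
 */
function make_self_signed_p12(string $cn, string $email, string $passphrase, int $days = 365): string
{
    if ($passphrase === '') {
        throw new InvalidArgumentException('refusing to export a private key without a passphrase');
    }
    $cfg = ['digest_alg' => 'sha256'];

    // Step 1, as in: openssl genrsa 2048
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }

    // Step 2, as in: openssl req -new -x509 -days N -subj "/CN=.../emailAddress=..."
    $csr = openssl_csr_new(['commonName' => $cn, 'emailAddress' => $email], $key, $cfg);
    if ($csr === false) {
        throw new RuntimeException('CSR creation failed: ' . openssl_error_string());
    }
    // A null CA certificate makes the result self-signed. Use a random serial
    // instead of the default 0 so repeated test certificates stay distinguishable.
    $crt = openssl_csr_sign($csr, null, $key, $days, $cfg, random_int(1, PHP_INT_MAX));
    if ($crt === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }

    // Step 3, as in: openssl pkcs12 -export -name "..."
    $p12 = '';
    $opts = ['friendly_name' => $cn . ' (self-signed test cert)'];
    if (!openssl_pkcs12_export($crt, $p12, $key, $passphrase, $opts)) {
        throw new RuntimeException('PKCS#12 export failed: ' . openssl_error_string());
    }
    return $p12;
}

// Round trip with constructed sample values: read the bundle back and inspect it.
$p12 = make_self_signed_p12('John Doe', 'john.doe@mail.com', 'constructed-test-passphrase');
if (!openssl_pkcs12_read($p12, $bag, 'constructed-test-passphrase')) {
    throw new RuntimeException('could not read back the PKCS#12 bundle');
}
$info = openssl_x509_parse($bag['cert']);
printf("subject CN:  %s\n", $info['subject']['CN']);
printf("self-signed: %s\n", $info['subject'] == $info['issuer'] ? 'yes' : 'no');
printf("valid until: %s\n", date('Y-m-d', $info['validTo_time_t']));
```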

Free PKI Certificates from CAcert.org

If you don’t know what a digital certificate is or why you might need one, I’ll save you the effort and you can stop reading here.

If, like me, you are either too poor or too cheap to give VeriSign your money … CAcert.org seems like an ok option.

I know, I know … This IS NOT an enterprise class, super reliable way of certifying users.  However, it is probably good enough for playing with your friends.

Signup is easy, issuing certificates is easy, revoking your certificates is easy.  Go give it a try…

Here’s my cert:


You can also grab the root and intermediate certificates here.