Hey all
I wanted to share one of the issues I faced at work this week and the steps I took to debug it. The issue mostly revolved around the keystore that we use in our application, and it was a simple issue that took us around two days to figure out: we used the wrong private key and certificate combination, and it was overlooked, which led to two days of unnecessary work. I am sharing some of the steps I took to figure it out, which could be useful for you the next time. I am writing this post in two parts.
- Part 1: You create your own ssl certificates
- Part 2: You debug the certificate to see if the PK and Cert matches
Part 1 : Creating my own Self Signed Certificate
Creating a Private Key
- To create a new Private key in the PKCS#1 format execute the below command
# openssl genrsa -des3 -out key_name.key key_strength
openssl genrsa -des3 -out private_key.key 2048
Creating a Certificate Signing Request
- To Create a new certificate signing request with the above private key execute the following command
# openssl req -new -key key_name.key -out csr_name.csr
openssl req -new -key private_key.key -out certificate_signing_request.csr
Note : Your certificate signing request is not your actual cert. It only contains the information which is needed to generate a certificate based on your private key
Creating a Certificate
- Execute the below command to get a certificate out of the csr we created above
openssl x509 -req -in certificate_signing_request.csr -signkey private_key.key -out certificate.crt
Creating a JKS Keystore
To add the certificate and private key to a keystore, the following commands are required
- Convert your certificate and private key into a PKCS12 (.p12 or .pfx) file using the below command
openssl pkcs12 -export -out keystore_pkcs.p12 -inkey private_key.key -in certificate.crt -name "faustus" -password pass:bulgogi
- Once the PKCS12 file is created we can create the JKS out of it using the below command. The source keystore name and password must be the ones used in the previous command
keytool -importkeystore -srckeystore keystore_pkcs.p12 -srcstoretype PKCS12 -srcalias faustus -srcstorepass bulgogi -destkeystore dest_ks.jks -deststoretype JKS -deststorepass bulgogi2902 -destalias fausto
- The keystore can be checked with the following command, which lists its contents
keytool -list -v -keystore dest_ks.jks -storepass bulgogi2902
Part 2 : Validating the SSL Certificates
Checking the private Key
openssl rsa -in [key-file.key] -check -noout
The above command lets us know if the private key has been tampered with
Some of the faulty responses are
- RSA key error : p not prime
- RSA key error : n does not equal p q
- RSA key error : d e not congruent to 1
- RSA key error : dmp1 not congruent to d
- RSA key error : iqmp is not inverse of q
In case the private key has not been tampered with, we get the following response
- RSA key ok
Confirm the Modulus Value Matching with Private Key and SSL/TLS certificate Key Pair
The modulus of the private key and the certificate must match exactly
To view the certificate modulus
openssl x509 -noout -modulus -in [certificate-file.cer]
To view the private key modulus
openssl rsa -noout -modulus -in [key-file.key]
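The modulus comparison above as a script, added here as an example and not part of the original post: it hashes both moduli so they can be compared at a glance and returns a distinct exit code for a mismatch versus an unreadable file. The function names, file names and the generated sample keys and certificate are constructed for illustration; it assumes an RSA key, and for a passphrase-protected key (such as the -des3 key from Part 1) an openssl pass phrase source like env:KEY_PASS is given as the third argument.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a certificate
# belongs to an RSA private key by comparing digests of the two moduli.

# modulus_digest KIND FILE [PASSIN] -> prints SHA-256 of the "Modulus=..." line.
# KIND is the openssl subcommand to use: "rsa" for a key, "x509" for a cert.
modulus_digest() {
    mod=$(openssl "$1" -noout -modulus -in "$2" ${3:+-passin "$3"} 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    printf '%s' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT [PASSIN] -> 0 match, 1 mismatch, 2 unreadable input.
key_matches_cert() {
    key_digest=$(modulus_digest rsa "$1" "${3:-}") || return 2
    cert_digest=$(modulus_digest x509 "$2") || return 2
    [ "$key_digest" = "$cert_digest" ]
}

# make_samples DIR -> constructed test data: two unrelated keys, and a
# self-signed certificate issued for good.key only.
make_samples() {
    openssl genrsa -out "$1/good.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/good.key" -subj "/CN=example.test" \
        -days 1 -out "$1/server.crt" 2>/dev/null
}

# Demo on the constructed samples: good.key matches, other.key does not.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for k in good.key other.key; do
    if key_matches_cert "$demo_dir/$k" "$demo_dir/server.crt"; then
        echo "$k: matches server.crt"
    else
        echo "$k: does NOT match server.crt (exit $?)"
    fi
done
rm -rf "$demo_dir"
```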
Perform Encryption with Public Key from certificate and Decryption with Private Key
- Get public key from the certificate
openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer
- Encrypt the content of test.txt using the public key. Create a new file called test.txt with the content “message test”, then run the following command to write the encrypted message to cipher.txt.
openssl pkeyutl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt
- Decrypt from cipher.txt using the private key
openssl pkeyutl -decrypt -in cipher.txt -inkey [key-file.key]
- Confirm the integrity of a file that is signed with the private key. Run the following command to sign test.txt with your private key; the signature is written to test.sig
openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt
- Verify the signature with the public key that was extracted from the certificate in the first step
openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt
The output from the terminal should show the below message
Verified OK
In case the private key has been tampered with, the following message will appear
Verification Failure
Like most posts, this is just information I compiled from different sources into one post so that it could be a one-stop shop. Hopefully this helps you solve the issue or at least puts you on the right path.