(edited by pm_vnct 2019-09-17 04:50:39)

Topic: [SOLVED] Generate keys/certificates using openssl

I would like to create a self-signed CA and then generate signed client and server certificates. For this purpose I executed the following commands:

Create CA key and self-signed CA certificate:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out ca-key.pem
openssl req -x509 -new -nodes -addext keyUsage=critical,cRLSign,keyCertSign -key ca-key.pem -sha256 -days 3000 -out ca-cert.pem -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"

Create client certificate signed with CA:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out client-key.pem
openssl req -verbose -new -key client-key.pem -out client.csr -sha256 -subj "/C=SI/ST=Ljubljana/L=Ljubljana/O=MyCompany/OU=MyProduct/CN=myDomain"
openssl x509 -req -extfile openssl-ext.conf -extensions client_server -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -days 3000 -CAcreateserial -out client-cert.pem

Content of openssl-ext.conf is:

[ client_server ]
keyUsage = digitalSignature, keyEncipherment, keyAgreement

Convert client cert to DER format:

openssl x509 -inform PEM -outform DER -in client-cert.pem -out client-cert.der

Convert client key to DER format:

openssl pkcs8 -topk8 -inform PEM -outform DER -in client-key.pem -out client-key.der -nocrypt

To generate the server certificate I basically repeat the process of the client certificate generation.

I have two issues with those certificates:
1. The function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_ASN1) fails loading the client-key.der with a result code -4. However if I load the pem file and execute the function wolfSSL_CTX_use_PrivateKey_buffer(..., WOLFSSL_FILETYPE_PEM) I have no issue. What would be the reason?

2. Connection with these certificates does not work.

I use OpenSSL 1.1.1.

Any help would be appreciated.


Re: [SOLVED] Generate keys/certificates using openssl

Hi pm_vnct,

Your steps for certificate and key generation look correct. The DER format should be loaded with the `WOLFSSL_FILETYPE_ASN1` option as you are doing. The -4 option is `WOLFSSL_BAD_FILETYPE`, which would happen if the format was invalid.

Here is how the use private key buffer call should look:

wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, (long)sz, WOLFSSL_FILETYPE_ASN1);

For the connection to work you also need the peer to load the CA as trusted using the wolfSSL_CTX_load_verify_buffer API. You will also need to load the client certificate using wolfSSL_CTX_use_certificate_buffer.

Thanks,
David Garske, wolfSSL


Re: [SOLVED] Generate keys/certificates using openssl

Hi David,

Thank you for your reply. I already have a working client which successfully establishes a TLS 1.2 connection with the server using the default (wolfSSL) CA, certificates and keys. Then I generated the CA, client and server certificates with the commands described above and exchanged the default certificates with the new ones. The first thing was that the DER key on the client side could not be loaded (error -4). Then I loaded the key in PEM format, which was successful; however, the TLS handshake process then failed.

If you need more info from my side please let me know.

Thanks again for your support.
Regards, Peter


Re: [SOLVED] Generate keys/certificates using openssl

To answer my own question regarding the private key parsing error:

I found a site that decodes the private key from a DER file. There is some difference in the generated keys:
- default wolfssl client-key.der: https://bit.ly/2kRB2az
- my key: https://bit.ly/2ksFxs0

Then I converted the private key PEM file with the following command, which does not generate the additional "header" in the DER file:

openssl pkey -inform PEM -outform DER -in client-key.pem -out client-key.der

This works fine.


Re: [SOLVED] Generate keys/certificates using openssl

I also managed to resolve the TLS handshake by including some more extension flags into the CA certificate.

So far, all good.

Thanks for the support.

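
The following script is an added example written for this page; it is not code from the thread, from pm_vnct or from wolfSSL. It pulls together the three technical points of the thread in one runnable procedure: the CA/client/server generation from the first post, the PKCS#8-versus-bare-RSAPrivateKey DER difference from the third post, and a CA certificate that carries the extensions path validation expects (the last post says extra CA extension flags fixed the handshake but not which ones, so the basicConstraints/keyUsage set below is the standard choice, not the poster's). The directory name, subject names, DNS name and file names are assumptions for the demo. It needs the openssl CLI (1.1.1 or 3.x); the PKCS#1 conversion falls back to -traditional because OpenSSL 3 writes PKCS#8 by default.

```shell
#!/bin/sh
# Added example (not code from the thread or from wolfSSL): a private PKI built
# with OpenSSL, following the poster's steps but with the extension sections and
# the bare PKCS#1 DER conversion spelled out. Requires openssl 1.1.1 or 3.x.
# Directory, subject names, DNS name and file names are demo assumptions.
set -eu

# Print "pkcs8" when a DER private key is wrapped in a PKCS#8 PrivateKeyInfo
# (it then carries an AlgorithmIdentifier with the rsaEncryption OID), or
# "pkcs1" when it is a bare RSAPrivateKey (what "openssl pkey" wrote in 1.1.1).
der_key_format() {
    if openssl asn1parse -inform DER -in "$1" | grep -q 'rsaEncryption'; then
        echo pkcs8
    else
        echo pkcs1
    fi
}

# Write a PEM private key as bare PKCS#1 RSAPrivateKey DER. OpenSSL 1.1.1 does
# that by default; OpenSSL 3 writes PKCS#8 unless -traditional is given, so
# retry with that flag when the first attempt still carries the wrapper.
to_pkcs1_der() {
    openssl pkey -in "$1" -outform DER -out "$2"
    if [ "$(der_key_format "$2")" = pkcs8 ]; then
        openssl pkey -in "$1" -outform DER -traditional -out "$2"
    fi
}

# Build CA, server and client material into the directory given as $1.
gen_pki() {
    dir=$1
    mkdir -p "$dir"

    # One config file for everything. [req]/[req_dn] exist only because "req"
    # wants a distinguished_name section even when -subj is given; the v3_*
    # sections are picked by name with -extensions.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
# A CA must say it is one; keyUsage alone does not make a certificate a CA.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
# RSA keys sign (ECDHE_RSA) or decrypt the premaster (RSA key exchange);
# keyAgreement is for DH/ECDH keys, not RSA.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

    # CA key and self-signed CA certificate. The CA subject differs from the
    # leaf subjects: a certificate whose subject equals its issuer is treated
    # as self-issued by RFC 5280 path validation.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/ca-key.pem"
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/ca-key.pem" -subj "/O=MyCompany/CN=MyCompany Demo Root CA" \
        -out "$dir/ca-cert.pem"

    # Leaf certificates: key, CSR, then CA signature with the matching section.
    for role in server client; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$role-key.pem"
        openssl req -new -sha256 -config "$dir/openssl.cnf" \
            -key "$dir/$role-key.pem" -subj "/O=MyCompany/CN=$role.example.test" \
            -out "$dir/$role.csr"
        openssl x509 -req -sha256 -days 825 -in "$dir/$role.csr" \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -extfile "$dir/openssl.cnf" -extensions "v3_$role" \
            -out "$dir/$role-cert.pem"
        # Certificate in DER, and the key both ways so the difference is visible.
        openssl x509 -in "$dir/$role-cert.pem" -outform DER -out "$dir/$role-cert.der"
        openssl pkcs8 -topk8 -nocrypt -in "$dir/$role-key.pem" -outform DER -out "$dir/$role-key.pkcs8.der"
        to_pkcs1_der "$dir/$role-key.pem" "$dir/$role-key.der"
    done

    # Checks a TLS peer's validation also performs: chain to the CA, and for
    # the server certificate the hostname against the SAN.
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/client-cert.pem" >/dev/null
    openssl verify -CAfile "$dir/ca-cert.pem" -verify_hostname server.example.test \
        "$dir/server-cert.pem" >/dev/null
}

# Run the whole procedure into ./demo-pki (override with PKI_DIR).
gen_pki "${PKI_DIR:-./demo-pki}"
echo "client-key.der is $(der_key_format "${PKI_DIR:-./demo-pki}/client-key.der"), client-key.pkcs8.der is $(der_key_format "${PKI_DIR:-./demo-pki}/client-key.pkcs8.der")"
```

The `*-key.der` files are the bare RSAPrivateKey form the thread ended up using with `WOLFSSL_FILETYPE_ASN1`; the `*-key.pkcs8.der` files are the `pkcs8 -topk8` form the poster reported as failing with -4, kept here only so the two can be compared with `openssl asn1parse -inform DER`. The `openssl verify` calls are the same checks a peer performs once the CA is loaded with `wolfSSL_CTX_load_verify_buffer`, so a failure there is cheaper to debug than a failed handshake.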