Digicert Openssl


To generate a Certificate Signing Request (CSR) using OpenSSL on a Microsoft Windows system, perform the following steps:
Step 1: Install OpenSSL

  1. Open the following link in your web browser: https://wiki.openssl.org/index.php/Binaries
  2. In the table 'Third Party OpenSSL Related Binary Distributions', several distributions are listed.
  3. Select 'OpenSSL for Windows' and follow the link: https://slproweb.com/products/Win32OpenSSL.html
  4. Scroll to the section 'Download Win32 OpenSSL'
  5. Select one of the non-light editions of the installer and download it.
  6. Double-click the downloaded OpenSSL installer and accept the default settings to complete the installation.

SSL & TLS Certificates from DigiCert. Secure your website and promote customer confidence with superior encryption and authentication from DigiCert SSL/TLS. DigiCert is the new leading global SSL certificate provider. With their unparalleled IoT and PKI solutions for identity and encryption, there is no other clear choice for your security needs. DigiCert is trusted by 89% of the Fortune 500 and 97 of the 100 top global banks.

Step 2: Set up OpenSSL for usage

  1. In Windows, click Start > Run
  2. In the Open box, type CMD and click OK
  3. A command prompt window appears
  4. Type the following command at the prompt and press Enter:
    cd OpenSSL-Win32
  5. The prompt changes to C:\OpenSSL-Win32
  6. Type the following command at the prompt and press Enter:
    set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
  7. Restart the computer (mandatory)


Step 3: Generate a Certificate Signing Request (CSR) using OpenSSL on Windows

  1. In Windows, click Start > Run
  2. In the Open box, type CMD and click OK
  3. A command prompt window appears
  4. Type the following command at the prompt and press Enter:
    cd OpenSSL-Win32\bin
  5. The prompt changes to C:\OpenSSL-Win32\bin
  6. Type the following command at the prompt and press Enter:
    openssl genrsa -out private-key.key 2048
  7. Type the following command at the prompt and press Enter:
    openssl req -new -key private-key.key -out csr.txt
  8. Fill in the required fields:
    • Country Name: Use the two-letter country code without punctuation, for example: US or CA.
    • State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
    • Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
    • Company: If the company or department has an &, @, or any other symbol typed with the shift key in its name, the symbol must be spelled out or omitted in order to enroll.
    • Organizational Unit: The Organizational Unit (OU) field is the name of the department or organizational unit making the request. To skip the OU field, press Enter.
    • Common Name: The Common Name is the host plus domain name. It looks like 'www.digicert.com' or 'digicert.com'.
      DigiCert certificates can only be used on web servers using the Common Name specified during enrollment. For example,
      a certificate for the domain 'digicert.com' will produce a warning when used on a site named 'www.digicert.com' or 'secure.digicert.com', because 'www.digicert.com' and 'secure.digicert.com' are different from 'digicert.com'.
      Note: Please do not enter an email address, challenge password or optional company name when generating the CSR.
  9. A public/private key pair has now been created. The private key (private-key.key) is stored locally on the computer and is used for decryption. The public portion, in the form of a Certificate Signing Request (csr.txt), is used for certificate enrollment.
  10. To move the private key and CSR file from the local working directory into a central directory (for example, c:\certificate), type the following commands at the prompt, pressing Enter after each:
    • md c:\certificate
    • move private-key.key c:\certificate
    • move csr.txt c:\certificate
  11. The CSR file (csr.txt) is now ready to use for certificate enrollment
  12. To open the CSR file in Notepad from the command prompt, type the following command and press Enter:
    notepad c:\certificate\csr.txt
  13. A Notepad window opens containing the information needed to enroll for a certificate
  14. To copy the Certificate Signing Request from the Notepad window, click Edit > Select All
  15. Go to Edit again and select Copy
  16. Once the CSR has been copied, proceed to certificate enrollment
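The key and CSR steps above (steps 6 to 9), as an added example that is not part of the DigiCert instructions: a POSIX shell script that runs the same openssl commands non-interactively (the step 8 answers are supplied with -subj instead of being typed at the prompts, which also leaves out the email address and challenge password the note says not to enter) and then performs the checks worth doing before the CSR is pasted into an enrollment form: the CSR's self-signature still verifies, the Common Name is the intended host, and the CSR really belongs to the private key kept on this machine. It assumes openssl is on PATH; the subject values and www.example.com are constructed placeholders. The openssl commands themselves are identical in the Windows command prompt.

```shell
#!/bin/sh
# Added example, not from the DigiCert instructions. Assumes openssl on PATH;
# the subject values below are constructed placeholders.
set -eu

# generate_csr DIR CN: 2048-bit RSA key plus a CSR for CN, both written to DIR.
# -subj supplies the step 8 fields; no email address or challenge password is set.
generate_csr() {
  dir=$1; cn=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/private-key.key" 2048 2>/dev/null
  openssl req -new -key "$dir/private-key.key" -out "$dir/csr.txt" \
    -subj "/C=US/ST=California/L=Berkeley/O=Example Corp/OU=Web Operations/CN=$cn"
}

# check_csr DIR CN: the checks to run before pasting the CSR into an enrollment form.
#  - the CSR's own signature verifies (it was not corrupted while being copied)
#  - the Common Name is the host the certificate is meant for
#  - the CSR belongs to the private key on this machine (same RSA modulus)
check_csr() {
  dir=$1; cn=$2
  openssl req -in "$dir/csr.txt" -noout -verify >/dev/null 2>&1 || return 1
  # Subject line format differs between OpenSSL versions ("CN = x" vs "/CN=x"); match both.
  openssl req -in "$dir/csr.txt" -noout -subject | grep -q "CN *= *$cn\$" || return 1
  key_mod=$(openssl rsa -in "$dir/private-key.key" -noout -modulus)
  csr_mod=$(openssl req -in "$dir/csr.txt" -noout -modulus)
  [ "$key_mod" = "$csr_mod" ]
}

# key_bits DIR: size of the generated key; enrollment expects 2048 bits or more.
key_bits() {
  openssl rsa -in "$1/private-key.key" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Usage:
#   generate_csr ./certificate www.example.com
#   check_csr ./certificate www.example.com && echo "CSR ok ($(key_bits ./certificate) bits)"
```

A CSR that fails check_csr should not be submitted: a modulus mismatch means the key on disk is not the one the certificate will be issued for, and the certificate would be unusable on the server.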

OpenSSL: Manually verify a certificate against an OCSP

Published: 07-04-2014 Author: Remy van Elst



This article shows you how to manually verify a certificate against an OCSP server. OCSP stands for the Online Certificate Status Protocol and is one way to validate a certificate's status. It is an alternative to the CRL, the certificate revocation list.

Compared to CRLs:

  • Since an OCSP response contains less information than a typical CRL (certificate revocation list), OCSP can use networks and client resources more efficiently.
  • Using OCSP, clients do not need to parse CRLs themselves, saving client-side complexity. However, this is balanced by the practical need to maintain a cache. In practice, such considerations are of little consequence, since most applications rely on third-party libraries for all X.509 functions.
  • OCSP discloses to the responder that a particular network host used a particular certificate at a particular time. OCSP does not mandate encryption, so other parties may intercept this information.

You can read more about OCSP on Wikipedia.

If you want to verify a certificate against a CRL manually, you can read my article on that here.

We will be using OpenSSL in this article. I'm using the following version:

Get a certificate with an OCSP

First we will need a certificate from a website. I'll be using Wikipedia as an example here. We can retrieve it with the following openssl command:

Save this output to a file, for example, wikipedia.pem:

Now, check if this certificate has an OCSP URI:

If it does not give any output, the certificate has no OCSP URI. You cannot validate it against an OCSP.

Getting the certificate chain

It is required to send the certificate chain along with the certificate you want to validate. So, we need to get the certificate chain for our domain, wikipedia.org. Using the -showcerts option with openssl s_client, we can see all the certificates, including the chain:

Results in a boatload of output, but what we are interested in is the following:

As you can see, this is number 1. Number 0 is the certificate for Wikipedia, which we already have. If your site has more certificates in its chain, you will see more here. Save them all, in the order OpenSSL sends them (that is, first the one which directly issued your server certificate, then the one that issued that certificate, and so on, with the root or the certificate closest to the root at the end of the file) to a file named chain.pem.

Sending the OCSP request

We now have all the data we need to do an OCSP request. Using the following openssl command we can send an OCSP request and get only the text output:

Results in:

If you want more summarized output, leave out the -text option. I include it most of the time to find out what is wrong with an OCSP.

This is how a good certificate status looks:

Revoked certificate

If you have a revoked certificate, you can test it the same way as stated above. The response looks like this:

You can test this using the certificate and chain on the Verisign revoked certificate test page:

Other errors

If we send this request to another OCSP, one which did not issue this certificate, we should receive an unauthorized error:

The -text option here shows more information:

Some OCSPs are configured differently and give this error:

If we do include the -text option here we can see that a response is sent,however, that it has no data in it:

Other OCSPs return the 'unknown' status:

The -text option shows us more:


Tags: articles, certificate, crl, ocsp, shell, ssl, tls