Certificate Manipulation
Email signing with OpenSSL
This example shows how to sign a mail message contained in the file your-mail-message.txt. For this purpose use the command below, which will produce as output a signed message in the file signed-mail-message.txt.

openssl smime -sign -text -in your-mail-message.txt -out signed-mail-message.txt \
    -signer ${HOME}/.globus/usercert.pem -inkey ${HOME}/.globus/userkey.pem

Email encrypting with OpenSSL
This example shows how to encrypt a signed mail message contained in the file signed-mail-message.txt. For this purpose use the command below, which will produce as output an encrypted message in the file encrypted-mail-message.txt. The command takes as its last parameter the name of a file (destination-user-certificate.pem) containing the certificate of the destination user; therefore the mail can only be decrypted by persons having access to the private key corresponding to that certificate. To do this you first need to obtain the destination user's certificate.

openssl smime -encrypt -in signed-mail-message.txt -out encrypted-mail-message.txt \
    destination-user-certificate.pem

Email decrypting with OpenSSL
This example shows how to decrypt an encrypted E-mail message (such as the signed message produced above) using your own certificate and private key.

openssl smime -decrypt -in received-encrypted-mail-message.txt \
    -out received-mail-message.txt -recip ${HOME}/.globus/usercert.pem \
    -inkey ${HOME}/.globus/userkey.pem

Email checking with OpenSSL
This example shows how to verify a signed E-mail message on arrival in order to check that it has not been changed. The last argument is the path to a directory containing your trusted certification authority certificates. Under EDG Globus distributions the trusted CA certificates are stored in /etc/grid-security/certificates.

openssl smime -verify -text -in received-signed-mail-message.txt \
    -CApath /etc/grid-security/certificates

The following example will display the distinguished name (DN) of the signer.

openssl smime -pk7out -in received-signed-mail-message.txt | \
    openssl pkcs7 -print_certs -noout
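The four commands above (sign, encrypt, decrypt, verify) form one exchange. The script below, added here as an example and not part of the original page, runs that exchange end to end with two throwaway self-signed identities so that it works offline: "Alice Sender", "Bob Recipient", the message text and the file names are constructed, and Alice's self-signed certificate stands in for both usercert.pem and the trusted CA certificates directory (-CAfile instead of -CApath). It also shows what the verification step buys you: a copy of the signed message with one altered value in the body is rejected.

```shell
#!/bin/sh
# Added example (not from the original page): S/MIME sign -> encrypt -> decrypt -> verify
# round trip with throwaway self-signed identities, so it runs offline.
# Assumption: the self-signed certificates stand in for usercert.pem/userkey.pem and
# for the trusted CA certificates directory used on the page.

# Create a self-signed certificate/key pair for the constructed identity "$2" under prefix "$1".
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" >/dev/null 2>&1
}

# Run the whole exchange in a scratch directory; prints "ok" when every step behaves
# as expected (verification succeeds, the tampered copy is rejected).
smime_round_trip() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    make_identity alice "Alice Sender" && make_identity bob "Bob Recipient" || exit 1

    # Constructed message body (plays the role of your-mail-message.txt).
    printf 'Invoice 42\namount: 10 EUR\n' > mail.txt

    # 1. Alice signs (clear-signed multipart/signed; -text adds the text/plain header).
    openssl smime -sign -text -in mail.txt -out signed.txt \
      -signer alice-cert.pem -inkey alice-key.pem || exit 1

    # 2. Alice encrypts the signed message to Bob's certificate.
    openssl smime -encrypt -aes256 -in signed.txt -out encrypted.txt bob-cert.pem || exit 1

    # 3. Bob decrypts with his own certificate and private key.
    openssl smime -decrypt -in encrypted.txt -out decrypted.txt \
      -recip bob-cert.pem -inkey bob-key.pem || exit 1

    # 4. Bob verifies the signature against the trust anchor (Alice's self-signed
    #    certificate stands in for the CA directory) and recovers the body.
    openssl smime -verify -text -in decrypted.txt -CAfile alice-cert.pem \
      -out verified.txt 2>/dev/null || exit 1
    grep -q '^amount: 10 EUR' verified.txt || exit 1

    # 5. The signer's DN is read from the certificate embedded in the signed message.
    openssl smime -pk7out -in decrypted.txt | openssl pkcs7 -print_certs -noout \
      | grep -q '^subject=.*Alice Sender' || exit 1

    # 6. A modified body must fail verification: change the amount in the clear text part.
    sed 's/amount: 10 EUR/amount: 99 EUR/' decrypted.txt > tampered.txt
    if openssl smime -verify -text -in tampered.txt -CAfile alice-cert.pem \
         -out /dev/null 2>/dev/null; then
      exit 1
    fi
    echo ok
  )
  status=$?
  rm -rf "$work"
  return $status
}

smime_round_trip
```

Note that the verified output is written with CRLF line endings, as S/MIME canonicalises the signed text; the grep above tolerates that, but a byte-for-byte comparison with the original file would not.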
Obtaining the hash value of a certificate
This example shows how to obtain a certificate hash value. The hash is computed from the certificate subject and is the file name under which a CA certificate is stored in a trusted certificates directory (for example 11b4a5a2.0 below).

openssl x509 -noout -hash -in certificate.pem

Obtaining the fingerprint of a certificate
This example shows how to obtain a certificate MD5 fingerprint. Newer OpenSSL releases default to a different digest, so pass the digest explicitly (for example -sha256) when a specific fingerprint algorithm is required.

openssl x509 -noout -fingerprint -in certificate.pem

Converting a certificate to pkcs12
This example shows how to convert a certificate to the pkcs12 format used by web browsers such as Netscape and Internet Explorer. The pkcs12 format stores both the public key (certificate) and the private key inside the same file. You will be prompted to enter the password to read the existing private key and then to enter a password to protect the newly created pkcs12 file. The output file usercert.p12 can then be loaded into the browser using the browser certificate management panels.

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12

Converting a certificate from pkcs12 to pem
This example shows how to convert a certificate from pkcs12 to the pem format. This can be used to convert a certificate previously exported from a browser to local storage, so that it can be used to access the grid from a user interface. Many CAs use web browsers as the interface to obtain and renew certificates; in this case the certificates are stored inside the browser. To be usable for the grid the certificate must be exported from the browser to a disk file, and when exporting a certificate the browser usually writes it in pkcs12 format. The conversion takes two steps: the first extracts the private key and the second extracts the public key (certificate). Notice that in pkcs12 format both private and public keys are stored inside the same file, while in PEM format they are stored in two different files.

openssl pkcs12 -nocerts -in usercert.p12 -out ~user/.globus/userkey.pem
chmod 400 ~user/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem

This example shows how to convert a certificate to the pem format without a password on the private key (used on servers only). Since the resulting key file is unprotected, it must be readable only by its owner, as with the chmod step above.

openssl pkcs12 -nocerts -nodes -in usercert.p12 -out ~user/.globus/userkey.pem
openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem

Verifying a certificate
This example shows how to verify the authenticity of a certificate. You can either give the path of a directory containing all trusted CA ROOT certificates, or specify directly the CA ROOT certificate with which the verification should be performed.

openssl verify -CApath /etc/grid-security/certificates usercert.pem
openssl verify -CAfile /etc/grid-security/certificates/11b4a5a2.0 usercert.pem

Verifying a CRL
This example shows how to verify the authenticity of a CRL. As above, you can either give the path of a directory containing all trusted CA ROOT certificates, or specify directly the CA ROOT certificate with which the verification should be performed. The result is reported as "verify OK" or "verify failure".

openssl crl -noout -CApath /etc/grid-security/certificates -in 11b4a5a2.r0
openssl crl -noout -CAfile /etc/grid-security/certificates/11b4a5a2.0 -in 11b4a5a2.r0

Certificate Manipulation
Display the content of a certificate
This example shows how to display in text format the content of a certificate.

openssl x509 -text -noout -in usercert.pem

Display the content of a CRL
This example shows how to display in text format the content of a CRL.

openssl crl -text -noout -in /etc/grid-security/certificates/11b4a5a2.r0

Display specific information about a certificate
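The verification commands above rely on the layout of the trusted certificates directory: each CA certificate is stored as <hash>.0 and its CRL as <hash>.r0, where <hash> is the value printed by openssl x509 -hash. The script below, added here as an example and not part of the original page, builds a throwaway CA ("Demo Grid CA") and a user certificate ("Grid User"), both constructed names, populates such a directory in a scratch location that stands in for /etc/grid-security/certificates, and runs the certificate and CRL verification before and after the user certificate is revoked. It goes beyond the page in two places: the CRL is produced and the certificate revoked with openssl ca and a minimal constructed configuration, and the final verification passes -crl_check so that the CRL is actually consulted.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA, hash-named CApath directory,
# certificate and CRL verification before and after revocation.
# Assumptions: "Demo Grid CA" and "Grid User" are constructed identities; the scratch
# directory "capath" plays the role of /etc/grid-security/certificates.

# Minimal openssl-ca configuration: only what -gencrl and -revoke need (constructed).
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
certificate      = ca-cert.pem
private_key      = ca-key.pem
default_md       = sha256
default_crl_days = 1
EOF
  : > index.txt
}

# Issue the current CRL and install it in the CApath directory as <hash>.r0 ($1 = hash).
publish_crl() {
  openssl ca -config ca.cnf -gencrl -crldays 1 -md sha256 -out ca.crl >/dev/null 2>&1 || return 1
  cp ca.crl "capath/$1.r0"
}

# Prints "ok" when every verification step gives the expected result.
capath_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    mkdir capath
    write_ca_config

    # CA: self-signed certificate (openssl req -x509 marks it CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Grid CA" \
      -keyout ca-key.pem -out ca-cert.pem >/dev/null 2>&1 || exit 1

    # User: certificate request signed by the CA (stands in for usercert.pem/userkey.pem).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Grid User" \
      -keyout user-key.pem -out user.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in user.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
      -days 1 -out user-cert.pem >/dev/null 2>&1 || exit 1

    # Install the CA certificate under its subject-hash name, as -CApath lookup expects.
    hash=$(openssl x509 -noout -hash -in ca-cert.pem) || exit 1
    cp ca-cert.pem "capath/$hash.0"
    openssl verify -CApath capath user-cert.pem >/dev/null 2>&1 || exit 1

    # Empty CRL: the CRL verifies against the CA, and the user certificate passes -crl_check.
    publish_crl "$hash" || exit 1
    openssl crl -noout -CApath capath -in "capath/$hash.r0" 2>&1 | grep -q 'verify OK' || exit 1
    openssl verify -crl_check -CApath capath user-cert.pem >/dev/null 2>&1 || exit 1

    # Revoke the user certificate and reissue the CRL: the same check must now fail.
    openssl ca -config ca.cnf -revoke user-cert.pem >/dev/null 2>&1 || exit 1
    publish_crl "$hash" || exit 1
    if openssl verify -crl_check -CApath capath user-cert.pem >/dev/null 2>&1; then
      exit 1
    fi

    # Fingerprint with an explicit digest (the default digest depends on the OpenSSL version).
    openssl x509 -noout -fingerprint -sha256 -in user-cert.pem | grep -qi 'sha256 fingerprint=' || exit 1
    echo ok
  )
  status=$?
  rm -rf "$work"
  return $status
}

capath_demo
```

Without -crl_check, openssl verify ignores the CRL entirely and the revoked certificate still reports OK; that is why the script checks both behaviours rather than only the CRL signature.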
This example shows how to display in text format the issuer DN.

openssl x509 -issuer -noout -in usercert.pem

This example shows how to display in text format the subject DN.

openssl x509 -subject -noout -in usercert.pem

This example shows how to display in text format the expiration date.

openssl x509 -enddate -noout -in usercert.pem

Changing the password of a certificate private key
This example shows how to modify the password of a certificate private key. Once the password is successfully changed, the newly created file containing the private key protected by the new password must be moved over the old userkey file, and the permissions of the result set so that only the owner can read it. In any case the old file containing the private key must be removed; if the old private key was stored on a floppy disk then the disk should be physically destroyed.

cd ${HOME}/.globus
openssl rsa -in userkey.pem -des3 -out new-userkey.pem
shred -f -u userkey.pem
mv new-userkey.pem userkey.pem
chmod 400 userkey.pem
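The pkcs12 conversions earlier on this page and the passphrase change above are the same key moving between formats, so one script serves both. It is added here as an example and is not from the original page: it runs the conversions and the passphrase change non-interactively and checks after each step that the key still matches the certificate. It departs from the page in two ways: passphrases are supplied through environment variables (env:NAME) instead of the interactive prompts, so they do not appear on the command line or in the process list, and the key is re-encrypted with -aes256 instead of -des3. The identity "Grid User" and all passphrases are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page): PEM -> PKCS#12 -> PEM round trip followed by
# a private key passphrase change, verifying after each step that key and certificate match.
# Assumptions: "Grid User" and the three passphrases are constructed; passphrases travel
# through environment variables (env:NAME) rather than prompts or command-line arguments.

# PEM public key of a certificate ($1).
pubkey_of_cert() { openssl x509 -noout -pubkey -in "$1"; }
# PEM public key of a private key ($1) whose passphrase is in the environment variable named $2.
pubkey_of_key()  { openssl rsa -in "$1" -passin "env:$2" -pubout 2>/dev/null; }

# Prints "ok" when every conversion preserved the key/certificate pairing.
pkcs12_and_passphrase_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    P12PASS='p12-export-secret'; OLDPASS='first-key-secret'; NEWPASS='second-key-secret'
    export P12PASS OLDPASS NEWPASS

    # A self-signed certificate and unencrypted key stand in for a CA-issued usercert/userkey.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Grid User" \
      -keyout plain-key.pem -out usercert.pem >/dev/null 2>&1 || exit 1

    # PEM -> PKCS#12: both halves in one file, protected by P12PASS.
    openssl pkcs12 -export -in usercert.pem -inkey plain-key.pem \
      -out usercert.p12 -passout env:P12PASS || exit 1

    # PKCS#12 -> PEM: private key first (encrypted under OLDPASS), then the certificate.
    openssl pkcs12 -nocerts -in usercert.p12 -out userkey.pem \
      -passin env:P12PASS -passout env:OLDPASS || exit 1
    chmod 400 userkey.pem
    openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out usercert-back.pem \
      -passin env:P12PASS || exit 1

    # The extracted pair must match each other, and the certificate must be unchanged.
    [ "$(pubkey_of_cert usercert-back.pem)" = "$(pubkey_of_key userkey.pem OLDPASS)" ] || exit 1
    openssl x509 -noout -fingerprint -sha256 -in usercert.pem > fp1
    openssl x509 -noout -fingerprint -sha256 -in usercert-back.pem > fp2
    cmp -s fp1 fp2 || exit 1

    # Change the passphrase: re-encrypt under NEWPASS, destroy the old file, move the new one in.
    openssl rsa -in userkey.pem -passin env:OLDPASS -aes256 -passout env:NEWPASS \
      -out new-userkey.pem 2>/dev/null || exit 1
    shred -f -u userkey.pem 2>/dev/null || rm -f userkey.pem
    mv new-userkey.pem userkey.pem
    chmod 400 userkey.pem

    # The new passphrase opens the key; the old one no longer does.
    [ "$(pubkey_of_cert usercert.pem)" = "$(pubkey_of_key userkey.pem NEWPASS)" ] || exit 1
    if openssl rsa -in userkey.pem -passin env:OLDPASS -noout 2>/dev/null; then exit 1; fi
    echo ok
  )
  status=$?
  rm -rf "$work"
  return $status
}

pkcs12_and_passphrase_demo
```

The public-key comparison is the cheap way to confirm that a key file and a certificate belong together after any conversion; a mismatch at that point means the wrong key was extracted or the wrong file overwritten.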