- 17 Apr 2021
Certificate Management
- Updated on 17 Apr 2021
Legal Warning
Specifications, details, statements, and information in this manual are subject to change without notice. All the information provided, procedures shared, or statements listed below are for Tegsoft technical experts only. Using this manual without Tegsoft technical qualification should be avoided. Tegsoft has no obligation over the result of the application on any use. Some statements may not be suitable for use; avoiding them without technical qualification may be crucial. Users must take full responsibility for performing any steps that are part of this manual. Users who are not aware of the technical terms and operations described here should be aware that this document may not be suitable for their usage.
Changes to This Document
Date | Change Summary |
2020-09-02 | Initial release of the document. |
Preface
This document explains how to manage and convert certificates. The preface for Certificate Management contains the following sections:
- Certificate Verification
- Converting Files
- Common Errors
Obtaining Documentation
Tegsoft documentation and additional literature are available on Tegsoft Knowledge Base. This section explains the product documentation resources that Tegsoft offers.
Tegsoft Knowledge Base
You can access the most current Tegsoft documentation at this URL:
Prerequisites
- You must have basic knowledge of networking
- You must have basic knowledge of SSH connection
- You must have basic skills in Linux Command Line Interface
Certificate Verification
Certificate
openssl verify -verbose certificate.crt
certificate.crt: OU = Domain Control Validated, OU = Hosted by Doruk Bilisim Teknolojileri Ltd. Sti, OU = PositiveSSL Wildcard, CN = *.rumeli.edu.tr
error 20 at 0 depth lookup:unable to get local issuer certificate
Key Verification
openssl rsa -noout -modulus -in certificate.key | openssl md5
Key - Certificate Matching
openssl pkey -in certificate.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl x509 -in certificate.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a1:e0:4c:0f:d3:fa:2e:ae:e6:da:eb:61:66:76:02:f6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Feb 14 00:00:00 2018 GMT
Not After : Feb 14 23:59:59 2019 GMT
Subject: OU=Domain Control Validated, OU=Hosted by Doruk Bilişim Teknolojileri Ltd. Sti, OU=PositiveSSL Wildcard, CN=*.rumeli.edu.tr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
X509v3 Subject Key Identifier:
18:7E:41:D5:6B:95:26:76:EC:EB:5A:7C:0D:59:49:9F:A7:AE:7C:23
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com
X509v3 Subject Alternative Name:
DNS:*.rumeli.edu.tr, DNS:rumeli.edu.tr
Signature Algorithm: sha256WithRSAEncryption
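The key/certificate match and the "error 20" result shown above, reproduced end to end. This is an added example, not Tegsoft's own script: it builds a throwaway CA and leaf certificate (constructed names), compares public-key hashes the same way as the two matching commands, and shows that `openssl verify` succeeds once the issuer is supplied with `-CAfile`. The file names `certificate.key`, `certificate.crt` and `bundle.crt` follow the page; everything else is an assumption.

```shell
#!/bin/sh
# Added example. File names follow the page; the CA and host names are constructed.
set -eu

# SHA-256 over the PEM public key, as in the two matching commands above.
key_pub_hash()  { openssl pkey -in "$1" -pubout -outform pem | sha256sum | cut -d' ' -f1; }
cert_pub_hash() { openssl x509 -in "$1" -pubkey -noout -outform pem | sha256sum | cut -d' ' -f1; }

# Succeeds only when the private key ($1) belongs to the certificate ($2).
key_matches_cert() { [ "$(key_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]; }

# Prints openssl's verdict for certificate $1; $2 (optional) is the issuer bundle.
verify_cert() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1 || true
  else
    openssl verify "$1" 2>&1 || true
  fi
}

# Builds a throwaway CA, a leaf certificate and an unrelated key in directory $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
    -keyout "$1/ca.key" -out "$1/bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example.test" \
    -keyout "$1/certificate.key" -out "$1/certificate.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/certificate.csr" -CA "$1/bundle.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/certificate.crt" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"

key_matches_cert "$demo/certificate.key" "$demo/certificate.crt" && echo "key matches certificate"
key_matches_cert "$demo/other.key" "$demo/certificate.crt" || echo "other.key does NOT match"
echo "without issuer: $(verify_cert "$demo/certificate.crt")"
echo "with issuer:    $(verify_cert "$demo/certificate.crt" "$demo/bundle.crt")"
```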
Converting Files
Converting PFX to KEY File
Two steps: extract the certificate, then extract the private key and remove its pass phrase.
openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:ENTER_PASSWORD
MAC verified OK
openssl pkcs12 -in yourfile.pfx -nocerts -out certificate-tmp.key
Enter Import Password:ENTER_PASSWORD
MAC verified OK
Enter PEM pass phrase:tegsoft123
Verifying - Enter PEM pass phrase:tegsoft123
openssl rsa -in certificate-tmp.key -out certificate.key
Enter pass phrase for certificate-tmp.key:tegsoft123
writing RSA key
Converting CRT to PFX File
openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile bundle.crt
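A non-interactive round trip through the two PFX conversions above, as an added example (not Tegsoft's own procedure). It reads the PFX password from an environment variable (`PFX_PASS`, a name chosen here), writes the unencrypted key under `umask 077` without an intermediate pass-phrase-protected file, and confirms that the extracted key and certificate are identical to the originals. The password, the CN and the `orig.*` file names are constructed.

```shell
#!/bin/sh
# Added example. yourfile.pfx, certificate.key and certificate.crt follow the
# page's names; PFX_PASS, the demo password and the CN are constructed.
set -eu
umask 077   # extracted private keys must not be group/world readable

# pfx_export KEY CRT PFX: "Converting CRT to PFX File", password from $PFX_PASS.
pfx_export() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# pfx_extract PFX OUTDIR: writes certificate.crt and an unencrypted
# certificate.key without an intermediate pass-phrase-protected file.
pfx_extract() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
    openssl x509 -out "$2/certificate.crt"
  openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
    openssl pkey -out "$2/certificate.key"
}

# Public key in PEM form, used to confirm nothing changed in the round trip.
pub_of_key() { openssl pkey -in "$1" -pubout; }

# Full round trip in directory $1 with a constructed self-signed certificate.
pfx_roundtrip() {
  mkdir -p "$1/out"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example.test" \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  pfx_export "$1/orig.key" "$1/orig.crt" "$1/yourfile.pfx"
  pfx_extract "$1/yourfile.pfx" "$1/out"
  [ -s "$1/out/certificate.key" ] &&
    [ "$(pub_of_key "$1/orig.key")" = "$(pub_of_key "$1/out/certificate.key")" ] &&
    [ "$(openssl x509 -in "$1/orig.crt" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$1/out/certificate.crt" -noout -fingerprint -sha256)" ]
}

export PFX_PASS='constructed-demo-password'
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
pfx_roundtrip "$work" && echo "PFX round trip preserved key and certificate"
```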
Converting KEY to PKCS#8 (DER) KEY File
openssl pkcs8 -topk8 -inform PEM -outform DER -in certificate.key -nocrypt > certificate8.key
Converting CER to PEM File
openssl x509 -inform der -in certificate.cer -out certificate.pem
Converting CRT to PEM File
openssl x509 -in certificate.crt -out certificate.pem -outform PEM
Common Errors
Overriding default certificate files
When you use the /certificates folder and certificate.XXX files, Tegsoft overrides those files at boot. Run the command below to disable Tegsoft certificate overriding.
echo 1 > /root/custom_certificates