LIPCA

Autoridade de Certificação

LIP
LIP Autoridade de Certificação
Av. Elias Garcia 14, 1º
1000-149 Lisboa, Portugal
Tel.: (+ 351) 21 797 3880
Fax: (+ 351) 21 793 4631

Recommended browser: Firefox

Chrome/Chromium not supported

Signing E-mail using OpenSSL
Encrypting E-mail using OpenSSL
Decrypting an E-mail using OpenSSL
Checking a signed E-mail using OpenSSL
Obtaining the hash value of a certificate
Obtaining the fingerprint of a certificate
Converting a certificate to pkcs12
Converting a certificate to pem
Converting a certificate p12 to/from jks
Verifying a certificate
Verifying a CRL
Display the content of a certificate
Display the content of a CRL
Display the issuer and subject of a certificate
Changing the password of a private key
Demonstration Videos

This section has examples and information on the usage of certificates.

The examples on signing and encrypting E-mail messages can be useful for the secure transfer of information between the RA/CA and the requester or subscriber. The pathnames are based on the EDG distribution of the Globus toolkit, where the user certificate and its private key live in ${HOME}/.globus/usercert.pem and ${HOME}/.globus/userkey.pem.

Signing E-mail using OpenSSL

This example shows how to sign a mail message contained in the file your-mail-message.txt. The command below produces the signed message in the file signed-mail-message.txt; -signer is your certificate and -inkey the matching private key, whose password you will be prompted for.

openssl smime -sign -text -in your-mail-message.txt \
     -out signed-mail-message.txt \
     -signer ${HOME}/.globus/usercert.pem \
     -inkey ${HOME}/.globus/userkey.pem

Encrypting E-mail using OpenSSL

This example shows how to encrypt a signed mail message contained in the file signed-mail-message.txt. The command below produces an encrypted message in the file encrypted-mail-message.txt. Its last parameter is the name of a file (destination-user-certificate.pem) containing the certificate of the destination user, so the mail can only be decrypted by whoever holds the corresponding private key; you therefore need to obtain the destination user's certificate first. Name the cipher explicitly (-aes256 below): the cipher chosen when none is given depends on the OpenSSL version and in old releases is very weak.

openssl smime -encrypt -aes256 -in signed-mail-message.txt \
     -out encrypted-mail-message.txt \
     destination-user-certificate.pem

Decrypting an E-mail using OpenSSL

This example shows how to decrypt a received encrypted message using your own certificate and private key. The output is the signed message exactly as the sender produced it, which you can then verify as described next.

openssl smime -decrypt -in received-encrypted-mail-message.txt \
     -out received-mail-message.txt \
     -recip ${HOME}/.globus/usercert.pem \
     -inkey ${HOME}/.globus/userkey.pem

Checking a signed E-mail using OpenSSL

This example shows how to verify a signed E-mail message at arrival, in order to check that it has not been changed and that the signer's certificate chains to a CA you trust. The last argument is the path to a directory containing your trusted certification authority certificates, one file per CA named after the CA's subject hash (e.g. 11b4a5a2.0). Under EDG Globus distributions the trusted CA certificates are stored in /etc/grid-security/certificates. On success the command prints "Verification successful" on stderr and the message text on stdout (add -out file to save it).

openssl smime -verify -text -in received-signed-mail-message.txt \
     -CApath /etc/grid-security/certificates

The following example will display the distinguished name (DN) of the signer, by extracting the certificates carried inside the signed message and printing their subject and issuer. The signer's certificate obtained this way is also the one you need in order to send that person an encrypted reply.

openssl smime -pk7out -in received-signed-mail-message.txt | \
     openssl pkcs7 -print_certs -noout

The examples above are based on examples for secure communication between CA and RA at Nikhef.

Obtaining the hash value of a certificate

This example shows how to obtain a certificate's subject hash value, which is the name used for the CA files in /etc/grid-security/certificates (hash.0 for the CA certificate, hash.r0 for its CRL). Since OpenSSL 1.0.0 -hash is the same as -subject_hash and uses a different algorithm from older releases; -subject_hash_old gives the pre-1.0.0 value, which a directory built for an old OpenSSL still needs.

openssl x509 -noout -hash -in certificate.pem

Obtaining the fingerprint of a certificate

This example shows how to obtain a certificate fingerprint. Name the digest explicitly: when none is given the default depends on the OpenSSL version (MD5 in 0.9.x, SHA-1 from 1.0.0 on), and MD5 is no longer adequate for this purpose. When confirming a certificate with the RA/CA, compare the fingerprint over a different channel from the one the certificate arrived by.

openssl x509 -noout -fingerprint -sha256 -in certificate.pem

Converting a certificate to pkcs12

This example shows how to convert a certificate to the pkcs12 format used by web browsers such as Netscape and Internet Explorer. A pkcs12 file stores both the certificate and the private key, so it is as sensitive as the key itself. You will be prompted to enter the password to read the existing private key and then to enter a password to protect the newly created pkcs12 file. The output file usercert.p12 can then be loaded into the browser using the browser certificate management panels.

openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
     -out usercert.p12

Converting a certificate to pem

This example shows how to extract the private key and the certificate from a pkcs12 file into the two pem files that Globus expects. The first command writes the private key, protected by a new password you are prompted for (after the password of the pkcs12 file itself); the second writes the certificate only.

openssl pkcs12 -nocerts -in usercert.p12 -out ~user/.globus/userkey.pem
IMPORTANT: Don't forget to restrict the permissions of the private key (chmod 400 ~user/.globus/userkey.pem); the file is created with the default umask and may otherwise be readable by other users.

openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem

This example shows how to do the same with a private key that is not password protected (-nodes), as used on servers where nobody is present to type a password. Such a key is protected only by file permissions, so the chmod 400 above is essential.

openssl pkcs12 -nocerts -nodes -in usercert.p12 -out ~user/.globus/userkey.pem

openssl pkcs12 -clcerts -nokeys -in usercert.p12 -out ~user/.globus/usercert.pem

Converting a certificate p12 to/from jks

JKS to P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

P12 to JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

Verifying a certificate

This example shows how to verify the authenticity of a certificate: that it chains to a trusted CA ROOT certificate and is within its validity period. You can enter the path for a directory containing all trusted CA ROOT certificates (files named hash.0), or specify directly the CA ROOT certificate with which the verify should be performed. Revocation is not checked unless you add -crl_check, which needs the CA's CRL in the same directory as hash.r0.

openssl verify -CApath /etc/grid-security/certificates usercert.pem

openssl verify -CAfile /etc/grid-security/certificates/11b4a5a2.0 usercert.pem

Verifying a CRL

This example shows how to verify the authenticity of a CRL, i.e. that it was signed by the CA it claims to come from. The input is the CRL file (in the EDG layout /etc/grid-security/certificates/hash.r0, next to the CA certificate hash.0), not the user certificate. You can enter the path for a directory containing all trusted CA ROOT certificates, or specify directly the CA ROOT certificate with which the verify should be performed. Look for "verify OK" or "verify failure" in the output; the exit status of openssl crl does not reliably reflect the result.

openssl crl -noout -CApath /etc/grid-security/certificates -in /etc/grid-security/certificates/11b4a5a2.r0

openssl crl -noout -CAfile /etc/grid-security/certificates/11b4a5a2.0 -in /etc/grid-security/certificates/11b4a5a2.r0
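The script below is an added example and is not part of the LIP page. It creates a throw-away CA and user certificate (in place of a LIPCA-issued one), runs the S/MIME sign, encrypt, decrypt and verify steps and the signer-DN extraction from the E-mail sections above against a trust directory laid out like /etc/grid-security/certificates, then issues a CRL for that CA, checks its signature as in this section, and shows openssl verify -crl_check rejecting the user certificate once it has been revoked. The subjects, file names, message text and the minimal OpenSSL configuration are all constructed for the example; it needs only a working openssl command.

```shell
#!/bin/sh
# Added example, not from the LIP page: throw-away CA + user certificate, the
# S/MIME sign -> encrypt -> decrypt -> verify round trip against a hash-named
# CA directory, then a CRL that is verified and used to reject the user
# certificate once it is revoked. All names, paths and text are constructed.
set -e
WORK=$(mktemp -d)
CERTS="$WORK/certificates"      # plays the role of /etc/grid-security/certificates
MSG="$WORK/your-mail-message.txt"
CNF="$WORK/test.cnf"

# one config file: [req] gives the CA its extensions, [ca] serves -revoke/-gencrl
write_config() {
    : > "$WORK/index.txt"       # empty certificate database for openssl ca
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
certificate      = $WORK/cacert.pem
private_key      = $WORK/cakey.pem
default_md       = sha256
default_crl_days = 1
EOF
}

# self-signed CA, user key + CSR, CA-issued user certificate (test keys unencrypted)
make_test_pki() {
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Grid/CN=Test CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -subj "/O=Example Grid/CN=Test User/emailAddress=user@example.test" \
        -keyout "$WORK/userkey.pem" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/usercert.pem" 2>/dev/null
    chmod 400 "$WORK/userkey.pem"
    # trust directory in the <subject hash>.0 layout that -CApath looks up
    mkdir -p "$CERTS"
    cp "$WORK/cacert.pem" "$CERTS/$(openssl x509 -noout -hash -in "$WORK/cacert.pem").0"
}

# sign, encrypt to the recipient certificate, decrypt, verify against the CA
# directory; succeeds only if the verified text equals the original message
smime_roundtrip() {
    printf 'Please revoke my certificate: the laptop holding the key was stolen.\n' > "$MSG"
    openssl smime -sign -text -in "$MSG" -out "$WORK/signed.txt" \
        -signer "$WORK/usercert.pem" -inkey "$WORK/userkey.pem"
    openssl smime -encrypt -aes256 -in "$WORK/signed.txt" -out "$WORK/encrypted.txt" \
        "$WORK/usercert.pem"
    openssl smime -decrypt -in "$WORK/encrypted.txt" -out "$WORK/received-signed.txt" \
        -recip "$WORK/usercert.pem" -inkey "$WORK/userkey.pem"
    openssl smime -verify -text -in "$WORK/received-signed.txt" -CApath "$CERTS" \
        -out "$WORK/received.txt" 2>/dev/null
    # S/MIME canonicalises line ends to CRLF, so drop the CRs before comparing
    [ "$(tr -d '\r' < "$WORK/received.txt")" = "$(cat "$MSG")" ]
}

# subject DN of the signer, taken from the certificate carried in the message
signer_dn() {
    openssl smime -pk7out -in "$WORK/received-signed.txt" \
        | openssl pkcs7 -print_certs -noout | grep '^subject' | head -n 1
}

# (re)issue the CA's CRL into the <subject hash>.r0 slot beside the CA certificate
issue_crl() {
    openssl ca -config "$CNF" -gencrl \
        -out "$CERTS/$(openssl x509 -noout -hash -in "$WORK/cacert.pem").r0" 2>/dev/null
}

# is the CRL signed by the trusted CA? openssl crl prints the verdict but does
# not reliably return it in its exit status, so the printed text is what we test
crl_is_authentic() {
    openssl crl -noout -CApath "$CERTS" -in "$CERTS"/*.r0 2>&1 | grep -q 'verify OK'
}

# chain check with revocation checking: non-zero once the certificate is on the CRL
cert_accepted() {
    openssl verify -crl_check -CApath "$CERTS" "$WORK/usercert.pem" >/dev/null 2>&1
}

revoke_user_cert() {
    openssl ca -config "$CNF" -revoke "$WORK/usercert.pem" 2>/dev/null
    issue_crl
}

write_config
make_test_pki
smime_roundtrip && echo "S/MIME round trip OK; $(signer_dn)"
issue_crl
crl_is_authentic && echo "CRL signature OK"
cert_accepted && echo "certificate accepted: not on the CRL"
revoke_user_cert
cert_accepted || echo "certificate rejected: revoked"
```

The CRL check greps for the printed verdict because openssl crl reports "verify OK" or "verify failure" in its output and, in many releases, exits 0 either way; openssl verify, by contrast, returns non-zero when the certificate is revoked, which is what a script should test. The same hash.0 / hash.r0 naming is what the EDG /etc/grid-security/certificates directory uses, so the two lookups behave exactly as they would against the real CA directory.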

Display the content of a certificate

This example shows how to display in text format the content of a certificate.

openssl x509 -text -noout -in usercert.pem

Display the content of a CRL

This example shows how to display in text format the content of a CRL.

openssl crl -text -noout -in /etc/grid-security/certificates/11b4a5a2.r0

Display the issuer and subject of a certificate

This example shows how to display, in text format, the issuer DN and the subject DN of a certificate.

openssl x509 -issuer -noout -in usercert.pem

openssl x509 -subject -noout -in usercert.pem

Changing the password of a private key

This example shows how to change the password of a certificate's private key. The key is re-encrypted under the new password into a new file, which then replaces the old userkey.pem; make sure no other copy of the old file remains, and if the old private key was stored on a floppy disk the disk should be physically destroyed. -aes256 selects the cipher protecting the key on disk (older examples use -des3, which still works but is a legacy cipher). The new file is created with the default umask, so restore the owner-only permissions afterwards.

cd ${HOME}/.globus
openssl rsa -in userkey.pem -aes256 -out new-userkey.pem
mv new-userkey.pem userkey.pem
chmod 400 userkey.pem
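As an added example (not from the LIP page), the script below works through the pkcs12 round trip of the two "Converting" sections above and the password change described here, on a throw-away self-signed certificate standing in for a LIPCA-issued one: it exports key and certificate to a pkcs12 file, extracts them again into a Globus-style .globus directory, checks that the extracted key really belongs to the certificate by comparing public keys, rotates the key's password and proves the old one no longer opens the key. File names, subjects and passwords are constructed for the example; passwords are passed through environment variables rather than on the command line.

```shell
#!/bin/sh
# Added example, not from the LIP page: PKCS#12 export and re-extraction of a
# throw-away self-signed certificate, a check that the extracted key belongs
# to the certificate, and rotation of the private-key password. All file
# names, subjects and passwords are constructed for this example.
set -e
umask 077                       # every file created below is owner-only
WORK=$(mktemp -d)
GLOBUS="$WORK/.globus"          # stands in for ${HOME}/.globus
mkdir "$GLOBUS"
# passwords come from the environment: pass:... on the command line would be
# visible in ps output and in the shell history
export P12_PASS='p12-example-secret' KEY_PASS='key-example-secret' NEW_KEY_PASS='rotated-example-secret'

# self-signed test certificate and unencrypted key, in place of a LIPCA-issued pair
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Grid/CN=Test User" -keyout "$WORK/userkey.pem" -out "$WORK/usercert.pem" 2>/dev/null

# PEM key + certificate -> one browser-importable pkcs12 file
to_pkcs12() {
    openssl pkcs12 -export -in "$WORK/usercert.pem" -inkey "$WORK/userkey.pem" \
        -out "$WORK/usercert.p12" -passout env:P12_PASS
}

# pkcs12 -> password-protected PEM key and PEM certificate, as Globus expects them
from_pkcs12() {
    openssl pkcs12 -in "$WORK/usercert.p12" -nocerts -passin env:P12_PASS \
        -passout env:KEY_PASS -out "$GLOBUS/userkey.pem"
    openssl pkcs12 -in "$WORK/usercert.p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$GLOBUS/usercert.pem"
    chmod 400 "$GLOBUS/userkey.pem"
}

# $1 names the env var holding the key password; succeeds if the public key in
# the certificate equals the one derived from the private key
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$GLOBUS/usercert.pem")" = \
      "$(openssl rsa -pubout -in "$GLOBUS/userkey.pem" -passin "env:$1" 2>/dev/null)" ]
}

# $1 names the env var holding a password; succeeds if it opens the key
key_opens_with() {
    openssl rsa -noout -in "$GLOBUS/userkey.pem" -passin "env:$1" 2>/dev/null
}

# re-encrypt the key under the new password, then replace the old file
rotate_key_password() {
    openssl rsa -in "$GLOBUS/userkey.pem" -passin env:KEY_PASS \
        -aes256 -passout env:NEW_KEY_PASS -out "$GLOBUS/new-userkey.pem"
    mv -f "$GLOBUS/new-userkey.pem" "$GLOBUS/userkey.pem"
    chmod 400 "$GLOBUS/userkey.pem"
}

to_pkcs12
from_pkcs12
key_matches_cert KEY_PASS && echo "extracted key matches certificate"
rotate_key_password
key_opens_with NEW_KEY_PASS && echo "new password accepted"
key_opens_with KEY_PASS || echo "old password rejected"
ls -l "$GLOBUS/userkey.pem"
```

The public-key comparison is the check to run whenever a key and certificate come from different places (a browser export, a backup, a colleague): a mismatched pair fails silently in Globus and in mail clients until the first signature is rejected. Note that openssl pkcs12 protects its output with RC2/3DES in releases before 3.0 and with AES-based algorithms from 3.0 on, so a pkcs12 file written by an old release may need the -legacy option to be read by a 3.x openssl.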

 

Copyright (c) 2007 LIP. All rights reserved.