Certificate Management

 

Legal Warning

Specifications, details, statements, and information in this manual are subject to change without notice. All information, procedures, and statements below are intended for Tegsoft technical experts only. Do not use this manual without Tegsoft technical qualification. Tegsoft has no obligation for the result of applying any part of it. Some statements may not be suitable for your use; if you lack technical qualification, avoiding them may be crucial. Users take full responsibility for performing any steps in this manual. Users who are not familiar with the technical terms and operations described here should be aware that this document may not be suitable for them.

 

Changes to This Document

Date        Change Summary
2020-09-02  Initial release of the document.

 

 

 

Preface

This document explains how to manage and convert certificates. The preface for Certificate Management contains the following sections:

  • Certificate Verification
  • Converting Files
  • Common Errors

 

Obtaining Documentation

Tegsoft documentation and additional literature are available on the Tegsoft Knowledge Base. This section explains the product documentation resources that Tegsoft offers.

Tegsoft Knowledge Base

You can access the most current Tegsoft documentation at this URL:

https://tegsoft.com/knowledge-base/

 

Prerequisites

  • You must have basic knowledge of networking
  • You must have basic knowledge of SSH connections
  • You must have basic Linux command-line skills

 

 

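Certificate Verification
openssl verify -verbose certificate.crt

certificate.crt: OU = Domain Control Validated, OU = Hosted by Doruk Bilisim Teknolojileri Ltd. Sti, OU = PositiveSSL Wildcard, CN = *.rumeli.edu.tr
error 20 at 0 depth lookup:unable to get local issuer certificate

Error 20 means OpenSSL could not find the issuing CA's certificate locally (for example, the intermediate bundle was not supplied); it does not by itself mean the certificate is invalid.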

 

Key Verification
openssl rsa -noout -modulus -in certificate.key | openssl md5

 

Key - Certificate Matching
openssl pkey -in certificate.key -pubout -outform pem | sha256sum
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum
openssl x509 -in certificate.crt -text -noout

 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a1:e0:4c:0f:d3:fa:2e:ae:e6:da:eb:61:66:76:02:f6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Feb 14 00:00:00 2018 GMT
            Not After : Feb 14 23:59:59 2019 GMT
        Subject: OU=Domain Control Validated, OU=Hosted by Doruk Bilişim Teknolojileri Ltd. Sti, OU=PositiveSSL Wildcard, CN=*.rumeli.edu.tr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

            X509v3 Subject Key Identifier:
                18:7E:41:D5:6B:95:26:76:EC:EB:5A:7C:0D:59:49:9F:A7:AE:7C:23
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:*.rumeli.edu.tr, DNS:rumeli.edu.tr
    Signature Algorithm: sha256WithRSAEncryption
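Added example (not part of the Tegsoft manual): the key and certificate matching commands above wrapped into one check that compares the two public-key hashes, treats an unparsable file as an error instead of a match, and also rejects a certificate whose validity period has ended. The function names and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and exit codes are assumptions, not Tegsoft's.
# Assumes an unencrypted private key (such as the certificate.key written by
# "openssl rsa" in the PFX conversion) so openssl does not prompt.

# SHA-256 of the PEM public key derived from a private key file.
key_pub_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the PEM public key embedded in a certificate file.
crt_pub_hash() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Returns 0 = pair is usable, 1 = key/certificate mismatch,
#         2 = a file could not be parsed, 3 = certificate has expired.
check_pair() {
    key=$1
    crt=$2
    # Capture openssl's exit status first: in a bare pipe, if both openssl
    # calls fail, sha256sum hashes empty input twice and the hashes "match".
    kh=$(key_pub_hash "$key") || { echo "ERROR: cannot parse key $key"; return 2; }
    ch=$(crt_pub_hash "$crt") || { echo "ERROR: cannot parse certificate $crt"; return 2; }
    if [ "$kh" != "$ch" ]; then
        echo "MISMATCH: $key is not the private key for $crt"
        return 1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $(openssl x509 -in "$crt" -noout -enddate)"
        return 3
    fi
    echo "OK: key matches certificate (public key sha256 $kh)"
}

# Usage: sh check_pair.sh certificate.key certificate.crt
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Because it uses openssl pkey rather than the RSA modulus, the same check works for non-RSA keys.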

 

Converting Files

 

Converting PFX to KEY File

Two steps:

openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:ENTER_PASSWORD
MAC verified OK

openssl pkcs12 -in yourfile.pfx -nocerts -out certificate-tmp.key
Enter Import Password:ENTER_PASSWORD
MAC verified OK
Enter PEM pass phrase:tegsoft123
Verifying - Enter PEM pass phrase:tegsoft123

openssl rsa -in certificate-tmp.key -out certificate.key
Enter pass phrase for certificate-tmp.key:tegsoft123
writing RSA key


Converting CRT to PFX File
openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -certfile bundle.crt


 

Converting KEY to 8 Bit (PKCS#8, DER) KEY File
openssl pkcs8 -topk8 -inform PEM -outform DER -in certificate.key -nocrypt > certificate8.key

 

Converting CER to PEM File
openssl x509 -inform der -in certificate.cer -out certificate.pem

 

Converting CRT to PEM File
openssl x509 -in certificate.crt -out certificate.pem -outform PEM

 

Common Errors


Overriding default certificate files
If you use the /certificates folder and certificate.XXX files, Tegsoft will override those files when booting. Run the command below to disable Tegsoft certificate overriding.

echo 1 > /root/custom_certificates