Encryption: Technical Information

Creating self-signed certificates for testing purposes

Use OpenSSL to create self-signed certificates in the following manner:

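  • Create a self-signed certificate containing a certificate and a private key. You will be prompted to enter some information, such as state and company name.
  • The “common name” is essential for this step. This can be the FQDN or the machine NetBIOS name.

Creating an X.509 certificate and private key pair (base64-encoded)

The first command writes both the certificate and the private key to server.pem. Because of -nodes, the private key is stored without a passphrase, so restrict access to that file. The second command generates 2048-bit Diffie-Hellman parameters in dh2048.pem.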

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.pem -out server.pem -sha256

openssl dhparam -2 -outform PEM -out dh2048.pem 2048

Adding a certificate to a keystore

keytool.exe -import -trustcacerts -keystore keystore -alias tomcat -file server.pem

Converting a PKCS12 package into a server.pem for Jedox

A PKCS12 package contains certificates, the root chain, the root certificate, and the private key (if selected in the extract).

PKCS12 unpack

openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem
openssl pkcs12 -in cert.p12 -cacerts -nokeys -out root.pem
openssl pkcs12 -in cert.p12 -nocerts -out private-key.pem

PRIVATEKEY: remove the password (only if the private key is protected with a password)

openssl rsa -in private-key.pem -out priv.key

SERVER.PEM creation on Linux

cat cert.pem > server.pem
cat priv.key >>server.pem
cat root.pem >>server.pem

SERVER.PEM creation on Windows

copy cert.pem+priv.key+root.pem server.pem

Converting a PKCS7 package into a server.pem for Jedox

A PKCS7 package contains certificates, the root chain, and the root certificate (if selected in the extract).

PKCS7 unpack

openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs > certificate_bundle.cer

Create server.pem

  • Create a new file and name it server.pem.
  • Copy the content of certificate_bundle.cer and your private key (not part of the PKCS7 bundle) into the server.pem file.

Checking whether the private key matches the certificate

Use the command below to output an MD5 digest of the certificate's modulus:

openssl x509 -noout -modulus -in cert.pem | openssl md5

The output looks something like this: a77c7953ea5283056a0c9ad75b274b96

Next, use the following command to output the same digest for the modulus of the private key:

openssl rsa -noout -modulus -in priv.key | openssl md5

The digest for the private key's modulus should be identical to the digest for the certificate's modulus.
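
The same check in a more general form, as an added example that is not part of the original documentation: it compares the complete public key instead of an MD5 digest of the RSA modulus, so it also works for non-RSA keys and for a combined server.pem. The function names are illustrative, and the key is assumed to be stored without a passphrase (priv.key from the step above).

```shell
#!/bin/sh
# Added example: verify that a private key belongs to a certificate by
# comparing public keys. Function names are illustrative, not from Jedox.

# Print the public key embedded in the first certificate found in file $1.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from the private key found in file $1.
# Assumes the key is not passphrase-protected.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# key_matches_cert CERT_FILE KEY_FILE
# Returns 0 on match, 1 on mismatch, 2 if either input cannot be read.
# Unreadable input is reported separately so that two failed reads are
# never mistaken for a match.
key_matches_cert() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Human-readable wrapper; passes the result code through.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: private key belongs to the certificate" ;;
        1) echo "MISMATCH: private key does not belong to the certificate" ;;
        *) echo "ERROR: could not read certificate or private key" ;;
    esac
    return "$rc"
}

# Usage: sh check.sh cert.pem priv.key
#    or: sh check.sh server.pem server.pem   (combined file)
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```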