RedDevil n00b
Joined: 07 May 2004 Posts: 14
Posted: Mon May 10, 2004 5:44 am Post subject: openSSL question
I want to ask what is the OpenSSL command that you used to prepare the message for transmission? I'm still new to OpenSSL. Thanks
kpack Tux's lil' helper
Joined: 29 Mar 2004 Posts: 137
Posted: Mon May 10, 2004 12:24 pm Post subject:
What are you trying to accomplish?
RedDevil n00b
Joined: 07 May 2004 Posts: 14
Posted: Tue May 11, 2004 2:54 am Post subject:
What I want to accomplish is to send a confidential msg to someone that I have created in a file. I want to use the OpenSSL SMIME commands to prepare the msg for transmission to someone but don't really know how to use the command. Can someone help me?
How do I use openssl to import my certificate and the receiver's certificate? Do I need the Issuer's certificate to do this? Thanks!
Last edited by RedDevil on Tue May 11, 2004 3:24 am; edited 1 time in total
RedDevil n00b
Joined: 07 May 2004 Posts: 14
Posted: Tue May 11, 2004 2:59 am Post subject:
Another question about openssl.
Let's say that the person has received my msg and wants to verify the integrity and authenticity of a message from me. What are the OpenSSL SMIME commands to check the integrity and authenticity of the message I've just sent? Thanks again!
kpack Tux's lil' helper
Joined: 29 Mar 2004 Posts: 137
Posted: Tue May 11, 2004 3:36 am Post subject:
If you're talking about encrypting email messages using Linux or open-source email clients on Windows like Thunderbird, the standard way is using public key encryption. If you're using gnupg, just generate a key pair using
gpg --gen-key
Read your email client documentation on how to use GPG for encryption. In kmail, for instance, you go to the Identities tab, click the Modify button, go to the Advanced tab and select the correct PGP key. Once you have a PGP key selected, you can click an icon in the composer window to sign or encrypt a message.
The next step is to make sure whoever you want to send encrypted/signed mail to also has gpg installed and a gpg compatible mail client like kmail, or Evolution or Mozilla Thunderbird (with the enigmail extension). Then exchange public gpg keys with that person. You can email the keys to each other, or post them on your web page, or send them to a public key server.
When you get their public key, add it to your gnupg key ring. If you want to send anybody encrypted mail, you need their public key. You also need their public key if you want to verify any signed mail they send you. They need your public key to encrypt mail to you or to verify signed mail you send them.
Alternatively, you can encrypt mail using gpg symmetric ciphers and send it as a text file attachment. Then the person receiving it just needs to have gpg installed, and know the passphrase you used to encrypt the message. If you both have compatible email clients, just use public key encryption.
RedDevil n00b
Joined: 07 May 2004 Posts: 14
Posted: Tue May 11, 2004 3:48 am Post subject:
kpack, can openssl use gpg commands? What you wrote was a gpg command. What I want is to use openSSL commands to encrypt a msg using smime. Correct me if I'm wrong. Thanks!
kpack Tux's lil' helper
Joined: 29 Mar 2004 Posts: 137
RedDevil n00b
Joined: 07 May 2004 Posts: 14
Posted: Tue May 11, 2004 1:08 pm Post subject:
I still can't get the right answer. My certificates are all in .cer extension. Do I need to change it to .pem format? I'm really lost now. How do I import .cer files in ssl? Can't encrypt the msg I want now. :( Help needed very badly!
mc_hammer n00b
Joined: 11 May 2004 Posts: 1 Location: Toronto, Canada
Posted: Thu May 13, 2004 3:39 am Post subject:
I created myself a certificate to use smime in Netscape's mail client a while back. Here's the notes I made at the time:
# General steps
# 1. create Certificate Authority
# 2. create private key
# 3. create certificate request using our CA's organization name
# 4. sign certificate request, creating cert
# 5. generate a PKCS#12 file for use in email client (Netscape)
# 6. install cert.p12 in your browser/email client
# Create Certificate Authority
/usr/share/ssl/misc/CA -newca
# Create private key
openssl genrsa -out privkey.pem 2048
# Create certificate request. NOTE: org name must be CA's org name from step 1
openssl req -new -key privkey.pem -out cert.csr
# Sign certificate request, creating cert
openssl ca -in cert.csr -out cert.pem
# Generate a PKCS#12 file for use in email client (Netscape)
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert.p12 -name "Dan's Homemade"
# Open Netscape Mail
# Click "Edit" -> "Preferences..."
# Under "Privacy & Security" -> "Certificates", click the "Manage Certificates" button
# Click the "Import" button
# Select the file "cert.p12" created in step 5 and click the "Open" button
# Now you are back to the "Certificate Manager" window
# Click the "Authorities" tab
# Click the "Import" button
# Select the CA's certificate created in step 1 (should be ./demoCA/cacert.pem)
# Click the "Open" button
# Close the "Certificate Manager" window
#
# Click "Edit" -> "Mail & Newsgroups Account Settings..."
# Under "your email address" -> Security
# Check "Digitally sign messages (by default)"
# Select cert to sign with
# Check "Required (can't send messages unless all recipients have certificates)"
# Select cert to encrypt with
# Click the "OK" button
# References
#
# Manual Pages
# ca(1), genrsa(1), pkcs12(1), req(1)
#
# OpenSSL. 2003. HOWTO's
# http://www.openssl.org/docs/HOWTO/certificates.txt
# http://www.openssl.org/docs/HOWTO/keys.txt
#
# Robert Bernier. 2003. Encrypted Email Cookbook
# http://linux.oreillynet.com/pub/a/linux/2003/09/04/email_pki.html?page=2
Hope all that helps.
Dan
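The S/MIME steps asked about in this thread (converting a .cer, encrypting to a recipient, checking integrity and authenticity), shown end to end as an added example that is not part of any post. A throwaway CA made with `openssl req -x509` stands in for the `CA -newca` script, and `alice`, `bob`, `demo.cnf` and `example.test` are constructed names.

```sh
#!/bin/sh
# Added example: S/MIME sign-then-encrypt round trip with a throwaway CA.
# Every name, subject and file here is constructed for the demo.
set -eu
cd "$(mktemp -d)"

# Minimal config so the CA certificate is marked CA:TRUE.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {  # self-signed CA; stands in for "CA -newca" in the notes
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -days 30 2>/dev/null
}
issue() {    # $1 = user name: private key, request, CA-signed certificate
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config demo.cnf -key "$1.key" \
    -subj "/CN=$1/emailAddress=$1@example.test" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key \
    -CAcreateserial -days 30 -out "$1.pem" 2>/dev/null
  # Also write a binary DER copy, one common form of a .cer file.
  openssl x509 -in "$1.pem" -outform DER -out "$1.cer"
}
cer_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Sender needs: own key + cert (sign), recipient's cert only (encrypt).
sign()    { openssl smime -sign -text -in "$1" -signer alice.pem \
              -inkey alice.key -out "$2"; }
encrypt() { openssl smime -encrypt -aes256 -in "$1" -out "$2" "$3"; }
# Recipient needs: own key + cert (decrypt), issuing CA's cert (verify).
decrypt() { openssl smime -decrypt -in "$1" -recip bob.pem \
              -inkey bob.key -out "$2"; }
verify()  { openssl smime -verify -text -in "$1" -CAfile ca.pem \
              -out "$2" 2>/dev/null; }

make_ca; issue alice; issue bob
cer_to_pem bob.cer bob_from_cer.pem
printf 'constructed confidential message\n' > msg.txt
sign msg.txt signed.msg
encrypt signed.msg mail.msg bob_from_cer.pem
decrypt mail.msg opened.msg
verify opened.msg out.txt && echo "signature and chain verified"
```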
axses Tux's lil' helper
Joined: 18 Mar 2003 Posts: 110
Posted: Tue Jun 01, 2004 7:17 am Post subject:
Hello
Here is a link to what you are looking for. It describes how to use openssl to sign .cer requests for IIS, for example. The link uses a Windows version of openssl. Just use the commands. I have gotten it working and use my own CA to sign IIS requests. If you have problems getting it running, just shout.
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
Also download the openssl.conf to your /etc/ssl directory.