OpenSSL is a leading open-source SSL solution that offers many features; from client and server communication, to certificates generation and self-signing. The OpenSSL allows a user to issue CA certificates and use them to sign other certificates for both testing and production scenarios. Visit OpenSSL website: https://www.openssl.org/
Diffie Hellman is one of the most common and known key exchange algorithms. When two parties, which have no prior knowledge, want to communicate in a secure way and use asymmetric encryption they first need to perform cryptographic key exchange. The process involves information that passes in clear text through an insecure channel (such as the internet), producing a shared secret and then secure communication is established.
For more information: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Elliptic curve cryptography is based on the algebraic structure of elliptic curves over finite fields for more information:
The two algorithms can work together: The elliptic curve Diffie–Hellman (ECDH) key agreement scheme is based on the Diffie–Hellman scheme.
OpenSSL and Diffie Hellman
Some of the OpenSSL processes require Diffie Hellman for key exchange.
Generating the prime number (‘p’) and the primitive root (‘g’) for each exchange takes time so in some cases, the OpenSSL enables the extraction from a certificate.
However, Diffie Hellman doesn’t offer certificate signing so the process seems rather difficult.
Here is a clean way to produce the certificates and the parameters:
Optional – Create Root authority
Create root Key
openssl genrsa -out AppSecTestCA.key 4098
Create root key with AES
openssl genrsa -out AppSecTestCA.key 4098 –aes
Create SelfSigned RootCa
openssl req -x509 -new -nodes -key AppSecTestCA.key -days 4098 -out AppSecTestCA.pem
- OpenSSL will prompt for information about the certificate
Generating DH certificates
Generating DH params
openssl dhparam -out AppSecTestdhParam.pem 4098
- Note that this takes some time
openssl genpkey -paramfile AppSecTestdhParam.pem -out AppSecTestdhkey.pem
Create the public key
openssl pkey -in AppSecTestdhkey.pem -pubout -out AppSecTestpubkey.pem
Create CSR file
openssl genrsa -out AppSecTestrsakey.pem 4098
openssl req -new –key AppSecTestrsakey.pem -out AppSecTestrsa.csr
Generating the DH cert from the RSA CSR and the DH public key
openssl x509 -req -in AppSecTestrsa.csr -CAkey AppSecTestCA.key -CA AppSecTestCA.pem -force_pubkey AppSecTest.pem -out AppSecTestdhcert.pem -CAcreateserial
- force_pubkey is only available in an OpenSSL vesion 1.0.2 and above
Generating Elliptic Curve CA
Listing Elliptic Curve Ciphers
openssl ecparam –list_curves
Create a Self-Signed CA certificate
This example uses sec283k1, a NIST/SECG standard curve over a 283 bit binary field
openssl ecparam -out AppSecECCAKey.key -name sect283k1 -genkey
openssl req -x509 -new -key AppSecECCAKey.key -out AppSecECCA.pem -outform PEM -days 3650
Create a private key and a request for the EC certificate
openssl ecparam -out AppSecECKey.key -name sect283k1 -genkey
openssl req -new -nodes -key AppSecECKey.key -outform pem -out AppSecECRequest.req
Generating the EC signed certificate from the AppSecECRequest request in the local directory
openssl ca -keyfile AppSecECKey.key -cert AppSecECCA.pem -in AppSecECRequest.req -out AppSecECCert.pem –outdir .
I hope this was helpful!
Creating CA Certificates: http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
EC Certificates: http://this.is.thoughtcrime.org.nz/elliptic-curve-ca-guide