Creating TLS Certificates

Supported Certificate Types

The ProSBC supports the following certificate private keys:

RSA
ECDSA, starting from ProSBC version 3.3.5

Installing a custom private key and local certificate on ProSBC

See WEB Portal configuration documentation

Use ProSBC (or Linux) shell to manipulate certificates

You can use ProSBC's shell (or most Linux hosts' shell as long as OpenSSL is installed) to create and view private keys, certificates and CSRs (certificate signing requests).

Create new private key

 openssl genrsa -out MY_PRIVATE_KEY.pem 2048

You will be prompted to enter a pass phrase:

 Generating RSA private key, 2048 bit long modulus
 .....................+++
 ..............................+++
 e is 65537 (0x10001)
 Enter pass phrase for MY_PRIVATE_KEY.pem:
 Verifying - Enter pass phrase for MY_PRIVATE_KEY.pem:

Resulting file:

 -rw-r--r-- 1 root root 1704 Mar 14 09:15 MY_PRIVATE_KEY.pem

Create a self-signed certificate from a private key

 openssl req -x509 -sha256 -nodes -days 365 -key MY_PRIVATE_KEY.pem -out MY_CERTIFICATE.crt

You will be prompted to answer questions regarding the certificate:

 Generating a 2048 bit RSA private key
 .........................................................+++
 ........................................................................................................................................................................................+++
 writing new private key to 'MY_PRIVATE_KEY.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CA
 State or Province Name (full name) []:Quebec
 Locality Name (eg, city) [Default City]:Boucherville
 Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:MySBC
 Email Address []:[email protected]

Resulting files:

 -rw-r--r-- 1 root root 1415 Mar 14 09:15 MY_CERTIFICATE.crt
 -rw-r--r-- 1 root root 1751 Mar 14 09:14 MY_PRIVATE_KEY.pem

Create a CSR (certificate signing request) from a private key

 openssl req -new -newkey rsa:2048 -nodes -keyout my_local_cert.key -out MY_CSR.csr

You will be prompted to answer questions regarding the certificate:

 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CA
 State or Province Name (full name) []:Quebec
 Locality Name (eg, city) [Default City]:Boucherville
 Organization Name (eg, company) [Default Company Ltd]:TelcoBridges
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:MySBC
 Email Address []:[email protected]
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:my_password
 An optional company name []:TelcoBridges

Resulting files:

 -rw-r--r-- 1 root root 1127 Mar 14 09:20 MY_CSR.csr

View the contents of the certificate

 openssl x509 -noout -text -in MY_CERTIFICATE.crt

Resulting output:

 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             f3:fc:c5:72:ea:a9:50:a6
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/[email protected]
         Validity
             Not Before: Mar 14 13:15:53 2019 GMT
             Not After : Mar 13 13:15:53 2020 GMT
         Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                     00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                     f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                     ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                     e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                     82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                     68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                     9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                     9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                     3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                     20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                     87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                     24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                     98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                     cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                     8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                     d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                     f5:1d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
             X509v3 Authority Key Identifier:
                 keyid:9C:DA:43:3C:BC:E6:B1:8B:E7:B4:1C:AB:39:14:66:72:F5:C2:D6:25
 
             X509v3 Basic Constraints:
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
          4c:96:41:e8:ff:d8:79:e0:db:22:ec:a2:10:1b:c0:88:f3:83:
          60:b1:2d:91:06:15:a4:96:4a:9a:fb:3c:39:a4:48:04:a9:55:
          1b:b5:c2:c8:08:e0:70:d7:03:c5:e1:1d:f7:0c:3d:38:49:aa:
          9b:85:1f:d2:6b:61:f5:10:9a:c7:0a:ff:34:a4:e9:d5:0b:cd:
          2a:90:84:07:ac:74:7f:d9:e1:dd:33:dd:ae:8c:5a:61:ec:20:
          d3:6e:7c:e5:be:46:94:b4:bc:da:54:80:12:28:5b:12:80:a1:
          ad:86:6a:f9:dc:1f:f8:a5:cb:ab:2a:30:5d:f8:19:9f:e8:82:
          9b:32:b7:cc:d5:f9:7d:3b:35:51:8b:a5:39:e3:71:84:37:09:
          20:e0:d9:6c:6f:37:76:49:3a:01:ea:ce:8b:71:74:fe:29:2c:
          84:3d:3b:9e:6c:50:64:53:36:90:6e:49:ce:40:fd:80:c7:25:
          31:d5:49:42:0f:c7:37:9a:9e:99:6b:37:3e:9a:71:a7:a2:87:
          19:1d:a3:44:48:b8:c3:65:c1:55:b2:0c:57:e8:0f:a6:f2:a5:
          b4:d3:50:04:fe:fd:86:2c:c2:0a:c2:20:aa:81:26:48:34:3a:
          3d:a6:2e:1b:eb:d7:b9:f1:a2:ad:7a:42:37:81:63:02:ac:3b:
          e6:01:6b:10

View the signing request of a certificate (CSR)

 openssl req -text -noout -verify -in MY_CSR.csr

Resulting output:

 verify OK
 Certificate Request:
     Data:
         Version: 0 (0x0)
         Subject: C=CA, ST=Quebec, L=Boucherville, O=TelcoBridges, CN=MySBC/[email protected]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (2048 bit)
                 Modulus:
                     00:dc:38:85:9f:75:ce:cf:7c:3b:60:20:11:d1:47:
                     00:39:6e:10:5c:3b:72:6e:26:09:70:7a:df:14:b3:
                     f4:60:fb:0d:73:69:a9:4c:4f:a0:34:12:83:1a:9b:
                     ce:f0:61:59:bd:f1:fb:a3:cb:84:be:a5:3b:86:e5:
                     e0:66:82:53:fd:69:c3:f1:cf:85:73:2d:30:a9:a5:
                     82:4e:e2:0f:20:de:88:9d:7a:42:d3:19:7b:09:08:
                     68:75:c4:36:46:23:f2:c6:05:49:e6:79:06:ce:f8:
                     9f:66:11:ad:e3:41:6c:f5:cb:df:3a:a4:77:a3:b3:
                     9b:55:f4:fc:5a:5a:c1:ae:c5:5d:0b:de:b1:1a:bc:
                     3d:02:b9:0c:5d:d8:57:33:66:b2:a8:c0:c2:74:16:
                     20:32:63:0f:8b:8f:aa:f4:aa:bc:8a:12:1b:54:e1:
                     87:c7:10:79:ea:1d:f3:e2:4b:b3:b5:70:d5:ec:27:
                     24:d3:f2:37:20:7e:f7:2c:69:21:63:50:4a:fe:a2:
                     98:4f:bc:c8:4b:3c:74:68:95:8e:0a:0b:42:39:d3:
                     cb:88:1d:55:c1:e1:61:f3:b0:64:42:6f:ec:c5:6f:
                     8f:f8:1c:a8:d9:5b:fc:d7:54:91:3b:0a:c4:1a:82:
                     d1:96:11:ca:16:b8:44:f0:48:3a:1e:e4:78:d0:14:
                     f5:1d
                 Exponent: 65537 (0x10001)
         Attributes:
             challengePassword        :my_password
             unstructuredName         :TelcoBridges
     Signature Algorithm: sha256WithRSAEncryption
          85:98:17:25:45:42:f6:44:f0:51:ca:42:32:92:e6:0e:a6:9d:
          59:73:1c:82:c6:9b:c1:b7:17:00:77:f3:42:52:86:d6:08:a8:
          30:99:02:41:c6:c2:22:b2:98:b9:f7:83:b9:b0:ab:5b:59:95:
          9c:32:3b:9b:15:1c:4c:90:d1:bb:cf:fb:85:c4:5d:df:df:9e:
          18:1b:f8:5b:b5:68:60:0f:d8:c6:5d:29:0c:54:b3:63:88:0c:
          05:59:34:ad:c0:11:5b:e9:fb:e8:8c:c1:b5:5f:83:60:78:05:
          b7:7e:66:d7:1a:59:5a:2e:b3:9c:c2:38:68:29:bf:44:51:da:
          c9:2b:c3:f1:47:3c:d4:ce:4a:b2:8f:7d:6a:72:46:13:a8:97:
          18:7e:bf:b0:33:14:ee:61:ed:94:c6:c0:19:92:14:2d:a0:8c:
          b1:a2:c1:61:40:62:90:7c:64:09:52:ec:b6:fd:cb:fe:56:3f:
          6e:de:e3:38:93:ee:e4:26:33:59:6c:3f:4f:36:87:de:96:4d:
          c4:bd:ce:35:b2:79:16:38:f5:84:c8:ce:4a:27:11:6b:4b:0d:
          9b:9f:dd:63:87:ca:23:12:8c:64:3b:c7:f0:46:e8:bd:e0:e7:
          35:9d:b9:fb:aa:60:e2:48:8f:9b:6b:fb:69:2f:a5:7c:94:5a:
          70:4d:a6:d1

Check that a certificate and a CSR match the private key

 openssl x509 -noout -modulus -in MY_CERTIFICATE.crt | openssl md5
 openssl rsa -noout -modulus -in MY_PRIVATE_KEY.pem | openssl md5
 openssl req -noout -modulus -in MY_CSR.csr | openssl md5

All 3 commands should display the same MD5 hash:

 (stdin)= 41c46eddc15580673fe4adb8f5255634

PreviousTLS/SRTP NextAdding TLS Certificates

Last updated 2 months ago

Was this helpful?