Generating Keys
One of the most widely used tools for generating keys is OpenSSL. Other tools exist, including online ones, such as the key generator on the www.ssl.com site, CSR Generator, and others.
OpenSSL is an open-source command-line tool commonly used to generate private keys, create CSRs, install your SSL/TLS certificate and read certificate information. Because it is a command-line tool, the user can run it in an environment whose security they control, which matters because the private key must be kept secret.
The general syntax for invoking openssl is:
$ openssl command [ command_options ] [ command_arguments ]
To create a new private key and a certificate signing request, run OpenSSL with the following command and arguments:
$ openssl req -out mydomain.csr -new -newkey rsa:2048 -nodes -keyout mydomain.key
Where:
- req
- Creates and processes certificate requests.
- -out outfile
- Specifies the file name (outfile) in which the Certificate Signing Request (CSR) is saved. The CSR must be sent to a certificate authority (CA) so that it can issue the digital certificate (CRT).
- -new
- New request.
- -newkey val
- Specifies the type and size (val) of the new key in bits. If "val" is rsa:2048, the key type is RSA and the new key is 2048 bits long.
- -nodes
- Does not encrypt the generated private key (no passphrase is set on the key file).
- -keyout outfile
- File name (outfile) in which the new private key is saved.
During key creation a series of questions is asked, as shown in the example below. Some fields can be left blank by simply pressing <ENTER>. However, information such as country (two-letter code), state, city, email, and the domain or owner name entered in the Common Name field identify who is requesting the certificate. The Common Name becomes part of the certificate issued by the certificate authority.
ubuntu@ip-172-31-4-230:~$ openssl req -out mydomain.csr -new -newkey rsa:2048 -nodes -keyout mydomain.key
Generating a RSA private key
...............................................+++++
...................+++++
writing new private key to 'mydomain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:minas gerais
Locality Name (eg, city) []:uberlandia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:engenharia ltda
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.mydomain.com.br
Email Address []:luisa@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
To check that the CSR was generated correctly:
To check that the certificate signing request was generated according to the desired specifications, use the command:
$ openssl req -noout -text -in mydomain.csr
Example of a certificate signing request (CSR):
ubuntu@ip-172-31-4-230:~$ openssl req -noout -text -in mydomain.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = BR, ST = minas gerais, L = uberlandia, O = engenharia ltda, CN = www.mydomain.com.br, emailAddress = luisa@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
To check that the private key was generated correctly:
$ openssl rsa -in mydomain.key -check
Example of a private key:
openssl rsa -in mydomain.key -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
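The CSR and private-key checks above, as an added example that is not part of the original page: the same openssl req command run non-interactively, followed by the checks a practitioner runs before sending the CSR to a CA (key sanity, CSR self-signature, and that the CSR really carries the public half of mydomain.key). File names and DN values are the page's; WORKDIR (a temporary directory) and the SAN names are assumptions.

```shell
#!/bin/sh
# Added example: the page's key + CSR generation run without prompts, followed by the
# checks that confirm the CSR is well formed and belongs to the key. File names and DN
# values are the page's; WORKDIR (a temp dir) and the SAN names are assumptions.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CSR="$WORKDIR/mydomain.csr"; KEY="$WORKDIR/mydomain.key"

# -subj answers the Distinguished Name prompts; -addext adds the Subject Alternative
# Name extension that TLS clients match the hostname against (OpenSSL 1.1.1 or later).
gen_csr() {
  openssl req -out "$CSR" -new -newkey rsa:2048 -nodes -keyout "$KEY" \
    -subj "/C=BR/ST=minas gerais/L=uberlandia/O=engenharia ltda/CN=www.mydomain.com.br" \
    -addext "subjectAltName=DNS:www.mydomain.com.br,DNS:mydomain.com.br" 2>/dev/null
}

# Common Name from the CSR subject (the -noout -text inspection reduced to one field).
csr_cn() { openssl req -in "$CSR" -noout -subject | sed 's/.*CN *= *//'; }

# SAN line from the "Requested Extensions" section, whitespace stripped.
csr_san() {
  openssl req -in "$CSR" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}

# The page's key check, with -noout so the private key is not echoed to the terminal.
key_ok() { openssl rsa -in "$KEY" -check -noout 2>&1 | grep -q '^RSA key ok'; }

# The CSR is self-signed with the private key; a bad signature means a corrupted or
# tampered request, which a CA would reject.
csr_verify() { openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'; }

# The CSR must carry the public half of mydomain.key: compare the two public keys.
key_matches_csr() {
  k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Run the whole sequence when executed directly.
gen_csr && key_ok && csr_verify && key_matches_csr &&
  echo "CSR for $(csr_cn) with SAN $(csr_san): OK"
```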
To check a certificate:
$ openssl x509 -in mydomain.crt -text -noout
Example certificate (CRT):
ubuntu@ip-172-31-4-230:~$ openssl x509 -in mydomain.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
75:4d:b6:8f:21:77:fb:08:8e:c1:9f:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
Validity
Not Before: Jan 18 18:43:20 2021 GMT
Not After : Feb 19 18:43:20 2022 GMT
Subject: CN = www.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
Authority Information Access:
CA Issuers - URI:http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
OCSP - URI:http://ocsp2.globalsign.com/gsalphasha2g2
X509v3 Certificate Policies:
Policy: 1.3.6.1.3.1.4146.2.10.10
CPS: https://www.globalsign.com/repository/
Policy: 2.21.143.1.2.1
X509v3 Basic Constraints:
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl2.alphassl.com/gs/gsalphasha2g2.crl
X509v3 Subject Alternative Name:
DNS:www.sirius.guru, DNS:sirius.guru
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:F5:CF:D5:3C:08:52:F9:6A:4F:3D:B7:97:DA:51:83:E6:69:D2:68:F7
X509v3 Subject Key Identifier:
3F:C3:6F:C2:8B:3F:91:8C:3B:C1:DB:7F:D6:D4:3C:81:6F:82:B4:35
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 6F:53:76:AD:32:F0:31:19:D8:99:00:A4:51:15:FF:77:
15:1C:11:D9:04:C1:00:29:06:8D:B2:08:9A:37:D9:13
Timestamp : Jan 18 12:43:25.622 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:79:BF:F0:9E:39:39:21:F0:66:73:9F:63:A5:77:E5:
BE:57:7D:9C:60:0A:F8:F9:4G:5D:26:5C:25:5D:C7:84
Timestamp : Jan 18 19:43:25.362 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signature Algorithm: sha256WithRSAEncryption
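Added example, not from the original page: the checks worth running on the issued certificate before deploying it, beyond reading the -text dump by eye: validity window, that the hostname is covered by the Subject Alternative Name (the deployed certificate above lists its names there), and that the certificate embeds the public half of the deployed key. Since the CA-issued mydomain.crt is not available here, a self-signed certificate with the same Common Name and a SAN is constructed as a stand-in; WORKDIR is an assumption.

```shell
#!/bin/sh
# Added example: certificate checks. A self-signed certificate with the page's CN and a
# SAN is constructed as a stand-in for the CA-issued mydomain.crt; WORKDIR is assumed.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CRT="$WORKDIR/mydomain.crt"; KEY="$WORKDIR/mydomain.key"

# Stand-in for the issued certificate: self-signed, valid for 30 days.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CRT" -days 30 \
    -subj "/C=BR/O=engenharia ltda/CN=www.mydomain.com.br" \
    -addext "subjectAltName=DNS:www.mydomain.com.br,DNS:mydomain.com.br" 2>/dev/null
}

# Common Name from the certificate subject.
cert_subject() { openssl x509 -in "$CRT" -noout -subject | sed 's/.*CN *= *//'; }

# Succeeds only if the certificate is still valid in SECONDS from now, so an alert can
# be raised before expiry (e.g. 604800 = 7 days).
cert_valid_for() { openssl x509 -in "$CRT" -noout -checkend "$1" >/dev/null; }

# Hostname check as a TLS client performs it: the name must be in the SAN extension.
# -CAfile is the certificate itself only because the stand-in is self-signed; for a
# CA-issued certificate point it at the CA chain (the "CA Issuers" URI in the dump).
cert_valid_for_host() {
  openssl verify -CAfile "$CRT" -verify_hostname "$1" "$CRT" >/dev/null 2>&1
}

# The certificate must embed the public half of the key it is deployed with.
cert_matches_key() {
  c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
  k=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Run the whole sequence when executed directly.
make_cert && cert_valid_for 604800 && cert_valid_for_host www.mydomain.com.br &&
  cert_matches_key && echo "certificate for $(cert_subject): OK"
```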