4

I need to generate a proof of possession, signing a verification code with my private key.

I did not find a question related to this here on Stack Overflow, and I am not finding any reference on the Internet. I am following this tutorial, but I want to use OpenSSL.

My verification code is related to an X509 certificate, like this:

7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1
jww
Dalton Cézane

1 Answer

9

I got the answer from the Azure support team.

I already had my root key and X509 cert, generated with the following command:

    openssl req -x509 -newkey rsa:2048 -keyout root_private.pem -nodes -out root_cert.pem

Then, I needed to generate the verification cert...

  • Create verification key:

    openssl genrsa -out verification.key 2048
    
  • Create the verification cert:

    openssl req -new -key verification.key -out verification.csr
    

When creating the verification cert, I need to specify the verification code obtained (7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1) as the "Common Name" certificate field.

Now, just create the proof of possession certificate with the following command:

    openssl x509 -req -in verification.csr -CA root_cert.pem -CAkey root_private.pem -CAcreateserial -out verificationCert.pem -days 1024 -sha256

If I am not wrong, this last command signs the verification.csr, which has the verification code as the Common Name, with the root private key. At the end, the verificationCert.pem can be used as the proof of possession.

Dalton Cézane
  • When I specify CN with some UUID, it automatically adds "\x16" behind the CN, such as "CN=\x16234234234234234". Do you have any idea? – nolines Feb 19 '19 at 07:34
  • 2
    @nolines , as you can see [here](http://condor.depaul.edu/sjost/lsp121/documents/ascii-npr.htm), `\x16` is the ASCII hex representation for the control character `^V`. I suspect you are using `CTRL+V` to paste your UUID. Try to use another method to input the code or type it manually. – Dalton Cézane Feb 19 '19 at 19:19
  • `openssl x509 -req -in verification.csr -CA root_cert.pem -CAkey root_private.pem -CAcreateserial -out verificationCert.pem -days 1024 -sha256` Changed from `-verification.csr` to `verification.csr` – Ravikiran Reddy Kotapati Apr 23 '19 at 00:31
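
The answer's steps as a non-interactive script, added here as an example and not part of the original answer or comments: the Common Name is passed with `-subj` instead of being typed at the prompt, and the result is checked with `openssl verify` before use. The root subject `/CN=Example Root CA`, the function names and the temporary directory are assumptions; file names follow the answer.

```shell
#!/bin/sh
# Added example: non-interactive form of the answer's steps. File names follow
# the answer; the root subject "/CN=Example Root CA" is a constructed value.
CODE=7A69A4702DA903A41C3A5BC5575A8E3F49BEC5E5BA2D4CE1  # code quoted in the question

# make_pop <verification-code> <workdir>: build verificationCert.pem in workdir.
make_pop() (
  code=$1
  cd "$2" || exit 1
  # Refuse control characters (such as the \x16 reported in the comments)
  # before they end up in the certificate subject.
  if printf '%s' "$code" | LC_ALL=C grep -q '[[:cntrl:]]'; then
    echo "verification code contains control characters" >&2
    exit 1
  fi
  # Root key and self-signed cert, created only if the directory has none.
  if [ ! -f root_cert.pem ]; then
    openssl req -x509 -newkey rsa:2048 -keyout root_private.pem -nodes \
      -out root_cert.pem -subj "/CN=Example Root CA" 2>/dev/null || exit 1
  fi
  # -subj sets the CSR's Common Name directly, so nothing is typed or pasted.
  openssl genrsa -out verification.key 2048 2>/dev/null &&
  openssl req -new -key verification.key -out verification.csr -subj "/CN=$code" &&
  openssl x509 -req -in verification.csr -CA root_cert.pem -CAkey root_private.pem \
    -CAcreateserial -out verificationCert.pem -days 1024 -sha256 2>/dev/null
)

# cert_cn <cert.pem>: print the subject Common Name of a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

# check_pop <verification-code> <workdir>: succeed only if the certificate
# chains to root_cert.pem and its CN is exactly the verification code.
check_pop() {
  openssl verify -CAfile "$2/root_cert.pem" "$2/verificationCert.pem" >/dev/null 2>&1 &&
  [ "$(cert_cn "$2/verificationCert.pem")" = "$1" ]
}

work=$(mktemp -d)
make_pop "$CODE" "$work" && check_pop "$CODE" "$work" &&
  echo "proof of possession ready: $work/verificationCert.pem"
```

To use an existing root, place `root_cert.pem` and `root_private.pem` in the work directory before calling `make_pop`.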