Difference between revisions of "FAQ Using TSslCertTools"
m |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | The TSslCertTools component is designed to create, read, save and validate X509 SSL/TLS certificates, | ||
+ | private keys, certificate signing requests and bundle files. | ||
+ | |||
The main test application for the TSslCertTools component is the OverbyteIcsPemtool sample, | The main test application for the TSslCertTools component is the OverbyteIcsPemtool sample, | ||
− | which illustrates use of all the methods and properties. | + | which illustrates use of all the methods and properties. |
+ | OverbyteIcsPemtool may be used to create the private key and certificate request needed to buy a commercial SSL certificate from a public | ||
+ | certificate authority. Once the new SSL certificate has been received from the CA, usually as a PEM file or email, it may be converted | ||
+ | into other formats and saved as a single PEM or PKS12 bundle with the original private key making it easier to distribute and install on servers. | ||
== ICS Cryptography Types == | == ICS Cryptography Types == | ||
Line 27: | Line 33: | ||
Creating new RSA keys is computationally expensive, 4,096 bits a couple of seconds, 7,680 bits maybe a minute, 15,360 bit takes hours. Note RSA PSS keys need OpenSSL 1.1.1 or later. | Creating new RSA keys is computationally expensive, 4,096 bits a couple of seconds, 7,680 bits maybe a minute, 15,360 bit takes hours. Note RSA PSS keys need OpenSSL 1.1.1 or later. | ||
− | + | TSslPrivKeyType = ( | |
− | + | PrivKeyRsa1024, { level 1 - 80 bits } | |
− | + | PrivKeyRsa2048, { level 2 - 112 bits } | |
− | + | PrivKeyRsa3072, { level 3 - 128 bits } | |
− | + | PrivKeyRsa4096, { level 3 - 128 bits } | |
− | + | PrivKeyRsa7680, { level 4 - 192 bits } | |
− | + | PrivKeyRsa15360, { level 5 - 256 bits } | |
− | + | PrivKeyECsecp256, { level 3 - 128 bits } | |
− | + | PrivKeyECsecp384, { level 4 - 192 bits } | |
− | + | PrivKeyECsecp512, { level 5 - 256 bits } | |
− | + | PrivKeyEd25519, { level 3 - 128 bits } | |
− | + | PrivKeyRsaPss2048, { level 2 - 112 bits } | |
− | + | PrivKeyRsaPss3072, { level 3 - 128 bits } | |
− | + | PrivKeyRsaPss4096, { level 3 - 128 bits } | |
− | + | PrivKeyRsaPss7680, { level 4 - 192 bits } | |
− | + | PrivKeyRsaPss15360); { level 5 - 256 bits } | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | ICS private key file encryption types: | ||
+ | TSslPrivKeyCipher = ( | ||
+ | PrivKeyEncNone, | ||
+ | PrivKeyEncTripleDES, | ||
+ | PrivKeyEncIDEA, | ||
+ | PrivKeyEncAES128, | ||
+ | PrivKeyEncAES192, | ||
+ | PrivKeyEncAES256, | ||
+ | PrivKeyEncBlowfish128); | ||
== Create a new private key file == | == Create a new private key file == | ||
Line 70: | Line 74: | ||
# Optionally save public key to file using PublicKeySaveToPemFile method. | # Optionally save public key to file using PublicKeySaveToPemFile method. | ||
+ | == Create a new certificate signing request from properties == | ||
− | + | A certificate signing request (CSR) is needed to buy a commercial SSL certificate from a public | |
− | + | certificate authority and most importantly specifies the host domain name or names of the | |
− | A certificate request is needed to buy a commercial SSL certificate from a public | ||
− | certificate authority and most importantly specifies the host domain name of the | ||
public SSL server it will secure. | public SSL server it will secure. | ||
Line 84: | Line 87: | ||
# Optionally save request to string using SaveReqToText method. | # Optionally save request to string using SaveReqToText method. | ||
− | + | == Create a new certificate signing request from old certificate == | |
− | == Create a new certificate request from old certificate == | ||
This is a shorter way to create a new request when renewing an existing certificate with the same private key. | This is a shorter way to create a new request when renewing an existing certificate with the same private key. | ||
Line 95: | Line 97: | ||
# Save request to PEM file using SaveReqToFile method. | # Save request to PEM file using SaveReqToFile method. | ||
# Optionally save request to string using SaveReqToText method. | # Optionally save request to string using SaveReqToText method. | ||
− | |||
== Create new self signed certificate from properties == | == Create new self signed certificate from properties == | ||
Line 113: | Line 114: | ||
# Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. | # Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. | ||
# Optionally save certificate to string using SaveCertToText method. | # Optionally save certificate to string using SaveCertToText method. | ||
− | |||
== Create new CA signed certificate from certificate request == | == Create new CA signed certificate from certificate request == | ||
Line 139: | Line 139: | ||
may be incorrectly saved. | may be incorrectly saved. | ||
+ | The TSslX509Certs component includes an Own CA Order Process which create new CA signed certificate | ||
+ | with fewer steps, and saves details of certificates created to database, to support | ||
+ | transparency and certificate revocation lists. | ||
+ | |||
+ | == Convert certificate from one file format to another == | ||
+ | |||
+ | # Load existing certificate using LoadFromFile or LoadFromText methods. | ||
+ | # Optionally load private key for existing certificate using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods. | ||
+ | # If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher. | ||
+ | # Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. | ||
− | + | One use for this is to convert base64 DER/PEM certificates into P12/PVX format that can be easily installed into the Windows certificate store. | |
− | |||
− | |||
− | + | == Create New DHParams File == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | DHParams contain prime numbers needed to support old DH and DHE ciphers (but not | |
− | |||
− | DHParams contain prime numbers needed to support DH and DHE ciphers (but not | ||
ECDH and ECDHE). Ideally they should be unique per server and/or application | ECDH and ECDHE). Ideally they should be unique per server and/or application | ||
and some applications even generate new params each day. But finding prime | and some applications even generate new params each day. But finding prime | ||
numbers is time consuming, the shortest 1,024 bits can take up a minute, 2,048 | numbers is time consuming, the shortest 1,024 bits can take up a minute, 2,048 | ||
bits several minutes, 4,096 bits a few hours, and gave up with 8,192 bits after | bits several minutes, 4,096 bits a few hours, and gave up with 8,192 bits after | ||
− | two days. ICS include constants sslDHParams2048 and sslDHParams4096 to save | + | two days. |
− | you calculating your own. | + | |
− | + | ICS include constants sslDHParams2048 and sslDHParams4096 to save | |
− | optionally a progress indicator so the application remains responsive while | + | you calculating your own, if you really need to use old DH and DHE ciphers. |
− | calculating DHParams. | + | |
− | + | # Assign OnKeyProgress event handler with Application.ProcessMessages and optionally a progress indicator so the application remains responsive while calculating DHParams. | |
− | bits, 768, 1024, 20248, 4096, 8192. | + | # Create DHParams using DoDHParams method passing new file name and number of bits, 768, 1024, 20248, 4096, 8192. |
− | + | # Optionally save DHParams string returned by DoDHParams method. | |
+ | |||
+ | == Create Certificate Bundle == | ||
− | |||
− | |||
Builds a new PEM or PKCS12 file by combining certificate, private key and | Builds a new PEM or PKCS12 file by combining certificate, private key and | ||
intermediate files (in any formats with correct file extension). For servers, | intermediate files (in any formats with correct file extension). For servers, | ||
a bundle file is easier to distribute and load than three separate files. | a bundle file is easier to distribute and load than three separate files. | ||
− | + | ||
− | for the three input files and output file, optional load and save passwords, | + | # CreateCertBundle is a simple function, that requires four full file names for the three input files and output file, optional load and save passwords, and the cipher optionally to encrypt the output file. |
− | and the cipher optionally to encrypt the output file. |
Latest revision as of 17:06, 15 November 2018
The TSslCertTools component is designed to create, read, save and validate X509 SSL/TLS certificates, private keys, certificate signing requests and bundle files.
The main test application for the TSslCertTools component is the OverbyteIcsPemtool sample, which illustrates use of all the methods and properties.
OverbyteIcsPemtool may be used to create the private key and certificate request needed to buy a commercial SSL certificate from a public certificate authority. Once the new SSL certificate has been received from the CA, usually as a PEM file or email, it may be converted into other formats and saved as a single PEM or PKS12 bundle with the original private key making it easier to distribute and install on servers.
Contents
- 1 ICS Cryptography Types
- 2 Create a new private key file
- 3 Create a new certificate signing request from properties
- 4 Create a new certificate signing request from old certificate
- 5 Create new self signed certificate from properties
- 6 Create new CA signed certificate from certificate request
- 7 Convert certificate from one file format to another
- 8 Create New DHParams File
- 9 Create Certificate Bundle
ICS Cryptography Types
ICS message digests or hashes types, note SHA3 and Shake needed OpenSSL 1.1.1 or later:
TEvpDigest = ( Digest_md5, Digest_mdc2, Digest_sha1, Digest_sha224, Digest_sha256, Digest_sha384, Digest_sha512, Digest_ripemd160, Digest_sha3_224, Digest_sha3_256, Digest_sha3_384, Digest_sha3_512, Digest_shake128, Digest_shake256, Digest_None);
ICS private key algorithm and key length in bits types, bracketed comment is security level and effective bits, beware long RSA key lengths increase SSL overhead heavily. Creating new RSA keys is computationally expensive, 4,096 bits a couple of seconds, 7,680 bits maybe a minute, 15,360 bit takes hours. Note RSA PSS keys need OpenSSL 1.1.1 or later.
TSslPrivKeyType = ( PrivKeyRsa1024, { level 1 - 80 bits } PrivKeyRsa2048, { level 2 - 112 bits } PrivKeyRsa3072, { level 3 - 128 bits } PrivKeyRsa4096, { level 3 - 128 bits } PrivKeyRsa7680, { level 4 - 192 bits } PrivKeyRsa15360, { level 5 - 256 bits } PrivKeyECsecp256, { level 3 - 128 bits } PrivKeyECsecp384, { level 4 - 192 bits } PrivKeyECsecp512, { level 5 - 256 bits } PrivKeyEd25519, { level 3 - 128 bits } PrivKeyRsaPss2048, { level 2 - 112 bits } PrivKeyRsaPss3072, { level 3 - 128 bits } PrivKeyRsaPss4096, { level 3 - 128 bits } PrivKeyRsaPss7680, { level 4 - 192 bits } PrivKeyRsaPss15360); { level 5 - 256 bits }
ICS private key file encryption types:
TSslPrivKeyCipher = ( PrivKeyEncNone, PrivKeyEncTripleDES, PrivKeyEncIDEA, PrivKeyEncAES128, PrivKeyEncAES192, PrivKeyEncAES256, PrivKeyEncBlowfish128);
Create a new private key file
A private key is required to create a self signed certificate or a certificate request, and needs to be installed on any SSL servers (never distribute it).
- Set property PrivKeyType (RSA or EC) from TSslPrivKeyType.
- Create keys using DoKeyPair method checking exception for any errors.
- PrivateKey property contains pointer to new private key.
- If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher.
- Save private key to file using PrivateKeySaveToPemFile method with optional password.
- Optionally save public key to file using PublicKeySaveToPemFile method.
Create a new certificate signing request from properties
A certificate signing request (CSR) is needed to buy a commercial SSL certificate from a public certificate authority and most importantly specifies the host domain name or names of the public SSL server it will secure.
- Create a new private key (see above) or load an old key using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods.
- Specify request properties, CommonName (host domain name), Country, State, Locality, Organization, OrgUnit, KeyDigiSign, KeyKeyEnc, etc, as needed.
- Create request using DoCertReqProps method checking exception for any errors.
- X509Req property contains pointer to new request.
- Save request to PEM file using SaveReqToFile method.
- Optionally save request to string using SaveReqToText method.
Create a new certificate signing request from old certificate
This is a shorter way to create a new request when renewing an existing certificate with the same private key.
- Load existing certificate using LoadFromFile or LoadFromText methods.
- Load private key for existing certificate using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods.
- Create request using DoCertReqOld method checking exception for any errors.
- X509Req property contains pointer to new request.
- Save request to PEM file using SaveReqToFile method.
- Optionally save request to string using SaveReqToText method.
Create new self signed certificate from properties
Self signed certificates are mostly used for testing SSL applications on temporary servers, prior to final deployment to a public server with a commercial SSL certificate. Can also used for internal networks. May also be used to create your own CA certificate if you want to sign your own certificates.
- Create a new private key (see above) or load an old key using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods.
- Specify certificate properties, CommonName (host domain name), Country, State, Locality, Organization, OrgUnit, KeyDigiSign, KeyKeyEnc, etc, as needed.
- Select CertDigest (hash) property from TEvpDigest.
- Create certificate using DoSelfSignCert method checking exception for any errors.
- X509 property contains pointer to new certificate.
- If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher.
- Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password.
- Optionally save certificate to string using SaveCertToText method.
Create new CA signed certificate from certificate request
This is how commercial certificate authorities create SSL certificates from a request, signing it with their own CA certificate (root or intermediate) that will be trusted by Windows due to the root already being installed locally. For development, you can create your own CA root certificate and install it in the Windows certificate store of any test computers, then create certificates signed by the root and they will be trusted by Windows without needing to accept security exceptions as happens with self signed certificates.
- The CA certificate and CA private key need to loaded using LoadFromFile and PrivateKeyLoadFromPemFile into X509 and PrivateKey, and these properties assigned to X509CA and PrivKeyCA respectively.
- Load certificate request using LoadReqFromFile.
- Currently the subject certificate properties are taken from the request and can not be edited, extended properties are currently taken from properties, KeyDigiSign, KeyKeyEnc, etc, as needed. This needs more work for flexibility.
- Select CertDigest (hash) property from TEvpDigest.
- Create certificate using DoSignCertReq method checking exception for any errors.
- X509 property contains pointer to new certificate.
- If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher.
- Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password.
- Optionally save certificate to string using SaveCertToText method.
Beware the private key used to create the request must be loaded into PrivateKey property before saving a private key with the certificate, otherwise the CA key may be incorrectly saved.
The TSslX509Certs component includes an Own CA Order Process which create new CA signed certificate with fewer steps, and saves details of certificates created to database, to support transparency and certificate revocation lists.
Convert certificate from one file format to another
- Load existing certificate using LoadFromFile or LoadFromText methods.
- Optionally load private key for existing certificate using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods.
- If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher.
- Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password.
One use for this is to convert base64 DER/PEM certificates into P12/PVX format that can be easily installed into the Windows certificate store.
Create New DHParams File
DHParams contain prime numbers needed to support old DH and DHE ciphers (but not ECDH and ECDHE). Ideally they should be unique per server and/or application and some applications even generate new params each day. But finding prime numbers is time consuming, the shortest 1,024 bits can take up a minute, 2,048 bits several minutes, 4,096 bits a few hours, and gave up with 8,192 bits after two days.
ICS include constants sslDHParams2048 and sslDHParams4096 to save you calculating your own, if you really need to use old DH and DHE ciphers.
- Assign OnKeyProgress event handler with Application.ProcessMessages and optionally a progress indicator so the application remains responsive while calculating DHParams.
- Create DHParams using DoDHParams method passing new file name and number of bits, 768, 1024, 20248, 4096, 8192.
- Optionally save DHParams string returned by DoDHParams method.
Create Certificate Bundle
Builds a new PEM or PKCS12 file by combining certificate, private key and intermediate files (in any formats with correct file extension). For servers, a bundle file is easier to distribute and load than three separate files.
- CreateCertBundle is a simple function, that requires four full file names for the three input files and output file, optional load and save passwords, and the cipher optionally to encrypt the output file.