Parsing a certificate and displaying the details

    openssl x509 -noout -text -in cert.pem

or at an even lower level, using dumpasn1:
Getting the modulus (unique public key identifier) of a certificate or private key

If both match, then the private key and certificate correspond to each
Generating a self-signed certificate and matching private key for tests

    openssl req -x509 -nodes -new -newkey rsa:1024 -keyout key.pem -out cert.pem

The resulting key.pem and cert.pem files can be used directly for a network server, or to build a toy CA.
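As an added example (not from the Crypt::OpenSSL::CA documentation itself), the shell script below puts the commands of the three sections above together: it generates a throwaway key pair and self-signed certificate, prints the certificate fields one usually looks at first, and compares the RSA modulus of the certificate with that of the private key, which is the check the modulus section describes. The subject name and file names are constructed placeholders; the script assumes an OpenSSL 1.1.0 or later command line and uses a 2048-bit key rather than the 1024-bit one of the one-liner above.

```shell
#!/bin/sh
# Added example, not from the Crypt::OpenSSL::CA documentation: generate a
# throwaway key and self-signed certificate, display the certificate, and
# check that a certificate and a private key share the same RSA modulus.
# The subject below is a constructed placeholder.
set -eu

# make_self_signed DIR: writes DIR/key.pem (unencrypted, 2048-bit RSA) and
# DIR/cert.pem, valid for one day; -subj avoids the interactive DN prompts.
make_self_signed() {
  openssl req -x509 -nodes -new -newkey rsa:2048 -days 1 \
    -subj "/CN=self-signed test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_modulus FILE and key_modulus FILE both print one line "Modulus=<hex>".
cert_modulus() { openssl x509 -noout -modulus -in "$1"; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1"; }

# modulus_fingerprint KIND FILE: SHA-256 of the modulus line (KIND is "cert"
# or "key"), short enough to compare by eye or paste into a ticket.
modulus_fingerprint() {
  "$1_modulus" "$2" | openssl dgst -sha256 | sed 's/.*= //'
}

# keys_match CERT KEY: exit 0 when the two moduli are identical, 1 otherwise.
keys_match() {
  [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

# cert_summary FILE: the parts of `openssl x509 -text` one looks at first.
cert_summary() {
  openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Run as `sh this-script.sh demo` to see the whole flow on fresh material.
if [ "${1:-}" = demo ]; then
  D=$(mktemp -d)
  make_self_signed "$D"
  cert_summary "$D/cert.pem"
  echo "cert modulus sha256: $(modulus_fingerprint cert "$D/cert.pem")"
  echo "key  modulus sha256: $(modulus_fingerprint key  "$D/key.pem")"
  keys_match "$D/cert.pem" "$D/key.pem" && echo "key and certificate belong together"
fi
```

Comparing a digest of the modulus rather than the modulus itself is only a convenience for humans; keys_match compares the full value, which is what a script should do.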
Building a toy CA

Under distros that sport a cooperative openssl.cnf (this was tested on Ubuntu Edgy, your mileage may vary):
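Since the toy-CA recipe above assumes a cooperative system openssl.cnf, here is an added example (not from the Crypt::OpenSSL::CA documentation) of a toy CA that gets by without one: the root's extensions come from a small config file the script writes itself, and issuing uses `openssl x509 -req` with an extfile instead of `openssl ca`, so there is no CA database to set up. The certificate subjects, the DNS name and the file names are constructed placeholders; the script assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the Crypt::OpenSSL::CA documentation: a toy CA that
# issues one server certificate with `openssl x509 -req` instead of `openssl ca`,
# so it needs neither the ca database nor any section of the system openssl.cnf.
# Subjects, the DNS name and file names are constructed placeholders.
set -eu

# write_ca_config DIR: minimal req config for the root (no prompts, explicit
# CA extensions), so the result does not depend on the distro's openssl.cnf.
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = ca_dn
x509_extensions     = ca_ext

[ ca_dn ]
CN = Toy Root CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed root DIR/ca.pem with unencrypted key DIR/ca.key.
make_ca() {
  write_ca_config "$1"
  openssl req -x509 -nodes -new -newkey rsa:2048 -days 2 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_csr DIR NAME: end-entity key DIR/NAME.key and request DIR/NAME.csr.
make_csr() {
  openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# issue DIR NAME: sign DIR/NAME.csr with the root. The extensions come from an
# extfile written here, never from the request: a CSR is untrusted input and
# must not be allowed to ask for CA:TRUE or an arbitrary subjectAltName.
issue() {
  {
    echo "basicConstraints       = critical, CA:FALSE"
    echo "keyUsage               = critical, digitalSignature, keyEncipherment"
    echo "extendedKeyUsage       = serverAuth"
    echo "subjectAltName         = DNS:$2"
    echo "subjectKeyIdentifier   = hash"
    echo "authorityKeyIdentifier = keyid"
  } > "$1/$2.ext"
  openssl x509 -req -sha256 -days 1 -in "$1/$2.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# verify_chain CA CERT: exit 0 iff CERT chains to CA and CA is usable as one.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# dn FIELD FILE: the subject or issuer DN without its "subject="/"issuer=" prefix.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*=//'; }

# is_ca FILE: exit 0 iff the certificate carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# Run as `sh this-script.sh demo` to build a root and issue one certificate.
if [ "${1:-}" = demo ]; then
  D=$(mktemp -d)
  make_ca "$D"; make_csr "$D" www.example.test; issue "$D" www.example.test
  echo "issuer of www.example.test: $(dn issuer "$D/www.example.test.pem")"
  verify_chain "$D/ca.pem" "$D/www.example.test.pem" && echo "chain OK"
fi
```

The root's serial file (ca.srl, created by -CAcreateserial) is the only state this toy CA keeps; a real CA also needs a certificate database and CRL issuance, which is what the openssl ca subcommand and its openssl.cnf sections provide.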
Any serious work towards contributing to Crypt::OpenSSL::CA requires promiscuity with OpenSSL's code base. I suggest reading and understanding demos/mkcert.c and apps/ca.c first, then comparing and contrasting them with the XS code in Crypt::OpenSSL::CA, which does roughly the same thing in a simpler and more modular way. Seasoned programmers will find the OpenSSL man pages of some limited help, and the command

    grep -r some_identifier /usr/include/openssl

to come in handy more often than not.

There is a succinct overview of OpenSSL's whole API in a file named doc/openssl.txt, to be found either in OpenSSL's source or possibly in the documentation directory of your distribution's openssl package (YMMV).
dumpasn1

A tool to debug ASN.1 (see Crypt::OpenSSL::CA::AlphabetSoup) data structures, more fault-tolerant than the openssl asn1parse command (see OpenSSL). Available on Peter Gutmann's site and as a Debian package.
<http://www.cs.auckland.ac.nz/~pgut001/> contains more crypto- and security-related stuff, and is always a pleasure to waste office time reading from.
<http://www.alvestrand.no/objectid/> and <http://oid.elibel.tm.fr/> are both databases of OIDs (see Crypt::OpenSSL::CA::AlphabetSoup) that together contain pretty much all OIDs known to mankind. The latter sports a search engine.
The RFCs and other standards describing PKIX (the X509 PKI) are, in suggested reading order:
RFC4210
    Basics, security model, definition of the entities (EE, RA, CA), format of messages between these entities (that nobody in his right mind would bother to implement in this contrived way).

RFC4514
    Distinguished Names (DN, see Crypt::OpenSSL::CA::AlphabetSoup).

RFC3280
    Certificate and CRL formats, extensions in certificates, certificate validation algorithm.

RFC3279
    How one should set the keyUsage bits in an X509 certificate.

PKCS10
    Certificate request file format - one of the most popular ones (the great thing about standards, as the saying goes, is that there are so many to choose from...).

SPKAC
    The other certificate request file format of importance to an Internet PKIX deployment (<http://wp.netscape.com/eng/security/ca-interface.html>). Used by all browsers of the Netscape family.

<http://wp.netscape.com/eng/security/comm4-cert-exts.html>
    The specification of the Netscape certificate type X509v3 extension. Mostly obsolete, but it does make your certificates all that more christmas-treeish.

PKCS12
    A transport and backup format for X509 key material. Allows for bundling a user's certificate, its matching private key (password-protected), and the chain of CA certificates and CRLs that certify the user's certificate, all into a single binary blob.

RFC2560
    OCSP (see Crypt::OpenSSL::CA::AlphabetSoup).

RFC3739
    Qualified certificates.
perl v5.20.3                    CRYPT::OPENSSL::CA::RESOURCES(3)                    2016-04-03