OpenSSL

 
 
The OpenSSL Project has developed a open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security TLS (v1) protocols as well as a full-strength general purpose cryptography library.

OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

The OpenSSL toolkit can be used to generate the keys that a web server (e.g. Apache) needs to encrypt the data sent between the client (browser) and the web server.
A simple overview of this process can be found here below:
  • A client browser connects to the Apache HTTP server via a Web request.

  • The browser asks to start a secure session with the server.

  • The server returns the site's certificate (= mobilefish.com_cert.pem) which also includes the server public key.

  • The browser analyzes the certificate and informs the user about its validity (e.g., was it issued by a recognized, trusted certificate authority?).

  • The browser creates a session key, which is encrypted with the server's public key, which is then sent to the server. This public or asymmetric key is generally 1024 bits. Much stronger public keys of 2048 bits could be provided but, perhaps for performance reasons, these are not in general use.

  • The server then decrypts this information using its private key (mobilefish.com_key.pem).

  • Both the browser and the server now are using the same session key. This is a symmetric key used to encrypt and decrypt data exchanged by the browser and server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit session is established even if your Web server supports 128-bit sessions.

More information about the OpenSSL Project can be found at:
http://www.openssl.org

The latest OpenSSL version (no binary distributions) can be downloaded from:
http://www.openssl.org/source/

Links to OpenSSL binary distributions can be found at:
http://www.openssl.org/related/binaries.html







Encoding



BER

BER (Basic Encoding Rules) is an encoding rule which can be used for certificates and keys.

This encoding rule describes how the values defined in ASN.1 should be encoded for transmission, regardless of machine, programming language, or how it is represented in an application program.



DER

Distinguished Encoding Rules (DER) is an encoding rule which can be used for private keys, public keys and certificates.

It is the default format for most browsers, and is stored according to the ASN.1 DER format. It is headerless - PEM is text header wrapped DER.

A DER (.der) format file contains binary data which is non readable.



PEM

Is is an IETF standard to provide data confidentiality, data integrity, and data origin authentication for electronic mail.

PEM encrypts messages with DES in CBC mode, provides key distribution of DES keys by encrypting them with RSA, and signs messages with RSA over either MD2 or MD5. To establish ownership of public keys, PEM uses a certification hierarchy, with X.509 public-key certificates and X.509 CRLs that are signed with RSA and MD2.

PEM is designed to be compatible with a wide range of key management methods, but is limited to specifying security services only for text messages and has not been widely implemented in the Internet.

In short PEM can contain all of private keys (RSA and DSA), public keys (RSA and DSA) and (x509) certificates. It stores data Base64 encoded DER format, surrounded by ASCII headers, so is suitable for text mode transfers between systems.

A PEM(.pem) format file contains ASCII data (= base64 PEM encoding ).

A PEM - .pem format digital certificate begins and ends with the following lines, respectively:

-----BEGIN CERTIFICATE-----
:
-----END CERTIFICATE-----


A PEM - .pem format private key file begins and ends with the following lines, respectively:

-----BEGIN ENCRYPTED PRIVATE KEY-----
:
-----END ENCRYPTED PRIVATE KEY-----






PKCS#12

Public Key Cryptography Standards #12 (PKCS#12) can contain all private keys, public keys, and certificates. It stores in a binary format, and is also known as PFX files.

Browsers usually requires this format to load certificates.



Cerfificate formats

For certificates, the available formats are PEM, DER and PKCS12 with file names of the following type:
  • cert.pem (PEM)

  • cert.der (DER)

  • cert.p12 (PKCS12)


X.509

X.509 is a standard specifying the contents of a digital certificates.
A certificate is a document, issued by a trusted agent, stating that the public key of the person named in the document has a certain value. You are most likely to encounter certificates when you use a web browser. The ITU-T X.509 Recommendation specifies a certificate using ASN.1 and encodes it using DER.

For more information, see: http://asn1.elibel.tm.fr/en/biblio/etsi-M_COMM-Domain_certificate_chains-07072001.htm



Private key formats

Private keys are usually available in the PEM and DER format.
The related files have names of the following type:
  • key.pem (PEM)

  • key.der (DER)
Note: For Java applications, the DER format might be more suitable for importing the private key and certificates.