Development¶
Setup demo¶
You can set up a demo using dev.py init-demo
. First create a minimal
localsettings.py
file (in ca/ca/localsettings.py
):
DEBUG = True
SECRET_KEY = "whatever"
And then simply run python dev.py init-demo
from the root directory of your project.
Development web server via SSL¶
To test a certificate in your web server, first install stunnel4, in Debian/Ubuntu simply do:
$ sudo apt update
$ sudo apt install stunnel4
the root certificate authority in your browser, then run stunnel4
and manage.py runserver
in two
separate shells:
$ stunnel4 .stunnel4.conf
There is also a second configuration file using a revoked certificate. If you use it, browsers will display an error:
$ stunnel4 .stunnel4-revoked.conf
You can now start your development web server normally:
$ DJANGO_SETTINGS_MODULE=ca.demosettings python manage.py runserver
… and visit https://localhost:8443.
Run test-suite¶
To run the test-suite, simply execute:
$ python dev.py test
… or just run some of the tests:
$ python dev.py test --suite=tests_command_dump_crl
To generate a coverage report:
$ python dev.py coverage
Useful OpenSSL commands¶
Verification¶
Verify a certificate signed by a root CA (cert.crt
could also be an intermediate CA):
$ openssl verify -CAfile ca.crt cert.crt
If you have an intermediate CA:
$ cat child.pem root.pem > cafile.pem
$ openssl verify -CAfile cafile.pem cert.crt
Verify that a certificate belongs to a certain private key by matching the checksum:
$ openssl x509 -noout -modulus -in cert.pem | openssl sha1
$ openssl rsa -noout -modulus -in cert.key | openssl sha1
CRLs¶
Convert a CRL to text on stdout:
$ openssl crl -inform der -in crl.der -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = Intermediate CA
Last Update: Dec 28 14:10:04 2020 GMT
Next Update: Dec 29 14:10:04 2020 GMT
...
$ openssl crl -inform pem -in crl.pem -noout -text
...
Convert a CRL to PEM to a file:
$ openssl crl -inform der -in crl.der -outform pem -out crl.pem
Verify a certificate using a CRL (requires CRL in PEM format):
$ openssl verify -CAfile cabundle.pem -crl_check -CRLfile crl.pem cert.pem
cert.pem: OK
Verify CRL by automatically downloading the CRL:
$ openssl verify -CAfile cabundle.pem -crl_check -crl_download cert.pem
cert.pem: OK
OCSP¶
Get the OCSP responder URL from the certificate (openssl cannot get it from the cert like with
verify -crl_download
):
$ openssl x509 -in cert.pem -noout -text | grep -i ocsp
OCSP - URI:http://ca.example.com/django_ca/ocsp/4E9D186B93AB38FBB8FA36BE4AC28098A1AA2647/cert/
Verify a certificate using OCSP:
$ openssl ocsp -CAfile root.pem -issuer child.pem -cert cert.pem \
> -url http://... -text
...
Response verify OK
cert.pem: good
This Update: Dec 28 14:34:28 2020 GMT
Next Update: Dec 28 15:34:28 2020 GMT
For Let’s Encrypt, the following command can be used, with full-chain.pem
being the full certificate
chain, intermediate.pem
being the cert that directly signed the certificate and cert.pem
being the
server certificate:
$ openssl ocsp -CAfile full-chain.pem -issuer intermediate.pem -cert cert.pem -url http://r3.o.lencr.org/ \
> -resp_text -req_text -no_nonce
Conversion¶
Convert a PEM formatted public key to DER:
$ openssl x509 -in pub.pem -outform der -out pub.der
Convert a PEM formatted private key to DER:
$ openssl rsa -in priv.pem -outform der -out priv.der
Convert a PKCS#7 file to PEM (Let’s Encrypt CA Issuer field) (see also pkcs7.1ssl):
$ openssl pkcs7 -inform der -in letsencrypt.p7c -print_certs -outform pem -out letsencrypt.pem