pki-masceng

Membuat sertifikat self-signed

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem

Melihat isi sertifikat

openssl x509 -in cert.pem -text

PEM dan DER

openssl x509 –outform der –in cert.pem –out cert.der

openssl x509 –inform der –in cert.der –out cert.pem

Encrypt (PKCS7 EnvelopedData)

openssl smime -encrypt -in hai.txt -outform pem -out encrypted.p7 cert.pem

Decrypt (PKCS7 EnvelopedData)

openssl smime -decrypt -inform pem -in encrypted.p7 -inkey key.pem

Sign (PKCS7 SignedData)

openssl smime -sign -nodetach -in hai.txt -out signed.p7 -outform pem -inkey key.pem -signer cert.pem

Verify (PKCS7 SignedData)

openssl smime -verify -in signed.p7 -inform pem -noverify

Verify sertifikat terhadap CA

openssl verify -CAfile cacert.pem builder.pem

openssl verify -CAfile cacert.pem taskinit.pem

openssl verify -CAfile lets-encrypt-x3-cross-signed.pem panduanblankonlinuxorid.cert

Certificate Authority

Persiapan Root CA

Persiapan,

rm -rf /tmp/ca || true && mkdir /tmp/ca && pushd /tmp/ca && mkdir certs crl newcerts private && touch index.txt.attr && echo 1000 > serial && popd

Unduh berkas konfigurasi untuk root CA,

wget https://gist.githubusercontent.com/herpiko/e949a99864014759cb29e9d42aa15301/raw/a5d7365860d4cc8a400faad5d1da8c172a78e5e6/openssl.cnf -O /tmp/ca/openssl.cnf

Membuat sertifikat Root CA

cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out private/ca.key.pem 4096
Buat cert dari pasangan kunci, openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Periksa, openssl x509 -noout -text -in certs/ca.cert.pem

Persiapan intermediate CA

Persiapan,

rm -rf /tmp/ca/intermediate && mkdir -p /tmp/ca/intermediate || true && pushd /tmp/ca/intermediate && mkdir certs crl csr newcerts private && touch index.txt.attr && echo 1000 > serial

Unduh berkas konfigurasi untuk intermediate CA,

wget https://gist.githubusercontent.com/herpiko/8064026087a87ed0a26fa26796d3059f/raw/c306ae6e985287ee9d1b37ef781c435dea562bf2/openssl.cnf -O /tmp/ca/intermediate/openssl.cnf

Membuat intermediate CA

cd /tmp/ca
Membuat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
Membuat CSR, openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
Tandatangani CSR dengan RootCA, openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
Periksa, openssl x509 -noout -text -in intermediate/\certs/intermediate.cert.pem

Membuat rantai sertifikat (Certificate Chain)

cd /tmp/ca
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > certs/ca.chain.pem

Certificate Revocation List

cd /tmp/ca
Persiapan, echo 1000 > /tmp/ca/intermediate/crlnumber && touch /tmp/ca/intermediate/index.txt.attr
Buat CRL, openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
Periksa CRL yang telah dibuat, openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Buat rantai penuh, cat certs/ca.chain.pem intermediate/crl/intermediate.crl.pem > certs/crl.ca.chain.pem

Membuat sertifikat untuk Budi:

cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/budi.key.pem 2048
Buat CSR, openssl req -config intermediate/openssl.cnf -key intermediate/private/budi.key.pem -new -sha256 -out intermediate/csr/budi.csr.pem
Tandatangani dengan intermediate CA, openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/budi.csr.pem -out intermediate/certs/budi.cert.pem
openssl x509 -noout -text -in intermediate/certs/budi.cert.pem
Verifikasi sertifikat Budi, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/budi.cert.pem
Bungkus dalam P12, openssl pkcs12 -export -out intermediate/certs/budi.p12 -inkey intermediate/private/budi.key.pem -in intermediate/certs/budi.cert.pem

Membuat sertifikat untuk Asep:

cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/asep.key.pem 2048
Buat CSR, openssl req -config intermediate/openssl.cnf -key intermediate/private/asep.key.pem -new -sha256 -out intermediate/csr/asep.csr.pem
Tandatangani dengan intermediate CA, openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/asep.csr.pem -out intermediate/certs/asep.cert.pem
openssl x509 -noout -text -in intermediate/certs/asep.cert.pem
Verifikasi sertifikat Asep, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/asep.cert.pem
Bungkus dalam P12, openssl pkcs12 -export -out intermediate/certs/asep.p12 -inkey intermediate/private/asep.key.pem -in intermediate/certs/asep.cert.pem

Revoke sertifikat milik Budi

cd /tmp/ca
openssl ca -config intermediate/openssl.cnf -revoke intermediate/certs/budi.cert.pem
Generate ulang CRL, openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
Periksa lagi CRL yang telah dibuat, openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Buat ulang rantai penuh, cat certs/ca.chain.pem intermediate/crl/intermediate.crl.pem > certs/crl.ca.chain.pem
Verifikasi sertifikat Budi, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/budi.cert.pem

Contoh sertifikat kadaluarsa

Geser waktu mesin ke tahun 2026
Verifikasi ulang sertifikat milik Asep, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/asep.cert.pem

Tanda tangan digital pada PDF

https://github.com/herpiko/pkiwebsdk-pdfsigner-playground

herpiko/pki-draft-for-masceng.md