Guide to generate private/public keys and verify certificates

FIPS partially-based guide.txt

Generate public/private key using FIPS 186-4, and FIPS 180-4. Using:
-   Accepted hash function (i.e. SHA512)
-   RSA with 2048 bits
-   Strong private key password.
-   Valid Certificate issued by a valid CA.

env OPENSSL_FIPS=1 openssl genrsa -aes128 -passout pass:<password> -out private.pem 2048
env OPENSSL_FIPS=1 openssl rsa -in private.pem -passin pass:<password> -pubout -out public.pem

    > Generated Files: private.pem, public.pem

env OPENSSL_FIPS=1 openssl rsa -in private.pem -check
env OPENSSL_FIPS=1 openssl rsa -noout -modulus -in private.pem | openssl md5

> Confirm encryption used for Private Key
env OPENSSL_FIPS=1 openssl asn1parse -in private.pem | grep OBJECT
> or use
> cat private.pem | grep DEK-Info
> If the file has the DEK-info on it in plain text.

env OPENSSL_FIPS=1 openssl req -out csr.csr -key private.pem -new
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Diego
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:TEST COMPANY LLC
    Organizational Unit Name (eg, section) []:Software Development
    Common Name (e.g. server FQDN or YOUR name) []:TEST COMPANY LLC
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:TEST COMPANY LLC

    > Generated File: csr.csr

env OPENSSL_FIPS=1 openssl req -text -noout -verify -in csr.csr

    > Proceed to Request a certificate

        > Example self-signed certificate using CSR and Existing Private Key:
        env OPENSSL_FIPS=1 openssl x509 -in csr.csr -out self-signed-certificate.pem -req -signkey private.pem -days 365

    > Once the certificate is available, proceed to check it:

env OPENSSL_FIPS=1 openssl x509 -noout -modulus -in certificate.pem | openssl md5

    > If needed, to get the pure non=-encrypted private key, use
    env OPENSSL_FIPS=1 openssl rsa -in private.pem -out key.pem

> To verify a physical certificate, there are many options:
    
    > Using OCSP (Online Certificate Status Protocol):

        > Get the intermediate / issuer certificate(s) URL. Download it using wget or curl. Not all certificates have this URL available.
        env OPENSSL_FIPS=1 openssl x509 -in certificate.pem -text | grep "CA Issuers"

        > Make sure the intermedioate certificate is in PEM format. You can convert it like this:
        openssl x509 -inform der -in issuer.crt -out issuer.pem

        > Get the OCSP URI and dates for the certificate
        env OPENSSL_FIPS=1 openssl x509 -dates -ocsp_uri -noout -in certificate.pem

        > Using the found OCSP URL, validate the certificate, taking into account the issuer certificate.
        env OPENSSL_FIPS=1 openssl ocsp -no_nonce -issuer issuer.pem -cert certificate.pem -url http://ocsp.theurloftheocsp.com -VAfile issuer.pem

    > Using CRL (Certificate Revocation List):

        > Get the CRL for the certificate. There may be many, or none. Download the CRL file(s) using CURL or WGET.
        env OPENSSL_FIPS=1 openssl x509 -in certificate.pem -noout -text | grep crl

        > Find the Serial number of the certificate to check
        env OPENSSL_FIPS=1 openssl x509 -in certificate.pem -noout -serial

        > Check if the serial number is INSIDE any of the downloaded CRL files. If GREP returns output, it means the serial number was found in the revocation list.
        env OPENSSL_FIPS=1 openssl crl -inform DER -text -in crlfile.crl | grep AABBD6CF7E84F8E11AA7710D48818DD7