herpiko/pki.md

## pki.md

      
    Raw
  

              pki.md
            
          
    Membuat sertifikat self-signed

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
Melihat isi sertifikat

openssl x509 -in cert.pem -text
PEM dan DER

openssl x509 –outform der –in cert.pem –out cert.der
openssl x509 –inform der –in cert.der –out cert.pem
Encrypt (PKCS7 EnvelopedData)

openssl smime -encrypt -in hai.txt -outform pem -out encrypted.p7 cert.pem
Decrypt (PKCS7 EnvelopedData)

openssl smime -decrypt -inform pem -in encrypted.p7 -inkey key.pem
Sign (PKCS7 SignedData)

openssl smime -sign -nodetach -in hai.txt -out signed.p7 -outform pem -inkey key.pem -signer cert.pem
Verify (PKCS7 SignedData)

openssl smime -verify -in signed.p7 -inform pem -noverify
Verify sertifikat terhadap CA

openssl verify -CAfile cacert.pem builder.pem
openssl verify -CAfile cacert.pem taskinit.pem
openssl verify -CAfile lets-encrypt-x3-cross-signed.pem panduanblankonlinuxorid.cert
Certificate Authority

Persiapan Root CA


Persiapan,

rm -rf /tmp/ca || true && mkdir /tmp/ca && pushd /tmp/ca && mkdir certs crl newcerts private && touch index.txt.attr && echo 1000 > serial && popd


Unduh berkas konfigurasi untuk root CA,

wget https://gist.githubusercontent.com/herpiko/e949a99864014759cb29e9d42aa15301/raw/a5d7365860d4cc8a400faad5d1da8c172a78e5e6/openssl.cnf -O /tmp/ca/openssl.cnf

Membuat sertifikat Root CA


cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out private/ca.key.pem 4096
Buat cert dari pasangan kunci, openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Periksa, openssl x509 -noout -text -in certs/ca.cert.pem

Persiapan intermediate CA


Persiapan,

rm -rf /tmp/ca/intermediate && mkdir -p /tmp/ca/intermediate || true && pushd /tmp/ca/intermediate && mkdir certs crl csr newcerts private && touch index.txt.attr && echo 1000 > serial


Unduh berkas konfigurasi untuk intermediate CA,

wget https://gist.githubusercontent.com/herpiko/8064026087a87ed0a26fa26796d3059f/raw/c306ae6e985287ee9d1b37ef781c435dea562bf2/openssl.cnf -O /tmp/ca/intermediate/openssl.cnf

Membuat intermediate CA


cd /tmp/ca
Membuat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
Membuat CSR, openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
Tandatangani CSR dengan RootCA, openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
Periksa, openssl x509 -noout -text -in intermediate/\certs/intermediate.cert.pem

Membuat rantai sertifikat (Certificate Chain)


cd /tmp/ca
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > certs/ca.chain.pem

Certificate Revocation List


cd /tmp/ca
Persiapan, echo 1000 > /tmp/ca/intermediate/crlnumber && touch /tmp/ca/intermediate/index.txt.attr
Buat CRL, openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
Periksa CRL yang telah dibuat, openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Buat rantai penuh, cat certs/ca.chain.pem intermediate/crl/intermediate.crl.pem > certs/crl.ca.chain.pem

Membuat sertifikat untuk Budi:


cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/budi.key.pem 2048
Buat CSR, openssl req -config intermediate/openssl.cnf -key intermediate/private/budi.key.pem -new -sha256 -out intermediate/csr/budi.csr.pem
Tandatangani dengan intermediate CA, openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/budi.csr.pem -out intermediate/certs/budi.cert.pem
openssl x509 -noout -text -in intermediate/certs/budi.cert.pem
Verifikasi sertifikat Budi, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/budi.cert.pem

Membuat sertifikat untuk Asep:


cd /tmp/ca
Buat pasangan kunci, openssl genrsa -aes256 -out intermediate/private/asep.key.pem 2048
Buat CSR, openssl req -config intermediate/openssl.cnf -key intermediate/private/asep.key.pem -new -sha256 -out intermediate/csr/asep.csr.pem
Tandatangani dengan intermediate CA, openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/asep.csr.pem -out intermediate/certs/asep.cert.pem
openssl x509 -noout -text -in intermediate/certs/asep.cert.pem
Verifikasi sertifikat Asep, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/asep.cert.pem

Revoke sertifikat milik Budi


cd /tmp/ca
openssl ca -config intermediate/openssl.cnf -revoke intermediate/certs/budi.cert.pem
Generate ulang CRL, openssl ca -config intermediate/openssl.cnf -gencrl -out intermediate/crl/intermediate.crl.pem
Periksa lagi CRL yang telah dibuat, openssl crl -in intermediate/crl/intermediate.crl.pem -noout -text
Buat ulang rantai penuh, cat certs/ca.chain.pem intermediate/crl/intermediate.crl.pem > certs/crl.ca.chain.pem
Verifikasi sertifikat Budi, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/budi.cert.pem

Contoh sertifikat kadaluarsa


Geser waktu mesin ke tahun 2026
Verifikasi ulang sertifikat milik Asep, openssl verify -crl_check -CAfile certs/crl.ca.chain.pem intermediate/certs/asep.cert.pem

Tanda tangan digital pada PDF

TO BE WRITTEN
Reference


Kitab suci, https://tools.ietf.org/html/rfc5280
Kombinasi hasil verifikasi, https://gist.github.com/herpiko/8b63a213ebe418f4a7da95c141513e63
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html