Under Construction

Creating a self-signed Certificate with “trustchk -k”

The easiest way to generate a private key and an associated certificate file is to use trustchk with the “-k” option. The “-s” (signing key) option specifies the location for the private key, and the “-v” (verification certificate) option specifies the location for the self-signed certificate:

# trustchk -k -s privkey_pwrcmps -v cert_pwrcmps
Enter the passphrase to protect key file: XXXXXXXX
#

By default, a passphrase must be assigned to protect the private key file. However, it is also possible to generate a private key without a passphrase by specifying the “-N” (no passphrase) option:

# trustchk -k -s privkey_pwrcmps -v cert_pwrcmps -N
#

The private key and certificate are stored in the locations specified by “-s” and “-v”:

$ ls -l
total 16
-rwsr-xr--    1 root     system          454 Mar 24 18:14 cert_pwrcmps*
-rwsr-x--x    1 root     system          636 Mar 24 18:14 privkey_pwrcmps*
$

Note: We strongly recommend using a passphrase! If an attacker obtains the private key file, it cannot be used to sign files without the passphrase.

The certificate can be displayed using the OpenSSL x509 command:

# openssl x509 -noout -text -in cert_pwrcmps
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1650681394 (0x62636632)
        Signature Algorithm: rsaEncryption
        Issuer: OU = root, OU = aixe03
        Validity
            Not Before: May  8 00:00:00 2006 GMT
            Not After : May  8 00:00:00 2016 GMT
        Subject: OU = root, OU = aixe03
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a2:0e:17:99:e7:ed:dc:ef:72:83:db:b4:e2:9f:
                    48:7e:72:fe:e2:d0:1f:8e:3b:66:cc:01:5a:b0:74:
                    e8:19:39:04:7c:08:7f:36:df:71:a4:75:f9:a9:22:
                    ce:9f:89:70:a2:46:c2:61:49:ce:0b:63:49:f8:c8:
                    4a:e1:fd:43:de:1b:22:f9:c6:50:44:45:c6:29:57:
                    7d:d7:10:f1:5c:f9:1b:4c:74:67:38:6d:26:81:96:
                    dc:01:41:eb:68:13:16:21:88:64:de:f2:52:a6:7e:
                    df:61:27:00:a0:9c:76:cc:e3:40:2a:45:61:61:4a:
                    01:f2:d1:e1:f6:7f:5e:46:03
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        88:19:da:50:9a:60:a8:80:2b:b4:fc:fd:c2:17:cd:80:c0:63:
        c4:72:50:b6:9a:8f:02:9e:8a:93:8f:75:20:e6:08:a0:91:14:
        8d:7c:fb:03:b6:60:74:10:b2:e4:86:2b:f3:b0:06:d0:9c:18:
        e6:0a:42:c4:eb:94:ff:51:ee:02:f2:b9:de:b7:43:5d:3b:70:
        e8:96:39:01:b0:66:30:46:dd:0b:75:19:d2:23:e3:f0:32:24:
        34:a2:21:6b:21:c1:2e:ab:b0:ef:c9:8b:3c:74:d3:72:9e:30:
        28:63:84:8b:0d:ba:67:26:df:ce:cb:b5:0d:54:dd:e3:9d:c2:
        26:09
#

The generated certificate is automatically stored by trustchk in /etc/security/certificates. The file name is the hexadecimal serial number (here 0x62636632) without the “0x” prefix:

# ls -l /etc/security/certificates/62636632
--wS--s---    1 root     system          454 Mar 24 18:14 /etc/security/certificates/62636632
#

By default, the username and host name are used as the issuer and subject. If you want to use your own information, you can do so using the “-D” (distinguished name) option:

# trustchk -k -s privkey_pwrcmps -v cert_pwrcmps -D "C=DE,ST=Bavaria,L=Munich,O=PowerCampus 01,OU=Dev"
Enter the passphrase to protect key file: XXXXXXXX
#

The certificate then contains the following information:

# openssl x509 -noout -text -in cert_pwrcmps
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 912418356 (0x36626634)
        Signature Algorithm: rsaEncryption
        Issuer: C = DE, ST = Bavaria, L = Munich, O = PowerCampus 01, OU = Dev
        Validity
            Not Before: May  8 00:00:00 2006 GMT
            Not After : May  8 00:00:00 2016 GMT
        Subject: C = DE, ST = Bavaria, L = Munich, O = PowerCampus 01, OU = Dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ad:dd:93:eb:13:56:66:08:c1:e1:ce:39:30:83:
                    be:f6:ee:ee:93:8f:c7:70:ea:3f:f2:10:44:77:2b:
                    c8:45:96:82:9f:8c:0e:b3:80:10:4a:eb:02:24:79:
                    20:df:ee:06:7c:9c:24:9f:c3:82:4f:3d:e5:52:34:
                    d5:bc:0f:f6:f7:0b:ab:e1:a1:97:a9:4c:dc:84:fd:
                    01:a3:f3:d5:c3:31:f0:9b:2f:30:a9:c4:fe:23:ef:
                    c8:28:cd:26:74:33:01:ce:ed:b3:ce:a9:cd:69:99:
                    b3:95:94:e8:ed:58:e8:6d:e4:0b:27:df:81:83:d0:
                    0a:39:f9:1d:6b:f8:8f:20:3d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        97:76:9d:1a:18:af:6f:25:7e:51:a7:50:8f:9c:79:5e:6f:09:
        25:df:40:2d:18:41:8a:ac:ea:ce:81:42:96:f9:fa:d0:30:78:
        62:23:99:0e:27:71:fa:35:90:34:46:93:05:a3:2e:fe:15:94:
        00:39:af:c7:f8:ab:93:9d:1a:40:8d:98:0b:4d:e4:65:90:44:
        8d:be:10:63:7f:95:6d:2f:02:d4:7e:c6:89:7a:a3:ba:8d:8c:
        1c:52:be:91:24:94:3b:e6:a7:78:99:cc:68:04:a9:bf:f1:65:
        95:ba:63:d0:d3:a4:f9:15:49:c2:f8:9c:89:26:39:54:d8:04:
        bc:4f
#

The generated private key and certificate can then be used to sign your own files and to enter those signatures into the TSD (Trusted Signature Database).
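Before a freshly generated pair is used for signing, it is worth checking that the key is actually passphrase-protected, that its file mode does not expose it to other users, and that the copy trustchk placed in /etc/security/certificates matches the certificate file. The POSIX shell script below is an added example, not part of the original page or of AIX; it assumes the private key is a PEM file in the layout OpenSSL writes (an encrypted key carries a "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY" header), that the store copy is named by the lowercase hex serial without "0x" as shown above, and that openssl is on the PATH for the store comparison.

```shell
#!/bin/sh
# Added example, not from the original page: post-generation checks for a key
# and certificate pair produced by "trustchk -k". Assumptions: the key is a PEM
# file in the layout OpenSSL writes (an encrypted key carries a
# "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY" header), and the
# store copy is named by the lowercase hex serial without "0x", as shown above.
CERT_STORE=/etc/security/certificates

# Hex serial (no "0x") from an "openssl x509 -text" dump, e.g. "(0x62636632)".
serial_from_text() {
    sed -n 's/.*Serial Number:.*(0x\([0-9a-fA-F]*\)).*/\1/p' | tr 'A-F' 'a-f'
}

# Hex serial from "openssl x509 -serial -noout" output ("serial=62636632").
serial_from_short() {
    sed -n 's/^serial=\([0-9A-Fa-f]*\)$/\1/p' | tr 'A-F' 'a-f'
}

# 0 if the PEM private key is passphrase-protected, 1 otherwise.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# 0 if an "ls -l" mode string grants neither read nor write to group/other
# ("-rw-------" passes, "-rwsr-x--x" fails).
mode_is_private() {
    case "$(printf '%s' "$1" | cut -c5-10)" in
        *r*|*w*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Confirm that the copy trustchk placed in CERT_STORE is byte-identical to the
# certificate file given; prints the store path on success. Needs openssl.
check_store_copy() {
    serial=$(openssl x509 -noout -serial -in "$1" | serial_from_short)
    [ -n "$serial" ] || { echo "no serial found in $1" >&2; return 1; }
    stored="$CERT_STORE/$serial"
    [ -f "$stored" ] || { echo "missing $stored" >&2; return 1; }
    cmp -s "$1" "$stored" || { echo "$stored differs from $1" >&2; return 1; }
    echo "$stored"
}

# Demo on constructed input taken from the dumps above (runs without AIX).
printf '        Serial Number: 1650681394 (0x62636632)\n' | serial_from_text  # 62636632
if mode_is_private "-rwsr-x--x"; then echo "key mode ok"; else echo "key is readable by group/other"; fi
```

On the host, run `check_store_copy cert_pwrcmps`, `key_is_encrypted privkey_pwrcmps` and `mode_is_private "$(ls -l privkey_pwrcmps | cut -c1-10)"` against the files produced by trustchk.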