This document provides a comprehensive guide on installing and using OpenSSL for creating and managing PKI certificates, detailing procedures for generating certificate authorities and signing requests. It covers command-line instructions for different cryptographic functions and highlights the importance of public/private key pairs and certificate authorities in SSL security. Additionally, it includes examples of using MS Crypto API to create and manage certificates, along with regex test examples for email and phone number extraction.

1. OpenSSL &
MS Cryptography Service
Provider
PKI Certificates with MS Crypto API & OpenSSL
Max Kleiner, 2017

2. Start with OpenSSL
 The Secure Socket Layer protocol was created by
Netscape to ensure secure transactions between web
servers and browsers. The protocol uses a third party, a
Certificate Authority (CA), to identify one end or both
end of the transactions. This is in short how it works.
http://www.softwareschule.ch/download/maxbox_starter47.pdf
The encryption using a private key/public key pair ensures
that the data can be encrypted by one key but can only be
decrypted by the other key. The trick in a key pair is to
keep one key secret (private key) and to distribute the other
key (public key) to everybody.
2

3. Install OpenSSL
 Nowadays, you do not have to worry too much about
installing OpenSSL: most distributions use package
management applications (see next).
www.softwareschule.ch/maxbox.htm
https://www.openssl.org/
The directory for all OpenSSL certificates is /var/ssl/.
OpenSSL by default looks for a configuration file
in /usr/lib/ssl/openssl.cnf so always add −config
/etc/openssl.cnf to the commands openssl ca or
openssl req for instance.
3
maXboxDelphiSystem

4. THE COMMAND TOOL
OpenSSL includes a command line utility openssl.exe that
can be used to perform a variety of cryptography functions
like generating your machine certificate in [/CERT].
 The libraries have no noteworthy dependencies just copy
both DLL files into your application directory
 libeay32.dll / ssleay32.dll
Get the SLL binary download Package:
 https://indy.fulgan.com/SSL/openssl-1.0.2l-i386-
win32.zip
4

5. Create the Certification Authority
 To create a certification authority, use the following
commands after correctly editing openssl.cnf and open
openssl.exe of OpenSSL v1.0.2l:
 CA.pl −newca
The utility will ask you to select a certificate
file to act as you CA certificate or you are
prompted to create one. Follow the steps to
create one as exercise.
5
maXboxDelphiSystem

6. Create a Root Certification CA (selfsigned)
 First set a const space:
Const
OpenSSLPath='..pki2017openssl-1.0.2l-i386-win32';
2. Create the Root CA (private key pair)
ExecuteShell(OpenSSLPath+'openssl.exe',
'genrsa -des3 -out
'+OpenSSLPath+'./certs/CA_pvkmX42.pem 2048')
3. Check the key pair
rsa -in .certs3CA_pvkmX42.pem -check
6

7. We sign with private key to make a certificate
of our CA
 4. We generate CA_Cert with signing of private to make a
certificate of CA
ExecuteShell(OpenSSLPath+'openssl.exe',
'req -new -x509 -days 900 -key
'+OpenSSLPath+'./certs/CA_pvkmX42.pem -out
'+OpenSSLPath+'./certs/CA_crt.pem -config
'+OpenSSLPath+'./openssl.cnf')
//}
5. Check the key cert
rsa -in .certs3CA_crt.pem -check
7

8. Create a Host Cert key pair
 Second we need the host private key
6. Create the Host (private key pair)
ExecuteShell(OpenSSLPath+'openssl.exe',
'genrsa -des3 -out
'+OpenSSLPath+'./certs/host_pvkmX42.pem 2048')
7. Check the key
rsa -in .certshost_pvkmX42.pem -check
8

9. Create a Host Cert Request
 We sign the host private from the CA (machine
certificate) and generate and sign a certificate request
 8. Create the Host csr cert sign request
ExecuteShell(OpenSSLPath+'openssl.exe',
'req -new -key
'+OpenSSLPath+'./certs/host_pvkmX42.pem -out
'+OpenSSLPath+'./certs/host_csr.pem -config
'+OpenSSLPath+'./openssl.cnf')
Enter a Common Name (CN) the main usage of the certificate for instance www.max.org if
you want to secure the website www.max.org, or enter max@max.org if you want to use to
secure the e−mails
9

10. Sign and create the Host Cert
 We let sign the host private request (machine certificate)
and out is the wanted host_crt.pem
 9. Create the Host Cert as a web certificate
ExecuteShell(OpenSSLPath+'openssl.exe',
'ca -out
'+OpenSSLPath+'./certs/host_crt.pem -in
'+OpenSSLPath+'./certs/host_csr.pem -cert
'+OpenSSLPath+'./certs/CA_crt.pem -keyfile
'+OpenSSLPath+'./certs/CA_pvkmX42.pem -config
'+OpenSSLPath+'./openssl.cnf')
10

11. Verify CA and Host Cert
 10. we verify the cert's chain
ExecuteShell(OpenSSLPath+'openssl.exe',
'verify -verbose -CAfile certs/CA_crt.pem
-CApath certs certs/host_pvkmX42.pem')
Or
writeln(getDosOutput('openssl.exe verify -verbose
-CAfile certs/CA_cert.pem -CApath certs
certs/host_crt.pem',OpenSSLPath));
11

12. Convert to PKCS#12
 Convert a PEM cert file and a private key to a PKCS#12
(.pfx .p12), you get a file that you import in the Certificate
store by clicking on the file when in Windows.


ExecuteShell('cmd.exe','/k
'+OpenSSLPath+'openssl.exe '+
'pkcs12 -export -out
'+OpenSSLPath+'/certs/CERT_PFX.pfx -inkey
'+OpenSSLPath+'/certs/PVK_host.pem -in
'+OpenSSLPath+'/certs/CERT_host_crt.pem -certfile
'+OpenSSLPath+'/certs/CA_crt.pem') // }
12

13. THE TEST OVERVIEW
OpenSSL Precompiled Binaries for Win32 test:
sr:= loadfromfile(OpenSSLExe+'openssl.exe')
writeln(getsha256(sr))
sleep(500)
writeln((SHA1(OpenSSLExe+'openssl.exe')))
sr:= loadfromfile(OpenSSLExe+'ssleay32.dll')
writeln('ssleay32.dll sha256: '+getSHA256(sr))
sr:= loadfromfile(OpenSSLExe+'libeay32.dll')
writeln('libeay32.dll sha256: '+getSHA256(sr))
13

14. Process Overview
// we generate the private key pair of the CA:
1. openssl genrsa -des3 -out ./MyDemo/certs/CA_pvk.pem 2048
// we generate CA_Cert sign the private to make a certificate of CA
2. openssl req -new -x509 -days 365 -key ./MyDemo/certs/CA_pvk.pem -out
./MyDemo/certs/CA_crt.pem -config ./openssl.cnf
// we need the host private key
3. openssl genrsa -des3 -out ./MyDemo/crl/host_pvk.pem 2048
// we sign the host private from the CA (machine certificate)
4. openssl req -new -key ./MyDemo/crl/host_pvk.pem -out
./MyDemo/crl/host_csr.pem -config ./openssl.cnf
5. openssl ca -out ./MyDemo/crl/host_crt.pem -in ./MyDemo/crl/host_csr.pem
-cert ./MyDemo/certs/CA_crt.pem -keyfile ./MyDemo/certs/CA_pvk.pem -config
./openssl.cnf // we verify the cert's
6. openssl verify -verbose -CAfile ./MyDemo/certs/CA_crt.pem -CApath
./MyDemo ./MyDemo/crl/host_crt.pem
the result is: ./MyDemo/crl/host_crt.pem: OK 14
maXboxDelphiSystem

15. MS Crypto API
We do this with a tool from MS called makecert. Most
certificates in common use are based on the X.509 v3
certificate standard. First I open the shell with the MS
SDK:
C:maXboxEKON_BASTAEKON19Windows
Kits10binx64>
C:Program FilesMicrosoft
SDKsWindowsv7.1Bin> makecert -n
"CN=maXboxCertAuth" -cy authority -a
sha1 -sv "maXboxPrivateKey3.pvk" -r
"maXboxCertAuth3.cer" Succeeded
15

16. Sign Key for Digital Signing
Ref: maxbox_digital_signature_report.pdf
Next we create the second certificate with the purpose to
sign all files we want. In our case, you remember, we want
to sign an executable:
C:Program FilesMicrosoft
SDKsWindowsv7.1Bin>makecert -n
"CN=maXbox3signer" -ic maxboxcertauth3.cer
-iv maXboxprivatekey3.pvk -a sha1 -sky
exchange -pe -sv
maxbox3signerprivatekey.pvk
maxboxsigner.cer Succeeded
16
maXboxDelphiSystem

17. COMMONLY USED PFX:
17
maXboxDelphiSystem
You need both the public and private keys for an official SSL
Certificate to function. So, if you need to transfer your SSL
Certificates from one server to another, you need to export is
as a .pfx file. Now we generate that as well with the shell:
C:Program FilesMicrosoft
SDKsWindowsv7.1Bin>pvk2pfx -pvk
"maXboxPrivateKey3 .pvk" -spc
maXboxCertAuth3.cer -pfx
maXboxCertAuth3.pfx -pi password

18. Sign an executable
So it's time to make the last step namely to sign our
executable with another shell tool called signtool:
C:maXboxEKON_BASTAEKON19Windows
Kits10binx64>signtool sign /f
"maxboxsigner.pfx" /p "password" /tr
http://tsa.starfieldtech.com /td SHA256
C:maxboxmaxbox3work2015maxbox3digisign_
certificatesmaxbox44.exe
Done Adding Additional Store Successfully
signed:
C:maxboxmaxbox3work2015maxbox3digisign_
certificatesmaXbox44.exe
18

19. Certificate Store
Next I want to stress the chain of certificate (block chain is
one of the next big thing).
http://www.softwareschule.ch/download/maxbox_starter54.pdf
A certificate authority themselves have a certificate with
which they digitally sign all the certificates they issue. My
machine (and pretty much everyone's) has a store of the
certificates (see first picture) of these different certificate
authorities.
The computer then knows that if its sees any certificate that
has been signed by one of these trusted certificate
authorities' certificate, then the machine should trust that
certificate.
19

20. Regex Test EXAMPLE: Mail Finder
20
maXboxDelphiSystem
procedure delphiRegexMailfinder;
begin
// Initialize a test string to include some email addresses. This
would normally be your eMail.
TestString:= '<one@server.domain.xy>, another@otherserver.xyz';
PR:= TPerlRegEx.Create;
try
PR.RegEx:= 'b[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{2,4}b';
PR.Options:= PR.Options + [preCaseLess];
PR.Compile;
PR.Subject:= TestString; // <-- tell PR where to look for matches
if PR.Match then begin
WriteLn(PR.MatchedText); // Extract first address
while PR.MatchAgain do
WriteLn(PR.MatchedText); // Extract subsequent addresses
end;
finally
PR.Free;
end;
//Readln;
end;

21. EXAMPLE: HTTP RegEx[ ]
21
maXboxDelphiSystem
% cat get russian rouble rate - datafile
procedure getHttpREGEX(Sender: TObject);
var http1: TIDHTTP;
htret: string;
begin
http1:= TIDHTTP.Create(self);
htret:= HTTP1.Get('http://win.www.citycat.ru/finance/finmarket/_CBR/');
//writeln(htret);
with TRegExpr.Create do try
Expression:= russTemplate;
if Exec(htret) then begin
//if output success
writeln(Format ('Russian rouble rate at %s.%s.%s: %s',
[Match [2], Match [1], Match [3], Match [4]]));
end;
//writeln(dump)
finally Free;
end;
//text2html
//writeln('deco: '+#13+#10+DecorateURLs(htret,[durlAddr, durlPath]))
end;

22. EXAMPLE: Extract Phones<city code 812
22
maXboxDelphiSystem
% cat grep-delphi-maXbox_datafile
procedure ExtractPhones(const AText: string; APhones: TStrings);
begin
with TRegExpr.Create do try
Expression := '(+d*)?(((d+))*)?(d+(-d*)*)';
if Exec (AText) then
REPEAT
if Match[3] = '812'
then APhones.Add(Match [4]);
UNTIL not ExecNext;
finally Free;
end;
end;
writeln('Formula Gauss : '+
floatToSTr(maXcalc('1/SQRT(2*PI*3^2)*EXP((-
0.0014^2)/(2*3^2))')));

23. 23
Regex Atoms
An atom specifies what text is to be matched and where
it is to be found.

24. 24
Example: Classes

25. SUMMARY
 OpenSSL Certificates
 MS Crypto API Certificates
 Regex Test Examples
 Certificate Store
https://maxbox4.wordpress.com/
25
maXboxDelphiSystem