The OpenSSL Project develops and maintains the OpenSSL software – a robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication. The project’s technical decision making is managed by the OpenSSL Technical Committee (OTC) and the project governance is managed by the OpenSSL Management Committee (OMC).
General Commands
The following is an overview of useful commands. Unless noted otherwise they assume PEM-encoded input.
Check contents of a CSR (also verifies the request's self-signature)
    openssl req -text -noout -verify -in CSR.csr

Check a private key (RSA only; use openssl pkey -in key.pem -check for other key types)
    openssl rsa -in privateKey.key -check

Check contents of a certificate
    openssl x509 -in certificate.crt -text -noout

Check contents of a PKCS#12 file
    openssl pkcs12 -info -in keyStore.p12

Verify a private key matches a certificate (RSA only: the two hashes must be identical)
    openssl x509 -noout -modulus -in cert.crt | openssl md5
    openssl rsa -noout -modulus -in privkey.txt | openssl md5

Convert DER to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert PEM to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PKCS#12 to PEM (-nodes writes the private key unencrypted; protect or delete the output file)
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Convert PEM to PKCS#12
    openssl pkcs12 -export -out keystore.pfx -inkey ssl.key -in ssl.crt -certfile CACert.crt
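The modulus/md5 comparison above only works for RSA keys. The following script is an added example, not part of the original page, that performs the same key-to-certificate check by comparing SHA-256 fingerprints of the DER-encoded public key, so it also works for EC and Ed25519 keys. The file names used in demo() are assumptions; the demo generates throwaway keys so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): does this private key belong to this
# certificate? Compare SHA-256 fingerprints of the DER-encoded public key instead of
# the RSA modulus, so the check works for RSA, EC and Ed25519 keys alike.
set -eu

# SHA-256 of the DER public key derived from a PEM private key file.
# Prints nothing when the key cannot be parsed.
pubkey_fp_from_key() {
    tmp=$(mktemp)
    if openssl pkey -in "$1" -pubout -outform DER -out "$tmp" 2>/dev/null; then
        openssl dgst -sha256 "$tmp" | awk '{print $NF}'
    fi
    rm -f "$tmp"
}

# SHA-256 of the DER public key embedded in a PEM certificate.
# Prints nothing when the certificate cannot be parsed.
pubkey_fp_from_cert() {
    tmp=$(mktemp)
    if openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$tmp" 2>/dev/null; then
        openssl dgst -sha256 "$tmp" | awk '{print $NF}'
    fi
    rm -f "$tmp"
}

# Exit status 0 when key and certificate share a public key, 1 otherwise.
# An unparsable file yields an empty fingerprint and therefore a mismatch.
key_matches_cert() {
    k=$(pubkey_fp_from_key "$1")
    c=$(pubkey_fp_from_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Offline demo with two throwaway EC keys (assumed file names); a.crt is
# self-signed from a.key, so only a.key must match it.
demo() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/a.key"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/b.key"
    openssl req -x509 -new -key "$d/a.key" -subj "/CN=demo" -days 1 \
        -out "$d/a.crt" 2>/dev/null
    if key_matches_cert "$d/a.key" "$d/a.crt"; then
        echo "a.key matches a.crt"
    fi
    if key_matches_cert "$d/b.key" "$d/a.crt"; then
        echo "unexpected: b.key matched a.crt"
    else
        echo "b.key does not match a.crt"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl binary not found" >&2
fi
```

Hashing the whole SubjectPublicKeyInfo rather than the modulus also catches a key and certificate that share a modulus but differ in algorithm parameters, and the empty-fingerprint rule means a corrupt or missing file is reported as a mismatch rather than silently comparing two error messages.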
Certificate Generation and Signing
Create a 2048-bit RSA private key (the file is written unencrypted; add -aes256 to protect it with a passphrase)
# openssl genrsa -out example.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..................................................+++++
e is 65537 (0x010001)
Create an OpenSSL request configuration file, for example openssl-example.cnf:
The *_default entries supply the default answers to the interactive prompts. Note that req_extensions = v3_req is what ends up in a CSR, whereas x509_extensions = v3_ca is used only when openssl req -x509 creates a self-signed certificate; with this file such a certificate would be marked basicConstraints CA:true, so do not use -x509 with it for a server certificate.
[ req ]
default_bits = 2048
default_keyfile = example.key
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req
x509_extensions = v3_ca
dirstring_type = nobmp

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Zuid Holland
localityName = Locality Name (eg, city)
localityName_default = Rotterdam
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = My Organization
commonName = Common Name (FQDN or YOUR name)
commonName_max = 64
commonName_default = host.mydomain.org
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = admin@mydomain.org

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 12
challengePassword_max = 20

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ alt_names ]
DNS.1 = host
DNS.2 = host.mydomain.org
IP.1 = 192.168.100.43
Generate a CSR
# openssl req -new -key example.key -out example.csr -config openssl-example.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Zuid Holland]:
Locality Name (eg, city) [Rotterdam]:
Organizational Unit Name (eg, section) [My Organization]:
Common Name (e.g. server FQDN or YOUR name) [example]: example.mydomain.com
Email Address [admin@mydomain.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This CSR can now be signed by your Certificate Authority. Before sending it, run openssl req -text -noout -verify -in example.csr and confirm that the signature verifies and that the Requested Extensions section lists the subjectAltName entries: modern clients ignore the Common Name and match host names against the SAN only. Be aware that a CA signing with openssl x509 -req does not carry the requested extensions over unless told to (with -extfile and -extensions, or -copy_extensions copy on OpenSSL 3), and that openssl ca needs copy_extensions set in its configuration; otherwise the issued certificate silently loses the SAN.