Tuesday, March 25, 2008

OpenSSL Cheatsheet

A. Generate your own CA

openssl req -x509 -days 1460 -newkey rsa:2048 -keyout ca-key.pem -out ca-crt.pem


Show Certificate Properties

openssl x509 -in crt.pem -noout -text


Change Certificate to binary DER format

openssl x509 -in ca-crt.pem -outform DER -out ca-crt.der


B. Generate a host certificate


Make the private key and CSR

openssl req -newkey rsa:1024 -keyout host-key.pem -out host-csr.pem


Sign the CSR by CA

If you want to sign with the root CA specified in openssl.cnf,

openssl ca -in host-csr.pem -days 365 -out host-crt.pem -notext



Otherwise,

openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out host-crt.pem


Export the certificate and the private key to PKCS#12 format

openssl pkcs12 -export -inkey host-key.pem \
    -in host-crt.pem -name "panda" \
    -certfile ca-crt.pem -caname "Panda CA" \
    -out host-crt.p12


C. Another way to make the host certificate

1. openssl genrsa -des3 -out new-key.pem 1024
2. openssl req -new -days 3650 -key new-key.pem -out new-csr.pem
3. openssl ca -in new-csr.pem -keyfile ./demoCA/private/ca-key.pem -cert ./demoCA/ca-crt.pem -out new-crt.pem


D. Extract keys and cert from PKCS#12

openssl pkcs12 -in my-crt.p12 -clcerts -nokeys -out usr-crt.pem

openssl pkcs12 -in my-crt.p12 -nocerts -out usr-key.pem


E. Print out certificate hash value

openssl x509 -hash -noout -in ca-crt.pem
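
Added example (not part of the original post): sections A, B and D run end to end without prompts, with three checks that the files belong together. The subject names, the password "example", the temporary directory and the function name roundtrip are constructed for illustration; the host key here is 2048-bit rather than the 1024-bit key shown in section B.

```sh
#!/bin/sh
# Added example, not from the original post.
# Constructed values: subject names, password "example", temp dir.
# Keys are left unencrypted (-nodes) only so the run needs no passphrase input.

roundtrip() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # A. Self-signed CA
        openssl req -x509 -days 1460 -newkey rsa:2048 -nodes -subj "/CN=Panda CA" \
            -keyout ca-key.pem -out ca-crt.pem 2>/dev/null || exit 1
        # B. Host key and CSR, then sign the CSR with the CA
        openssl req -newkey rsa:2048 -nodes -subj "/CN=panda" \
            -keyout host-key.pem -out host-csr.pem 2>/dev/null || exit 1
        openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem \
            -CAkey ca-key.pem -CAcreateserial -out host-crt.pem 2>/dev/null || exit 1

        # Check 1: the host certificate chains to the CA
        openssl verify -CAfile ca-crt.pem host-crt.pem >/dev/null 2>&1 \
            && chain=ok || chain=FAIL

        # Check 2: the certificate carries the public half of host-key.pem
        cert_pub=$(openssl x509 -in host-crt.pem -noout -pubkey)
        key_pub=$(openssl pkey -in host-key.pem -pubout)
        [ "$cert_pub" = "$key_pub" ] && key=match || key=MISMATCH

        # Export to PKCS#12, then D. extract the client certificate again
        openssl pkcs12 -export -inkey host-key.pem -in host-crt.pem -name "panda" \
            -certfile ca-crt.pem -caname "Panda CA" \
            -passout pass:example -out host-crt.p12 || exit 1
        openssl pkcs12 -in host-crt.p12 -clcerts -nokeys \
            -passin pass:example -out usr-crt.pem 2>/dev/null || exit 1

        # Check 3: the extracted certificate is the one that was exported
        fp_a=$(openssl x509 -in host-crt.pem -noout -fingerprint -sha256)
        fp_b=$(openssl x509 -in usr-crt.pem -noout -fingerprint -sha256)
        [ "$fp_a" = "$fp_b" ] && p12=match || p12=MISMATCH

        echo "chain=$chain key=$key p12=$p12"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

roundtrip
```

A mismatch in check 2 is the usual cause of a server refusing to load a certificate and key pair, so it is worth running before deploying either file.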



