Tuesday, March 25, 2008

OpenSSL Cheatsheet

A. Generate your own CA

openssl req -x509 -days 1460 -newkey rsa:2048 -keyout ca-key.pem -out ca-crt.pem

Show Certificate Properties

openssl x509 -in crt.pem -noout -text

Change Certificate to binary DER format

openssl x509 -in ca-crt.pem -outform DER -out ca-crt.der

B. Generate a host certificate

Make the private key and CSR

openssl req -newkey rsa:1024 -keyout host-key.pem -out host-csr.pem

Sign the CSR by CA

If you want to sign with the root CA specified in openssl.cnf,

openssl ca -in host-csr.pem -days 365 -out host-crt.pem -notext

Otherwise, to sign with a CA certificate and key given on the command line,

openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out host-crt.pem

Export the certificate and the private key to PKCS#12 format

openssl pkcs12 -export -inkey host-key.pem \
    -in host-crt.pem -name "panda" \
    -certfile ca-crt.pem -caname "Panda CA" \
    -out host-crt.p12

C. Another way to make the host certificate

1. openssl genrsa -des3 -out new-key.pem 1024
2. openssl req -new -days 3650 -key new-key.pem -out new-csr.pem
3. openssl ca -in new-csr.pem -keyfile ./demoCA/private/ca-key.pem -cert ./demoCA/ca-crt.pem -out new-crt.pem

D. Extract keys and cert from PKCS#12

openssl pkcs12 -in my-crt.p12 -clcerts -nokeys -out usr-crt.pem

openssl pkcs12 -in my-crt.p12 -nocerts -out usr-key.pem

E. Print out certificate hash value

openssl x509 -hash -noout -in ca-crt.pem
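
The following script is an added example, not part of the original post: it runs sections A, B and D without prompts in a scratch directory, then checks that the host certificate verifies against the CA and that each private key matches its certificate. The subject names, the throwaway password, the -nodes/-subj/-passin/-passout options and the 2048-bit host key (section B uses 1024) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; subject names and the password are constructed test values.

# Print the RSA modulus of a certificate ($1) or of a private key ($1).
cert_modulus() { openssl x509 -in "$1" -noout -modulus; }
key_modulus()  { openssl rsa  -in "$1" -noout -modulus; }

# Succeed only if private key $1 belongs to certificate $2.
# An empty modulus (unreadable file) is a failure, never a match.
key_matches_cert() {
    k=$(key_modulus "$1" 2>/dev/null) && [ -n "$k" ] &&
    [ "$k" = "$(cert_modulus "$2" 2>/dev/null)" ]
}

# Run sections A, B and D in directory $1 without prompts, then check the output.
make_and_verify() (
    cd "$1" || exit 1
    umask 077                      # key files readable by the owner only
    pw="pass:example-only"         # throwaway password for the .p12
    # A. self-signed CA
    openssl req -x509 -days 1460 -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test CA" -keyout ca-key.pem -out ca-crt.pem &&
    # B. host key and CSR, then sign the CSR with the CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout host-key.pem -out host-csr.pem &&
    openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem \
        -CAkey ca-key.pem -CAcreateserial -out host-crt.pem &&
    # Check 1: the host certificate chains to the CA
    openssl verify -CAfile ca-crt.pem host-crt.pem &&
    # Check 2: the host key matches its certificate; the CA key must not
    key_matches_cert host-key.pem host-crt.pem &&
    ! key_matches_cert ca-key.pem host-crt.pem &&
    # B/D. PKCS#12 round trip, then re-check the extracted pair
    openssl pkcs12 -export -inkey host-key.pem -in host-crt.pem -name "panda" \
        -certfile ca-crt.pem -caname "Panda CA" -out host-crt.p12 -passout "$pw" &&
    openssl pkcs12 -in host-crt.p12 -clcerts -nokeys -out usr-crt.pem -passin "$pw" &&
    openssl pkcs12 -in host-crt.p12 -nocerts -nodes -out usr-key.pem -passin "$pw" &&
    key_matches_cert usr-key.pem usr-crt.pem &&
    key_matches_cert usr-key.pem host-crt.pem
)
```

Call it as make_and_verify "$(mktemp -d)"; a non-zero exit status means one of the steps or checks failed.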
