openssl req -x509 -days 1460 -newkey rsa:2048 -keyout ca-key.pem -out ca-crt.pem
Show Certificate Properties
openssl x509 -in crt.pem -noout -text
Convert the certificate to binary DER format
openssl x509 -in ca-crt.pem -outform DER -out ca-crt.der
B. Generate a host certificate
Make the private key and CSR
openssl req -newkey rsa:1024 -keyout host-key.pem -out host-csr.pem
Sign the CSR with the CA
If you want to sign with the root CA specified in openssl.cnf,
openssl ca -in host-csr.pem -days 365 -out host-crt.pem -notext
Otherwise,
openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out host-crt.pem
Export the certificate and the private key to PKCS#12 format
openssl pkcs12 -export -inkey host-key.pem \
-in host-crt.pem -name "panda" \
-certfile ca-crt.pem -caname "Panda CA" \
-out host-crt.p12
C. Another way to make the host certificate
1. openssl genrsa -des3 -out new-key.pem 1024
2. openssl req -new -days 3650 -key new-key.pem -out new-csr.pem
3. openssl ca -in new-csr.pem -keyfile ./demoCA/private/ca-key.pem -cert ./demoCA/ca-crt.pem -out new-crt.pem
D. Extract keys and cert from PKCS#12
openssl pkcs12 -in my-crt.p12 -clcerts -nokeys -out usr-crt.pem
openssl pkcs12 -in my-crt.p12 -nocerts -out usr-key.pem
E. Print out certificate hash value
openssl x509 -hash -noout -in ca-crt.pem
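The commands above produce files but never check them. The script below is an added example, not part of the original post: it runs the CA, host certificate and PKCS#12 steps non-interactively in a temporary directory, then verifies the chain, that the private key matches the certificate, and that the certificate survives the PKCS#12 round trip. The subject names, the password "example-pass", the unencrypted (-nodes) keys and the 2048-bit host key are assumptions chosen for a throwaway test, and a default openssl.cnf is assumed to be installed.

```shell
#!/bin/sh
# Added example: CA -> host certificate -> PKCS#12, followed by three checks.
# All names and the password are constructed test values.
pki_roundtrip() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Self-signed CA; -nodes leaves the key unencrypted (test use only)
        openssl req -x509 -days 1460 -newkey rsa:2048 -nodes \
            -subj "/CN=Panda CA" -keyout ca-key.pem -out ca-crt.pem 2>/dev/null || exit 1
        # Host key and CSR, then sign the CSR directly with the CA key
        openssl req -newkey rsa:2048 -nodes -subj "/CN=panda" \
            -keyout host-key.pem -out host-csr.pem 2>/dev/null || exit 1
        openssl x509 -req -days 365 -in host-csr.pem -CA ca-crt.pem \
            -CAkey ca-key.pem -CAcreateserial -out host-crt.pem 2>/dev/null || exit 1
        # Check 1: the host certificate chains to the CA
        openssl verify -CAfile ca-crt.pem host-crt.pem >/dev/null 2>&1 || exit 2
        # Check 2: the private key belongs to the certificate (same public key)
        cert_pub=$(openssl x509 -in host-crt.pem -noout -pubkey)
        key_pub=$(openssl pkey -in host-key.pem -pubout)
        [ "$cert_pub" = "$key_pub" ] || exit 3
        # Check 3: export to PKCS#12, extract again, compare SHA-256 fingerprints
        openssl pkcs12 -export -inkey host-key.pem -in host-crt.pem -name panda \
            -certfile ca-crt.pem -caname "Panda CA" \
            -passout pass:example-pass -out host-crt.p12 || exit 1
        fp_in=$(openssl x509 -in host-crt.pem -noout -fingerprint -sha256)
        fp_out=$(openssl pkcs12 -in host-crt.p12 -clcerts -nokeys \
            -passin pass:example-pass 2>/dev/null |
            openssl x509 -noout -fingerprint -sha256)
        [ -n "$fp_in" ] && [ "$fp_in" = "$fp_out" ] || exit 4
    )
    rc=$?
    rm -rf "$dir"   # remove the throwaway keys
    return $rc
}

pki_roundtrip && echo "chain, key match and PKCS#12 round trip OK"
```

The return code identifies the failing stage: 1 for a generation or export error, 2 for chain verification, 3 for a key mismatch, 4 for a PKCS#12 mismatch.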