18th April 2011

OpenSSL Reference

Creating, Requesting, Signing Certificates

Generate CA root certificate and key in PEM format:

# 2048-bit RSA and SHA-256: 1024-bit RSA and SHA-1 are too weak for certificates today.
openssl req -new -newkey rsa:2048 -days 3650 \
    -config ca.cnf -extensions v3_ca \
    -subj '/C=CH/ST=ZH/L=Uster/O=Example Com/OU=Tech/CN=Example Root CA/' \
    -nodes -x509 -sha256 -set_serial 0 \
    -keyout ca.key -out ca.cert
cat ca.key ca.cert > ca.pem

With ca.cnf containing:

[ req ]
distinguished_name = reqdn

[ reqdn ]

[ v3_ca ]
basicConstraints                        = CA:TRUE
subjectKeyIdentifier                    = hash
authorityKeyIdentifier                  = keyid:always,issuer:always

Generate self-signed server certificate and key in PEM format:

openssl req -new -newkey rsa:2048 -days 365 \
    -subj '/C=CH/ST=ZH/L=Uster/O=Example Com/OU=Tech/CN=www.example.com/' \
    -nodes -x509 -sha256 -keyout www.example.com.key \
    -out www.example.com.cert
cat www.example.com.cert www.example.com.key > www.example.com.pem

Create certificate signing request (CSR):

openssl genrsa -out www.example.com.key 2048
openssl req -new -sha256 \
    -subj '/C=CH/ST=ZH/L=Uster/O=ExampleCom/OU=Tech/CN=www.example.com/' \
    -key www.example.com.key -out www.example.com.csr

Sign CSR using CA:

openssl x509 -req -sha256 -CAcreateserial -in www.example.com.csr \
    -days 365 -CA ca.cert -CAkey ca.key -out www.example.com.cert
cat www.example.com.cert www.example.com.key > www.example.com.pem
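
Added example (not part of the original page): the CSR and signing steps above, extended with a subjectAltName supplied at signing time and followed by the checks worth running on the result. The function name, the leaf.* file names and the throwaway CA are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All names below are constructed sample values.
# issue_and_check HOST VERIFY_NAME
#   Builds a throwaway CA, issues a certificate for HOST with a
#   subjectAltName, and returns 0 only if the certificate matches its key,
#   chains to the CA, and is valid for VERIFY_NAME.
issue_and_check() {
    host=$1 name=$2
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077    # private keys are written unencrypted (-nodes)
        printf '%s\n' '[ req ]' 'distinguished_name = reqdn' '[ reqdn ]' \
            '[ v3_ca ]' 'basicConstraints = CA:TRUE' \
            'subjectKeyIdentifier = hash' > ca.cnf
        openssl req -new -newkey rsa:2048 -days 30 -config ca.cnf \
            -extensions v3_ca -subj '/O=Example Com/CN=Example Root CA' \
            -nodes -x509 -sha256 -keyout ca.key -out ca.cert \
            2>/dev/null || exit 1
        openssl genrsa -out leaf.key 2048 2>/dev/null || exit 1
        openssl req -new -sha256 -config ca.cnf -subj "/CN=$host" \
            -key leaf.key -out leaf.csr || exit 1
        # By default x509 -req does not copy extensions from the CSR, so
        # the SAN has to come from an extension file at signing time.
        printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' \
            "$host" > leaf.ext
        openssl x509 -req -sha256 -CAcreateserial -in leaf.csr -days 30 \
            -CA ca.cert -CAkey ca.key -extfile leaf.ext -out leaf.cert \
            2>/dev/null || exit 1
        # 1. The certificate's public key must match the private key.
        cert_pub=$(openssl x509 -in leaf.cert -noout -pubkey) || exit 1
        key_pub=$(openssl pkey -in leaf.key -pubout) || exit 1
        [ "$cert_pub" = "$key_pub" ] || exit 1
        # 2. Chain and host name check against the CA certificate.
        openssl verify -CAfile ca.cert -verify_hostname "$name" leaf.cert \
            2>/dev/null | grep -q ': OK$'
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Calling issue_and_check www.example.com www.example.com succeeds, while verifying the same certificate against a different host name fails the second check.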

View Certificate:

openssl x509 -in www.example.com.cert -text

PKCS#12

Convert PEM to PKCS#12:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12

Convert PKCS#12 to PEM:

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

View PKCS#12:

openssl pkcs12 -info -nodes -in cred.p12

CRL

View CRL:

openssl crl -text -CAfile ca.cert -in crl.pem
openssl crl -text -in microsoft.crl -inform DER
