graudeejs
August 23rd, 2009, 14:52
BEFORE I START
How to get openssl help?
openssl help
help is not a valid openssl command, but that seems to be the only way to get a list of openssl commands :)
Now, if you need help about something more specific,
try
openssl OPENSSL_COMMAND -help
or simply
openssl OPENSSL_COMMAND
[correct me if I'm wrong and there is a better way]
or read the openssl manual page
GENERATING RSA KEY
RSA keys can be used for signing and encrypting/decrypting
Generate password protected 4096 bit RSA private key
openssl genrsa -aes256 -out privkey.key 4096
you can replace -aes256 with -des, -des3, -aes128, -aes192, -camellia128, -camellia192 or -camellia256
Note: each time you use this private key, you will be asked for the password
Generate a password unprotected 4096 bit RSA private key
openssl genrsa -out privkey.key 4096
GENERATING DSA KEY
DSA keys can be used for signing only
Generate parameters from which to generate the key
openssl dsaparam -out dsaparam.pem 4096
Generate password protected DSA key using the parameters in question
openssl gendsa -aes256 -out privkey.key dsaparam.pem
you can replace -aes256 with -des, -des3, -aes128, -aes192, -camellia128, -camellia192 or -camellia256
Note: each time you use this private key, you will be asked for the password
Generate password unprotected DSA key using the parameters in question
openssl gendsa -out privkey.key dsaparam.pem
CREATING A CERTIFICATE REQUEST
openssl req -new -key privkey.key -out cert.csr
Now, cert.csr can be sent to the certificate authority, if they can handle files in PEM format. If not, use the extra argument '-outform' followed by the keyword for the format to use
CREATING A SELF-SIGNED CERTIFICATE
openssl req -new -x509 -key privkey.key -out newcert.pem -days 1095
When asked for "YOUR name" in these dialogs, enter the full domain name (i.e. www.example.com or subdomain.example.com), not your personal name. This can be confusing, but it's pretty much the only thing that isn't clear in the dialogues.
CREATE SELF-SIGNED CERTIFICATE FROM A CERTIFICATE SIGNING REQUEST
openssl req -x509 -in cert.csr -key privkey.key -out newcert.pem -days 1095
Note that there is no -new here: with -new, openssl req ignores the -in file and builds a fresh request from the prompts instead of signing cert.csr. The subject, including the "YOUR name" common name, is taken from cert.csr, so the advice above about entering the full domain name applies when the request is created.
GET CERTIFICATE HASH
openssl x509 -noout -hash -in newcert.pem
CONVERTING CERTIFICATE TO/FROM PKCS #12 FORMAT
PEM to PKCS #12
openssl pkcs12 -export -in newcert.pem -inkey privkey.key -out newcert.p12
PKCS #12 to PEM
openssl pkcs12 -in newcert.p12 -out newcert.pem -nodes -clcerts
Note: -nodes writes the extracted private key unencrypted into newcert.pem; leave it out if the key should stay password protected.
VIEW CERTIFICATE IN HUMAN READABLE MANNER
PEM format
openssl x509 -text -noout -in newcert.pem
PKCS #12 format
openssl pkcs12 -info -nodes -in newcert.p12
ENCRYPT/DECRYPT PRIVATE KEY
When you use an encrypted private key, openssl will ask for the password.
Encrypt
openssl rsa -aes256 -in unencrypted_privkey.key -out encrypted_privkey.key
Decrypt (no cipher option here; passing -aes256 again would encrypt the output with a new password instead of removing it)
openssl rsa -in encrypted_privkey.key -out unencrypted_privkey.key
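The encrypt/decrypt step above, as an added example that is not part of graudeejs' post: it runs the same openssl rsa commands without prompts (the passphrase is passed with -passout/-passin) and checks that the decrypted key is the original one by comparing the modulus, which works regardless of which PEM container the installed openssl version writes. It assumes openssl is on PATH; the file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt and decrypt an RSA
# private key non-interactively. "pass:" is used for a demo only; in real
# scripts prefer "file:" or "env:" so the secret does not show up in the
# process list. Assumed: openssl on PATH; all file names are constructed.
set -eu

PASS='pass:demo-passphrase-not-for-real-use'   # constructed demo passphrase

# Print "encrypted" or "plain" depending on the PEM headers of a key file
# (covers both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY").
key_state() {
    if grep -q 'ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# Encrypt: as on the page, the cipher flag (-aes256) tells openssl rsa to
# wrap the output key; the passphrase comes from -passout instead of a prompt.
encrypt_key() {
    openssl rsa -aes256 -passout "$PASS" -in "$1" -out "$2" 2>/dev/null
}

# Decrypt: note there is NO cipher flag. Passing -aes256 on this side would
# re-encrypt the output under a new passphrase.
decrypt_key() {
    openssl rsa -passin "$PASS" -in "$1" -out "$2" 2>/dev/null
}

# Round trip in a scratch directory; return 0 when the encrypted copy really
# is encrypted, the decrypted copy is plain, and both carry the same modulus.
roundtrip_demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/unencrypted_privkey.key" 2048 2>/dev/null
    encrypt_key "$dir/unencrypted_privkey.key" "$dir/encrypted_privkey.key"
    decrypt_key "$dir/encrypted_privkey.key" "$dir/unencrypted_again.key"
    state_enc=$(key_state "$dir/encrypted_privkey.key")
    state_dec=$(key_state "$dir/unencrypted_again.key")
    mod_before=$(openssl rsa -noout -modulus -in "$dir/unencrypted_privkey.key" 2>/dev/null)
    mod_after=$(openssl rsa -noout -modulus -in "$dir/unencrypted_again.key" 2>/dev/null)
    rm -rf "$dir"
    [ "$state_enc" = encrypted ] && [ "$state_dec" = plain ] \
        && [ -n "$mod_before" ] && [ "$mod_before" = "$mod_after" ]
}

roundtrip_demo && echo "round trip OK: encrypted key decrypts back to the original"
```

The modulus comparison is used instead of a byte-for-byte file comparison on purpose: OpenSSL 1.x and 3.x write the unencrypted key in different PEM containers (PKCS#1 vs PKCS#8), but the RSA modulus is the same either way.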
VIEW CERTIFICATE SIGNER
openssl x509 -in newcert.pem -noout -issuer -issuer_hash
VERIFY A CERTIFICATE MATCHES A PRIVATE KEY
openssl x509 -in newcert.pem -noout -modulus > cert.txt
openssl rsa -in privkey.key -noout -modulus > key.txt
diff cert.txt key.txt
rm cert.txt key.txt
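The request, self-sign and key/certificate check steps above, as one added example that is not part of graudeejs' post: it creates the key, the CSR and the self-signed certificate without any dialogue (the subject is passed with -subj) and then checks that the certificate belongs to the key. It goes a little beyond the post's -modulus trick by comparing the public key embedded in the certificate with the public key derived from the private key, which works for DSA keys as well as RSA. It assumes openssl is on PATH; the subject and all file names are constructed.

```shell
#!/bin/sh
# Added example (not the original post's commands): key -> CSR -> self-signed
# certificate without prompts, then verify that the certificate matches the key.
# Assumed: openssl on PATH; subject and file names are constructed.
set -eu

# The Common Name must be the host name the certificate is for, exactly as the
# post says ("YOUR name" means www.example.com, not a person's name).
SUBJECT='/C=XX/O=Example Org/CN=www.example.com'   # constructed

# Unencrypted RSA key; 2048 bits keeps the demo fast.
gen_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Create the request; -subj replaces the interactive dialogue.
make_csr() {
    openssl req -new -key "$1" -subj "$SUBJECT" -out "$2" 2>/dev/null
}

# Self-sign an existing request. No -new here: with -new, openssl req ignores
# the -in file and builds a fresh request from prompts instead.
selfsign_csr() {
    openssl req -x509 -in "$1" -key "$2" -days 1095 -out "$3" 2>/dev/null
}

# Return 0 when certificate $1 and private key $2 carry the same public key
# (SubjectPublicKeyInfo compared by hash; key-type independent).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the whole flow in a scratch directory and return the verdict.
# With "mismatch" as first argument an unrelated key is checked instead,
# which must fail.
demo() {
    dir=$(mktemp -d)
    gen_key "$dir/privkey.key"
    make_csr "$dir/privkey.key" "$dir/cert.csr"
    selfsign_csr "$dir/cert.csr" "$dir/privkey.key" "$dir/newcert.pem"
    key="$dir/privkey.key"
    if [ "${1:-}" = mismatch ]; then
        gen_key "$dir/other.key"
        key="$dir/other.key"
    fi
    if cert_matches_key "$dir/newcert.pem" "$key"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

demo && echo "newcert.pem matches privkey.key"
demo mismatch || echo "newcert.pem does not match other.key (as expected)"
```

Comparing the public keys rather than the modulus is what you want in a script that has to handle more than RSA; for RSA alone the two checks are equivalent.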
GENERATE PUBLIC RSA/DSA KEY
RSA
privkey.key must be RSA
openssl rsa -in privkey.key -pubout -out pub.key
DSA
privkey.key must be DSA
openssl dsa -in privkey.key -pubout -out pub.key
REVOKE CERTIFICATE
openssl ca -revoke newcert.pem
This requires a CA set up with openssl ca (or CA.pl, see below); see the ca manual page for the configuration it expects.
File names used in this post:
privkey.key - private key (password protected or not)
dsaparam.pem - DSA parameters used to generate the DSA private key
cacert.pem - certificate used to sign other certificates (CA certificate)
newcert.pem - your certificate
newcert.p12 - your certificate in PKCS #12 format
cert.csr - certificate request
NOTES:
everything above can be done in a simplified manner using /usr/src/crypto/openssl/apps/CA.pl
REFERENCES:
http://www.openssl.org/docs/HOWTO/certificates.txt
http://www.openssl.org/docs/HOWTO/keys.txt
openssl (manual page)
http://www.freebsddiary.org/openssl-client-authentication.php
ca (manual page)
/usr/src/crypto/openssl/apps/CA.pl
http://www.madboa.com/geek/openssl/
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php
SEE ALSO:
http://www.freebsddiary.org/apache13-modssl.php
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html
P.S.
For more information, please read the resources provided above; they are very well written and much more verbose.
This is about all I wanted to write today.... anyone have anything to add?
Got questions? Shoot here! I'll try to answer....
EDIT:
renamed privkey.pem to privkey.key