quick & dirty openssl... keys, certificates

BEFORE I START
How to get openssl help?
Code:
openssl help
help is not valid openssl command, but that seams to be the only way to get openssl commands :)

now if you need help about something more specific
try
Code:
openssl OPENSSL_COMMAND -help
or simply
Code:
openssl OPENSSL_COMMAND
[correct me if i'm wrong, and there is a better way]

or read openssl(1)


GENERATING RSA KEY
RSA keys can be used for signing and encrypting/decrypting

Generate password protected 4096 bit RSA private key
Code:
openssl genrsa -aes256 -out privkey.key 4096
you can replace -aes256, with -des, -des3, -aes128, -aes192, -camellia128, -camellia192, -camellia256
Note: each time you need to use this private key, you will be asked for password

Generating password unprotected 4096 bit RSA private key
Code:
openssl genrsa -out privkey.key 4096

GENERATING DSA KEY
DSA keys can be used for signing only

Generate parameters from which to generate the key
Code:
openssl dsaparam -out dsaparam.pem 4096

Generate password protected DSA key using the parameters in question
Code:
openssl gendsa -aes256 -out privkey.key dsaparam.pem
you can replace -aes256, with -des, -des3, -aes128, -aes192, -camellia128, -camellia192, -camellia256
Note: each time you need to use this private key, you will be asked for password

Generate password unprotected DSA key using the parameters in question
Code:
openssl gendsa -out privkey.key dsaparam.pem

CREATING A CERTIFICATE REQUEST
openssl req -new -key privkey.key -out cert.csr
Now, cert.csr can be sent to the certificate authority, if they can handle files in PEM format. If not, use the extra argument '-outform' followed by the keyword for the format to use


CREATING A SELF-SIGNED CERTIFICATE
Code:
openssl req -new -x509 -key privkey.key -out newcert.pem -days 1095
gilinko said:
When asked for "YOUR name" in these dialogs you enter the full domain name(ie http://www.example.com or subdomain.example.com), and not your name. Can be confusing, but that's pretty much the only thing that isn't pretty clear in the dialogues.


CREATE SELF-SIGNED CERTIFICATE FROM A CERTIFICATE SIGNING REQUEST
Code:
openssl req -new -x509 -in cert.csr -key privkey.key -out newcert.pem -days 1095
gilinko said:
When asked for "YOUR name" in these dialogs you enter the full domain name(ie http://www.example.com or subdomain.example.com), and not your name. Can be confusing, but that's pretty much the only thing that isn't pretty clear in the dialogues.


GET CERTIFICATE HASH
Code:
openssl x509 -noout -hash -in newcert.pem


CONVERTING CERTIFICATE TO/FROM PKCS #12 FORMAT
pem to pcsk 12
Code:
openssl pkcs12 -export -in newcert.pem -inkey privkey.key -out newcert.p12
pcsk 12 to pem
Code:
openssl pkcs12 -in newcert.p12 -out newcert.pem -nodes -clcerts

VIEW CERTIFICATE IN HUMAN READABLE MANNER
pem format
Code:
openssl x509 -text -noout -in newcert.pem
pkcs 12 format
Code:
openssl pkcs12 -info -nodes -in newcert.p12


ENCRYPT/DECRYPT PRIVATE KEY
When you use encrypted private key openssl will ask password.
Encrypt
Code:
openssl rsa -aes256 -in unencrypted_privkey.key -out encrypted_privkey.key
Decrypt
Code:
openssl rsa -aes256 -in encrypted_privkey.key -out unencrypted_privkey.key


VIEW CERTIFICATE SIGNER
Code:
openssl x509 -in newcert.pem -noout -issuer -issuer_hash


VERIFY A CERTIFICATE MATCHES A PRIVATE KEY
Code:
openssl x509 -in newcert.pem -noout -modulus > cert.txt
openssl rsa -in privkey.key -noout -modulus > key.txt
diff cert.txt key.txt
rm cert.txt key.txt


GENEREATE PUBLIC RSA/DSA KEY
RSA
privkey.key must be RSA
Code:
openssl rsa -in privkey.key  -pubout -out pub.key
DSA
privkey.key must be DSA
Code:
openssl dsa -in privkey.key  -pubout -out pub.key


REVOKE CERTIFICATE
Code:
openssl -revoke newcert.pem


filename description used here
Code:
private.pem		- private key (password encrypted or not)
dsaparam.pem		- dsa parameters used to generate dsa private key
cacert.pem		- certificate used to sign other certificates (CA certificate)
newcert.pem		- you certificate
newcert.p12		- your certificate in pcsk 12 format
cert.csr		- certificate request


NOTES:
all above can be done using /usr/src/crypto/openssl/apps/CA.pl in simplified manner


REFERENCES:
http://www.openssl.org/docs/HOWTO/certificates.txt
http://www.openssl.org/docs/HOWTO/keys.txt
openssl(1)
http://www.freebsddiary.org/openssl-client-authentication.php
ca(1)
/usr/src/crypto/openssl/apps/CA.pl
http://www.madboa.com/geek/openssl/
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php

SEE ALSO:
http://www.freebsddiary.org/apache13-modssl.php
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html

P.S.
For more information, please read resources provided above, they are very well written, and much more verbose
This is about all I wanted to write today.... anyone have anything to add?
Got questions? Shoot here! I'll try to answer....


EDIT:
renamed privkey.pem to privkey.key
 
An important note

You should probably use RSA instead of DSA to generate server certificates.
However if you generated DSA certificate make sure you don't generate key longer than 1024 bytes, otherwise Firefox and Chrome (and everything else using NSS. will not be able to connect to your https website (Opera and Safari will work just fine).

This is bug in NSS:
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=475578

An important note 2
It looks like Opera is suffering performance issues, when connecting to HTTPS that use RSA certificate with 4096 bytes (at least in my case). It may take up to 13-30 seconds for initial connection. After that it seams to work fine, until session timeouts. This is really painful. All other browsers (Including Internet Explorer) works fine.
 
Thanks this is very useful quickstart manual. But I'm iterested, is there a way to make self-signed ssl certificates that don't warn user about certificates, or even make a green url bar? It's possible without CA centre (self-signed)?
 
Alt said:
But I'm iterested, is there a way to make self-signed ssl certificates that don't warn user about certificates, or even make a green url bar? It's possible without CA centre (self-signed)?

Yes. But you need to include the signing CA certificate in your browsers list of 'acceptable' CAs. I was only able to find a Windows How-To, but the general idea should be the same: http://support.microsoft.com/kb/295663
 
Or you can use CAcert certificate for free (You still need to import CAcert root certificate), however after that, everything you expect will work including certificate revocation check
 
Back
Top