2 ***** Create a self signed cert ************
4 1) openssl genrsa 512 > client-key.pem
6 2) openssl req -new -x509 -nodes -md5 -days 1000 -key client-key.pem > client-cert.pem
8 3) note sha1 would be -sha1
10 -- adding metadata to beginning
12 3) openssl x509 -in client-cert.pem -text > tmp.pem
14 4) mv tmp.pem client-cert.pem
17 ***** Create a CA, signing authority **********
19 same as self signed, use ca prefix instead of client
22 ***** Create a cert signed by CA **************
24 1) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem
26 * note if using exisitng key do: -new -key keyName
28 2) copy ca-key.pem ca-cert.srl (why ????)
30 3) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
34 ***** To create a dsa cert ********************
36 1) openssl dsaparam 512 > dsa512.param # creates group params
38 2) openssl gendsa dsa512.param > dsa512.pem # creates private key
40 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem
45 ***** To convert from PEM to DER **************
47 a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
49 to convert rsa private PEM to DER :
51 b) openssl rsa -in key.pem -outform DER -out key.der
54 **** To encrypt rsa key already in pem **********
56 a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem
58 note location of des, pass = yassl123
61 *** To make a public key from a private key ******
64 openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub
67 **** To convert to pkcs8 *******
69 openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem
72 **** To convert to pkcs8 encrypted *******
74 openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem
78 to use PKCS#5 v2 instead of v1.5 which is default add
80 -v2 des3 # file Pkcs8Enc2
82 to use PKCS#12 instead use -v1 witch a 12 algo like
84 -v1 PBE-SHA1-RC4-128 # file Pkcs8Enc12 , see man pkcs8 for more info
87 **** To convert from pkcs8 to traditional ****
89 openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem
94 openssl dhparam 2048 > dh2048.param
98 openssl dhparam -in dh2048.param -text > dh2048.pem
104 to see types available do
105 openssl ecparam -list_curves
108 openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem
115 a) openssl ca -gencrl -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
117 Error No ./CA root/index.txt so:
119 b) touch ./CA root/index.txt
123 Error No ./CA root/crlnumber so:
125 c) touch ./CA root/crlnumber
129 Error unable to load CRL number
131 d) add '01' to crlnumber file
137 openssl crl -in crl.pem -text
141 openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem
143 Then regenerate crl with a)
147 openssl verify -CAfile ./ca-cert.pem ./server-cert.pem
151 Make file with both ca and crl
153 cat ca-cert.pem crl.pem > ca-crl.pem
155 openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem