***** Create a self signed cert ************

1) openssl genrsa 1024 > client-key.pem

2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem

   note: for an md5 signature the digest flag would be -md5

-- adding metadata (the -text dump) to the beginning of the file

3) openssl x509 -in client-cert.pem -text > tmp.pem

4) mv tmp.pem client-cert.pem
***** Create a CA, signing authority **********

same as self signed, use ca prefix instead of client
***** Create a cert signed by CA **************

1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem

   * note if using an existing key do: -new -key keyName

2) copy ca-key.pem ca-cert.srl (why ???? -- step 3 passes -set_serial, so the .srl file is not read)

3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
***** Adding Subject Key ID and Authority Key ID extensions to a cert *****

Create a config file for OpenSSL with the example contents (the section name is what
-extensions refers to below):

[ skidakid ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

Add to the openssl command for creating a cert signed by a CA, step 3, the options

-extfile <file.cnf> -extensions skidakid

anywhere before the redirect. This will add the hash of the cert's public key as the
Subject Key Identifier, and the signer's SKID as the Authority Key Identifier.
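The CA, the CA-signed server cert and the extension file from the two sections above, put together as an added example (not part of the original notes): it builds the chain with modern OpenSSL defaults (RSA 2048, SHA-256), then checks that the leaf's Authority Key Identifier equals the CA's Subject Key Identifier and that `openssl verify` accepts it. The file names, the `ca_ext` section and the temp directory are assumptions; the CA section also carries basicConstraints/keyUsage, which `openssl verify` needs on a v3 root.

```shell
#!/bin/sh
# Added example (not from the original notes): CA + CA-signed server cert with
# SKID/AKID via -extfile/-extensions, then an AKID == SKID check and a verify.
# Assumes openssl 1.1.1 or 3.x; file names and section names are assumptions.
set -e

# Create CA key/cert and a signed server cert inside directory $1.
build_chain() {
    dir=$1; mkdir -p "$dir"
    cat > "$dir/skidakid.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[ skidakid ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    cnf=$dir/skidakid.cnf
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -config "$cnf" -key "$dir/ca-key.pem" -subj "/CN=Example Test CA" \
        -out "$dir/ca-req.pem" 2>/dev/null
    # Self-sign the CA; ca_ext gives it an SKID plus CA basicConstraints/keyUsage.
    openssl x509 -req -in "$dir/ca-req.pem" -days 1000 -sha256 -signkey "$dir/ca-key.pem" \
        -extfile "$cnf" -extensions ca_ext -out "$dir/ca-cert.pem" 2>/dev/null
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -subj "/CN=server.example.test" -out "$dir/server-req.pem" 2>/dev/null
    # Step 3 of "cert signed by CA", with -extfile/-extensions before the output.
    openssl x509 -req -in "$dir/server-req.pem" -days 1000 -sha256 -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -set_serial 01 -extfile "$cnf" -extensions skidakid \
        -out "$dir/server-cert.pem" 2>/dev/null
}

# Print the hex key id that follows extension header $2 in cert $1 (-text output).
key_id() {
    openssl x509 -in "$1" -noout -text | awk -v hdr="$2" \
        'found { sub(/^[ \t]*(keyid:)?/, ""); print; exit } index($0, hdr) { found = 1 }'
}

# Return 0 when the leaf's AKID matches the CA's SKID and openssl verify accepts the chain.
check_chain() {
    ca_skid=$(key_id "$1/ca-cert.pem" "Subject Key Identifier")
    leaf_akid=$(key_id "$1/server-cert.pem" "Authority Key Identifier")
    [ -n "$ca_skid" ] && [ "$ca_skid" = "$leaf_akid" ] || return 1
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null
}
```

Run as `build_chain /tmp/skid-demo && check_chain /tmp/skid-demo`; `openssl x509 -in server-cert.pem -noout -text` then shows both identifiers under "X509v3 extensions".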
***** To create a dsa cert ********************

1) openssl dsaparam 512 > dsa512.param # creates group params

2) openssl gendsa dsa512.param > dsa512.pem # creates private key

3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem
***** To convert from PEM to DER **************

a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

to convert an rsa private key from PEM to DER:

b) openssl rsa -in key.pem -outform DER -out key.der
**** To encrypt rsa key already in pem **********

a) openssl rsa <server-key.pem.bak -des >server-keyEnc.pem

note the position of -des (after the input redirect); passphrase used = yassl123
*** To make a public key from a private key ******

openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub
**** To convert to pkcs8 *******

openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem
**** To convert to pkcs8 encrypted *******

openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem

to use PKCS#5 v2.0 instead of the default v1.5, add

-v2 des3 # file Pkcs8Enc2

to use a PKCS#12 PBE instead, use -v1 with a PKCS#12 algorithm, e.g.

-v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info
-v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default
**** To convert from pkcs8 to traditional ****

openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem
**** To create dh params ****

openssl dhparam 2048 > dh2048.param

to add the text dump in front of the PEM:

openssl dhparam -in dh2048.param -text > dh2048.pem
**** To create an ecc key ****

to see the curve types available do

openssl ecparam -list_curves

openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem

to convert the key to compressed point form:

openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem
**** To create a CRL ****

a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem

Error: no "./CA root/index.txt", so:

b) touch "./CA root/index.txt"

Error: no "./CA root/crlnumber", so:

c) touch "./CA root/crlnumber"

Error: unable to load CRL number, so:

d) add '01' to the crlnumber file, e.g. echo 01 > "./CA root/crlnumber"

then rerun a)
**** To view a CRL ****

openssl crl -in crl.pem -text
**** To revoke a cert ****

openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem

Then regenerate the crl with a)
**** To verify a cert ****

openssl verify -CAfile ./ca-cert.pem ./server-cert.pem

to verify with CRL checking, make a file with both the ca cert and the crl:

cat ca-cert.pem crl.pem > ca-crl.pem

openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem