OpenSSL Tips & Tricks

Get into the correct directory:

cd /etc/pki/tls/certs

Generate key

openssl genrsa -des3 -out mike.key 4096

chmod 600 mike.key

Generate signing request

openssl req -new -key mike.key -out mike.csr

chmod 600 mike.csr

Get the CA to sign the request

openssl x509 -req -days 10000 -in mike.csr -out mike.cert \

-CA /etc/pki/tls/certs/ \

-CAkey /etc/pki/tls/certs/ -CAcreateserial

openssl pkcs12 -export -in mike.cert -inkey mike.key -out mike.p12

Other OpenSSL Tricks

To strip the passphrase from a key (I.E. decrypt it)

openssl rsa -in mike.key -out mike-nopass.key

To display a cert's contents:

openssl x509 -text -in mike.cert

Create a PEM file with key and cert included:

cat mike-nopass.key mike.cert > mike.pem

Verify that a cert is ok to use as an HTTPS cert:

openssl verify -purpose sslserver -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/Milnet_HTTP.crt

Creating a new CA

  1. cd /etc/pki/CA
  2. openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ArmyCA.key -out certs/ArmyCA.crt -days 5000
  3. chmod 400 private/ArmyCA.key
  4. cd private
  5. ln -s ArmyCA.key cakey.pem
  6. cd ..
  7. ln -s certs/ArmyCA.crt cacert.pem
  8. openssl req -config ../tls/openssl.cnf -new -nodes -keyout private/Milnet_HTTP.key -out Milnet_HTTP.csr -days 5000
  9. openssl ca -config ../tls/openssl.cnf -policy policy_anything -out certs/Milnet_HTTP.crt -infiles Milnet_HTTP.csr
  10. cat certs/Milnet_HTTP.crt private/Milnet_HTTP.key > private/Milnet_HTTP-key-cert.pem