OpenSSL notes

Here you can find tutorials and notes for server-side maintenance/configuration

OpenSSL notes

Postby lik » Tue Jan 26, 2010 12:09 pm


* req = certificate signing request
* key = unencrypted private key
* pem = encrypted private key
* crt = signed certificate

Create a Certificate Signing request

1. Create an RSA key and a signing request
Code: Select all
openssl req -new -days 3650 -config <config file> -out certreq.req -keyout server.pem

2. The -config is optional.
3. The PEM passphrase requested is the passphrase for encrypting server.pem. Some applications may require an unencrypted key (eg stunnel) but it is good practice to encrypt the key and create a decrypted copy if necessary.

Signing a Certificate

If you are not going to have your keys signed by a Certificate Authority then you can sign the key yourself.

1. Sign the Certificate
Code: Select all
openssl ca -config stunnel.cnf -days 365 -keyfile /mnt/cdrom/DPSIkey.pem -cert /mnt/cdrom/DPSIcert.pem -in certreq.req -out test.crt

2. The passphrase requested is for the key to be used for signing.

Decrypting a Server Key

Some applications need the server key to be in clear text. The private key can be decrypted with
Code: Select all
openssl rsa -in server.pem -out server.key

Encrypting a Server Key

If a key needs to be encrypted after decrypting
Code: Select all
openssl rsa -des3 -in plaintext.key -out encrypted.key.pem

You will be promptd for a passphrase.

Show the fields in a certificate

1. Signing Request
Code: Select all
openssl req -in cert.req -text

2. Signed Certificate
Code: Select all
openssl x509 -in cert.crt -text

3. Encrypted Private Key
Code: Select all
openssl rsa -in www.closetheloan.pem -text

4. Unencrypted Private Key
Code: Select all
openssl rsa -in www.closetheloan.key -text

Convert OpenSSL Key to IIS Key

1. Decrypt the server key
Code: Select all
openssl rsa -in server.pem -out server_.key

2. Combine the server key and the signed certificate
Code: Select all
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

Self Signed Certificate

1. Generate a key:
Code: Select all
openssl genrsa -des3 1024 > server.pem

2. Generate the self signed certificate
Code: Select all
 openssl req -new -key server.pem -x509 -days 3650 -out server.crt

Create a Private CA

1. Change to working directory
Code: Select all
cd ~/certs

2. Create a directory structure for openssl to store some stuff in. This may require updating the configuration in /usr/share/ssl/openssl.cnf.
Code: Select all
mkdir -p DPSI-CA/certs
mkdir -p DPSI-CA/crl
mkdir -p DPSI-CA/newcerts
mkdir -p DPSI-CA/private
touch DPSI-CA/index.txt
touch DPSI-CA/private/.rand
echo 01 >DPSI-CA/serial

3. Create the self-signed key and cert
Code: Select all
openssl req -new -x509 -keyout DPSIkey.pem -out DPSIcert.pem -days 3650

4. Use a good passphrase when prompted for one.
5. Use reasonable values for the remaining questions
6. The new CA private key will be in DPSIkey.pem. The public key is in DPSIcert.pem.

If this CA is being generated for "real"' it is a good idea to copy the public and private keys to safe place and delete the originals. It might be a really good idea to burn them onto a CD that is only mounted when a certificate need to be signed.
Posts: 497
Joined: Wed Dec 15, 2010 3:21 am

Return to Server Side Actions


  • Related topics
    Last post