Conventions
* req = certificate signing request
* key = unencrypted private key
* pem = encrypted private key
* crt = signed certificate
Create a Certificate Signing request
1. Create an RSA key and a signing request
openssl req -new -days 3650 -config <config file> -out certreq.req -keyout server.pem
2. The -config option is optional. Note that -days only takes effect together with -x509 (a self-signed certificate); on a plain signing request it is ignored, because the validity period is set by whoever signs the request.
3. The PEM passphrase requested is the passphrase for encrypting server.pem. Some applications require an unencrypted key (e.g. stunnel), but it is good practice to encrypt the key and create a decrypted copy only if necessary.
Signing a Certificate
If you are not going to have your keys signed by a Certificate Authority then you can sign the key yourself.
1. Sign the Certificate
openssl ca -config stunnel.cnf -days 365 -keyfile /mnt/cdrom/DPSIkey.pem -cert /mnt/cdrom/DPSIcert.pem -in certreq.req -out test.crt
2. The passphrase requested is for the key to be used for signing.
Decrypting a Server Key
Some applications need the server key to be in clear text. The private key can be decrypted with
openssl rsa -in server.pem -out server.key
Encrypting a Server Key
If a key needs to be encrypted again after it has been decrypted:
openssl rsa -des3 -in plaintext.key -out encrypted.key.pem
You will be prompted for a passphrase.
Show the fields in a certificate
1. Signing Request
openssl req -in cert.req -text
2. Signed Certificate
openssl x509 -in cert.crt -text
3. Encrypted Private Key
openssl rsa -in www.closetheloan.pem -text
4. Unencrypted Private Key
openssl rsa -in www.closetheloan.key -text
Convert OpenSSL Key to IIS Key
1. Decrypt the server key
openssl rsa -in server.pem -out server.key
2. Combine the server key and the signed certificate
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
Self Signed Certificate
1. Generate a key (1024 bits, as written here, is below current minimums; use 2048 or more for anything real):
openssl genrsa -des3 1024 > server.pem
2. Generate the self signed certificate
openssl req -new -key server.pem -x509 -days 3650 -out server.crt
Create a Private CA
1. Change to working directory
cd ~/certs
2. Create the directory structure that openssl ca uses for its database, serial number and issued certificates. The paths may need to match the CA section of the configuration in /usr/share/ssl/openssl.cnf.
mkdir -p DPSI-CA/certs
mkdir -p DPSI-CA/crl
mkdir -p DPSI-CA/newcerts
mkdir -p DPSI-CA/private
touch DPSI-CA/index.txt
touch DPSI-CA/private/.rand
echo 01 >DPSI-CA/serial
3. Create the self-signed key and cert
openssl req -new -x509 -keyout DPSIkey.pem -out DPSIcert.pem -days 3650
4. Use a good passphrase when prompted for one.
5. Use reasonable values for the remaining questions
6. The new CA private key will be in DPSIkey.pem. The CA certificate, which carries the public key, is in DPSIcert.pem.
If this CA is being generated for "real" it is a good idea to copy the certificate and private key to a safe place and delete the originals. It might be a really good idea to burn them onto a CD that is only mounted when a certificate needs to be signed.
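The whole flow above (CA directory layout, self-signed CA, signing request, signing with openssl ca, decrypting the server key) run end to end without prompts, as an added example that is not part of the original post. It assumes openssl is on the PATH; the minimal ca.cnf, the DPSI Test CA / server.example names and the pass: passphrases are constructed here in place of the post's stunnel.cnf and interactive prompts.

```shell
#!/bin/sh
# Added example: private CA + signed server certificate, non-interactive.
# Runs in a subshell so the cd into the temp dir does not leak out.
set -eu

build_ca_and_sign() (
  work=$(mktemp -d)
  cd "$work"
  # Layout openssl ca expects (index, serial, issued certs)
  mkdir -p DPSI-CA/certs DPSI-CA/crl DPSI-CA/newcerts DPSI-CA/private
  touch DPSI-CA/index.txt
  echo 01 > DPSI-CA/serial
  # Constructed minimal config standing in for the post's stunnel.cnf
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = DPSI_CA
[ DPSI_CA ]
dir = ./DPSI-CA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # Step 3 of "Create a Private CA": self-signed CA cert, encrypted key
  openssl req -new -x509 -days 3650 -config ca.cnf -extensions v3_ca \
    -subj "/CN=DPSI Test CA" -keyout DPSIkey.pem -out DPSIcert.pem \
    -passout pass:capass
  # "Create a Certificate Signing request": server key (encrypted) + CSR
  openssl req -new -config ca.cnf -subj "/CN=server.example" \
    -keyout server.pem -out certreq.req -passout pass:srvpass
  # "Signing a Certificate": CA passphrase goes to -passin
  openssl ca -batch -notext -config ca.cnf -days 365 -keyfile DPSIkey.pem \
    -cert DPSIcert.pem -passin pass:capass -in certreq.req -out server.crt
  # "Decrypting a Server Key": clear-text copy for tools like stunnel
  openssl rsa -in server.pem -passin pass:srvpass -out server.key
  # Prove the chain: exit status 0 and "server.crt: OK" on success
  openssl verify -CAfile DPSIcert.pem server.crt
)
```

Run it with `build_ca_and_sign`; everything is written under a fresh mktemp directory, so the post's ~/certs tree is untouched.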