Differences between revisions 1 and 2
Revision 1 as of 2009-06-27 20:07:38
Size: 2834
Editor: SamatJain
Comment:
Revision 2 as of 2009-06-27 20:22:46
Size: 2834
Editor: SamatJain
Comment:
Deletions are marked like this. Additions are marked like this.
Line 119: Line 119:
CategoryCheetSheet CategoryCheatSheet

Contents

  1. End-user stuff
    1. Create certificate request/unsigned key
    2. Show key fingerprint
    3. Generate key
    4. Display certificate information
    5. Creating a PEM file for servers
    6. Creating a PKCS12-format file
    7. Signing e-mails
  2. Certificate Authority stuff
    1. Create CA certificate
    2. Export CA certificate in DER format
    3. Revoke certificate
    4. Generate Certificate Revocation List (CRL)
    5. Sign Certificate Request
    6. Create Diffie-Hoffman Parameters for Current CA
    7. Create self-signed certificate from generated key
  3. Command-line tricks
    1. Simple file encryption
    2. Simple file decryption

End-user stuff

Create certificate request/unsigned key

   1 openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem

blah.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache

Show key fingerprint

   1 openssl x509 -subject -dates -fingerprint -in blah.key.pem

Generate key

   1 openssl genrsa -out blah.key.pem

Display certificate information

   1 openssl x509 -in blah.crt.pem -noout -text

Creating a PEM file for servers

   1 cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem

Used by courier-imap, etc.

Creating a PKCS12-format file

   1 openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates"

Used for creating certificates used in e-mail clients and web browsers

Signing e-mails

   1 openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem

Certificate Authority stuff

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

Create CA certificate

   1 openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650

Export CA certificate in DER format

   1 openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt

Used by web browsers.

Revoke certificate

   1 openssl ca -revoke blah.crt.pem

Generate Certificate Revocation List (CRL)

   1 openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl

Sign Certificate Request

   1 openssl ca -out blah.crt.pem -in blah.req.pem

blah.crt.pem acts as SSLCertificateFile for Apache

Create Diffie-Hoffman Parameters for Current CA

   1 openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536

Create self-signed certificate from generated key

   1 openssl req -new -x509 -key blah.key.pem -out blah.crt.pem

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

Command-line tricks

Simple file encryption

   1 openssl enc -bf -A -in file_to_encrypt.txt

Simple file decryption

   1 openssl enc -bf -d -A -in file_to_encrypt.txt

CategoryCheatSheet

SamatsWiki: CheatSheet/OpenSSL (last edited 2020-05-04 22:20:10 by SamatJain)