Size: 2834
Comment:
|
Size: 3436
Comment: Change 'blah' to '$DOMAIN' for easier copying & pasting
|
Line 5: | Line 5: |
== Poor man's benchmark == Quick way to compare processing power of CPUs. {{{#!highlight sh numbers=off openssl speed sha1 }}} |
|
Line 7: | Line 15: |
{{{#!highlight sh openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem |
{{{#!highlight sh numbers=off # Create a key at the same time openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem # Use an existing key openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem |
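Review bot: In the added "Use an existing key" variant, `-nodes` has no effect, because `-key` supplies a key that already exists and `req` writes no new one; drop it from that line so readers do not assume it changes how the existing key is stored. The first variant still writes `$DOMAIN.key.pem` unencrypted, so a one-line reminder to restrict that file's permissions would fit here.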
Line 11: | Line 22: |
blah.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache | $DOMAIN.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache. |
Line 15: | Line 26: |
{{{#!highlight sh openssl x509 -subject -dates -fingerprint -in blah.key.pem |
{{{#!highlight sh numbers=off openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem |
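Review bot: The rename keeps `-in $DOMAIN.key.pem`, but `openssl x509` parses a certificate, not a private key, so the command fails when given the key file. Point it at `$DOMAIN.crt.pem`, which is the file that carries the subject, dates and fingerprint being printed.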
Line 21: | Line 32: |
{{{#!highlight sh openssl genrsa -out blah.key.pem |
{{{#!highlight sh numbers=off openssl genrsa -out $DOMAIN.key.pem |
Line 27: | Line 38: |
{{{#!highlight sh openssl x509 -in blah.crt.pem -noout -text |
{{{#!highlight sh numbers=off # For a certificate signing request openssl req -text -noout -in $DOMAIN.csr.pem # For a generated certificate openssl x509 -in $DOMAIN.crt.pem -noout -text |
Line 33: | Line 47: |
{{{#!highlight sh cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem |
{{{#!highlight sh numbers=off cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem |
Line 41: | Line 55: |
{{{#!highlight sh openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates" |
{{{#!highlight sh numbers=off openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates" |
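Review bot: `-out blah.p12` was missed by the substitution, so it is the one filename in this command that still has to be edited by hand after pasting; use `-out $DOMAIN.p12` to match the other two arguments.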
Line 49: | Line 63: |
{{{#!highlight sh openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem |
{{{#!highlight sh numbers=off openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem |
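Review bot: `openssl smine` is a typo carried over from the old line; the subcommand is `smime`, so the command fails as written. While touching this line, `-out msg.encrypted` is a misleading name for a `-sign` operation, which signs the message but does not encrypt it; something like `msg.signed` would be clearer.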
Line 59: | Line 73: |
{{{#!highlight sh | {{{#!highlight sh numbers=off |
Line 65: | Line 79: |
{{{#!highlight sh | {{{#!highlight sh numbers=off |
Line 73: | Line 87: |
{{{#!highlight sh openssl ca -revoke blah.crt.pem |
{{{#!highlight sh numbers=off openssl ca -revoke $DOMAIN.crt.pem |
Line 79: | Line 93: |
{{{#!highlight sh openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl |
{{{#!highlight sh numbers=off openssl ca -gencrl -out crl/$DOMAIN-CA.crl |
Line 85: | Line 99: |
{{{#!highlight sh openssl ca -out blah.crt.pem -in blah.req.pem |
{{{#!highlight sh numbers=off openssl ca -out blah.crt.pem -in $DOMAIN.req.pem |
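Review bot: Two leftovers on the new line: `-out blah.crt.pem` still uses the old placeholder, and `-in $DOMAIN.req.pem` no longer matches the request file, which the earlier hunk renamed to `$DOMAIN.csr.pem`. Suggest `openssl ca -out $DOMAIN.crt.pem -in $DOMAIN.csr.pem` so the output of the request step can be pasted straight into the signing step.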
Line 93: | Line 107: |
{{{#!highlight sh openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536 |
{{{#!highlight sh numbers=off openssl dhparam -out $DOMAIN-CA.dhp.pem 1536 |
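Review bot: The size argument is left at `1536`; 1536-bit Diffie-Hellman parameters are below the 2048-bit minimum that current guidance expects, so this edit is a good opportunity to change the argument to `2048`.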
Line 99: | Line 113: |
{{{#!highlight sh openssl req -new -x509 -key blah.key.pem -out blah.crt.pem |
{{{#!highlight sh numbers=off openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem |
Line 109: | Line 123: |
{{{#!highlight sh | {{{#!highlight sh numbers=off |
Line 115: | Line 129: |
{{{#!highlight sh | {{{#!highlight sh numbers=off |
Line 119: | Line 133: |
CategoryCheetSheet | CategoryCheatSheet |
End-user stuff
Poor man's benchmark
Quick way to compare processing power of CPUs.
openssl speed sha1
Create certificate request/unsigned key
# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem
$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.
Show key fingerprint
openssl x509 -subject -dates -fingerprint -in $DOMAIN.crt.pem
Generate key
openssl genrsa -out $DOMAIN.key.pem
Display certificate information
# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text
Creating a PEM file for servers
cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem
Used by courier-imap, etc.
Creating a PKCS12-format file
openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out $DOMAIN.p12 -name "Bill Gates"
Used for creating certificates used in e-mail clients and web browsers
Signing e-mails
openssl smime -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem
Certificate Authority stuff
When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.
Create CA certificate
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
Export CA certificate in DER format
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
Used by web browsers.
Revoke certificate
openssl ca -revoke $DOMAIN.crt.pem
Generate Certificate Revocation List (CRL)
openssl ca -gencrl -out crl/$DOMAIN-CA.crl
Sign Certificate Request
openssl ca -out $DOMAIN.crt.pem -in $DOMAIN.csr.pem
$DOMAIN.crt.pem acts as SSLCertificateFile for Apache.
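The CA steps above (setup files, CA certificate, signing, revocation, CRL) run end to end in a throwaway directory, as an added example that is not part of the original page. The `example.test` domain, the `demo-CA` file names and the minimal `ca.cnf` are constructed for illustration, standing in for the edited system `openssl.cnf` the page describes.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir. DOMAIN, demo-CA and ca.cnf are constructed.
ca_demo() (
    set -e
    DOMAIN=example.test
    dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT; cd "$dir"
    umask 077                       # keep private keys unreadable to other users
    mkdir private newcert crl
    : > index.txt                   # empty issued-certificate database
    echo 01 > serial                # first serial number to hand out
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcert
certificate = ./demo-CA.crt.pem
private_key = ./private/demo-CA.key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # -nodes only so the demo runs unattended; protect a real CA key with a passphrase
    openssl req -new -x509 -nodes -newkey rsa:2048 -config ca.cnf -subj "/CN=demo CA" \
        -keyout private/demo-CA.key.pem -out demo-CA.crt.pem -days 3650 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config ca.cnf -subj "/CN=$DOMAIN" \
        -keyout "$DOMAIN.key.pem" -out "$DOMAIN.csr.pem" 2>/dev/null
    openssl ca -batch -config ca.cnf -in "$DOMAIN.csr.pem" -out "$DOMAIN.crt.pem" 2>/dev/null
    openssl verify -CAfile demo-CA.crt.pem "$DOMAIN.crt.pem" >/dev/null && before=valid
    openssl ca -config ca.cnf -revoke "$DOMAIN.crt.pem" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out "crl/$DOMAIN-CA.crl" 2>/dev/null
    # Revocation only takes effect for verifiers that actually load the CRL
    if openssl verify -crl_check -CAfile demo-CA.crt.pem \
        -CRLfile "crl/$DOMAIN-CA.crl" "$DOMAIN.crt.pem" >/dev/null 2>&1
    then after=valid; else after=revoked; fi
    echo "before=$before after=$after"
)
ca_demo
```

Without `-crl_check` and the CRL file, `openssl verify` still accepts the revoked certificate, which is why the CRL has to be regenerated and distributed after every revocation.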
Create Diffie-Hellman Parameters for Current CA
openssl dhparam -out $DOMAIN-CA.dhp.pem 1536
Create self-signed certificate from generated key
openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem
Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)
Command-line tricks
Simple file encryption
openssl enc -bf -A -in file_to_encrypt.txt
Simple file decryption
openssl enc -bf -d -A -in file_to_encrypt.txt