|
Size: 2834
Comment:
|
Size: 3026
Comment: Remove line numbers
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 7: | Line 7: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 15: | Line 15: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 21: | Line 21: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 27: | Line 27: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 33: | Line 33: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 41: | Line 41: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 49: | Line 49: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 59: | Line 59: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 65: | Line 65: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 73: | Line 73: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 79: | Line 79: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 85: | Line 85: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 93: | Line 93: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 99: | Line 99: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 109: | Line 109: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 115: | Line 115: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
End-user stuff
Create certificate request/unsigned key
openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem
blah.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache
Show key fingerprint
openssl x509 -subject -dates -fingerprint -in blah.key.pem
Generate key
openssl genrsa -out blah.key.pem
Display certificate information
openssl x509 -in blah.crt.pem -noout -text
Creating a PEM file for servers
cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem
Used by courier-imap, etc.
Creating a PKCS12-format file
openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates"
Used for creating certificates used in e-mail clients and web browsers
Signing e-mails
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem
Certificate Authority stuff
When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.
Create CA certificate
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
Export CA certificate in DER format
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
Used by web browsers.
Revoke certificate
openssl ca -revoke blah.crt.pem
Generate Certificate Revocation List (CRL)
openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl
Sign Certificate Request
openssl ca -out blah.crt.pem -in blah.req.pem
blah.crt.pem acts as SSLCertificateFile for Apache
Create Diffie-Hoffman Parameters for Current CA
openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536
Create self-signed certificate from generated key
openssl req -new -x509 -key blah.key.pem -out blah.crt.pem
Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)
Command-line tricks
Simple file encryption
openssl enc -bf -A -in file_to_encrypt.txt
Simple file decryption
openssl enc -bf -d -A -in file_to_encrypt.txt
