|
Size: 2834
Comment:
|
Size: 4534
Comment: Creating certificate signing requests w/ SubjectAltName fields
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 5: | Line 5: |
| == Poor man's benchmark == Quick way to compare processing power of CPUs. {{{#!highlight sh numbers=off openssl speed sha1 }}} |
|
| Line 7: | Line 15: |
| {{{#!highlight sh openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem |
{{{#!highlight sh numbers=off # Create a key at the same time openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem # Use an existing key openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem |
| Line 11: | Line 22: |
| blah.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache | $DOMAIN.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache. == Create certificate request w/ SubjectAltName fields == SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line. Create a configuration file, $DOMAIN.conf: {{{#!highlight sh cat > $DOMAIN.conf << EOF [req] distinguished_name = req_distinguished_name req_extensions = req_ext [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = New York localityName = Locality Name (eg, city) localityName_default = New York City organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name commonName_default = $DOMAIN commonName_max = 64 [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = $DOMAIN DNS.2 = www.$DOMAIN EOF }}} Then use this configuration file to create a CSR: {{{#!highlight sh numbers=off openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf }}} |
| Line 15: | Line 67: |
| {{{#!highlight sh openssl x509 -subject -dates -fingerprint -in blah.key.pem |
{{{#!highlight sh numbers=off openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem |
| Line 21: | Line 73: |
| {{{#!highlight sh openssl genrsa -out blah.key.pem |
{{{#!highlight sh numbers=off openssl genrsa -out $DOMAIN.key.pem |
| Line 27: | Line 79: |
| {{{#!highlight sh openssl x509 -in blah.crt.pem -noout -text |
{{{#!highlight sh numbers=off # For a certificate signing request openssl req -text -noout -in $DOMAIN.csr.pem # For a generated certificate openssl x509 -in $DOMAIN.crt.pem -noout -text |
| Line 33: | Line 88: |
| {{{#!highlight sh cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem |
{{{#!highlight sh numbers=off cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem |
| Line 41: | Line 96: |
| {{{#!highlight sh openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates" |
{{{#!highlight sh numbers=off openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates" |
| Line 49: | Line 104: |
| {{{#!highlight sh openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem |
{{{#!highlight sh numbers=off openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem |
| Line 59: | Line 114: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 65: | Line 120: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 73: | Line 128: |
| {{{#!highlight sh openssl ca -revoke blah.crt.pem |
{{{#!highlight sh numbers=off openssl ca -revoke $DOMAIN.crt.pem |
| Line 79: | Line 134: |
| {{{#!highlight sh openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl |
{{{#!highlight sh numbers=off openssl ca -gencrl -out crl/$DOMAIN-CA.crl |
| Line 85: | Line 140: |
| {{{#!highlight sh openssl ca -out blah.crt.pem -in blah.req.pem |
{{{#!highlight sh numbers=off openssl ca -out blah.crt.pem -in $DOMAIN.req.pem |
| Line 93: | Line 148: |
| {{{#!highlight sh openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536 |
{{{#!highlight sh numbers=off openssl dhparam -out $DOMAIN-CA.dhp.pem 1536 |
| Line 99: | Line 154: |
| {{{#!highlight sh openssl req -new -x509 -key blah.key.pem -out blah.crt.pem |
{{{#!highlight sh numbers=off openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem |
| Line 109: | Line 164: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
| Line 115: | Line 170: |
| {{{#!highlight sh | {{{#!highlight sh numbers=off |
End-user stuff
Poor man's benchmark
Quick way to compare processing power of CPUs.
openssl speed sha1
Create certificate request/unsigned key
# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem
$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.
Create certificate request w/ SubjectAltName fields
SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.
Create a configuration file, $DOMAIN.conf:
1 cat > $DOMAIN.conf << EOF
2
3 [req]
4 distinguished_name = req_distinguished_name
5 req_extensions = req_ext
6
7 [req_distinguished_name]
8 countryName = Country Name (2 letter code)
9 countryName_default = US
10 stateOrProvinceName = State or Province Name (full name)
11 stateOrProvinceName_default = New York
12 localityName = Locality Name (eg, city)
13 localityName_default = New York City
14 organizationalUnitName = Organizational Unit Name (eg, section)
15 commonName = Common Name
16 commonName_default = $DOMAIN
17 commonName_max = 64
18
19 [req_ext]
20 subjectAltName = @alt_names
21
22 [alt_names]
23 DNS.1 = $DOMAIN
24 DNS.2 = www.$DOMAIN
25
26 EOF
Then use this configuration file to create a CSR:
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf
Show key fingerprint
openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem
Generate key
openssl genrsa -out $DOMAIN.key.pem
Display certificate information
# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text
Creating a PEM file for servers
cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem
Used by courier-imap, etc.
Creating a PKCS12-format file
openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"
Used for creating certificates used in e-mail clients and web browsers
Signing e-mails
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem
Certificate Authority stuff
When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.
Create CA certificate
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
Export CA certificate in DER format
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
Used by web browsers.
Revoke certificate
openssl ca -revoke $DOMAIN.crt.pem
Generate Certificate Revocation List (CRL)
openssl ca -gencrl -out crl/$DOMAIN-CA.crl
Sign Certificate Request
openssl ca -out blah.crt.pem -in $DOMAIN.req.pem
blah.crt.pem acts as SSLCertificateFile for Apache
Create Diffie-Hoffman Parameters for Current CA
openssl dhparam -out $DOMAIN-CA.dhp.pem 1536
Create self-signed certificate from generated key
openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem
Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)
Command-line tricks
Simple file encryption
openssl enc -bf -A -in file_to_encrypt.txt
Simple file decryption
openssl enc -bf -d -A -in file_to_encrypt.txt
