Differences between revisions 4 and 6 (spanning 2 versions)
Revision 4 as of 2011-04-13 06:45:58
Size: 3164
Editor: SamatJain
Comment: Poor man's benchmark
Revision 6 as of 2013-05-04 08:03:42
Size: 4534
Editor: SamatJain
Comment: Creating certificate signing requests w/ SubjectAltName fields
Deletions are marked like this. Additions are marked like this.
Line 16: Line 16:
openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem # Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem
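Review bot: `-keyout` without `-newkey` sizes the new key from `default_bits` in openssl.cnf (1024 in the stock config of that era) and `-nodes` writes it to disk unencrypted; since this file becomes Apache's `SSLCertificateKeyFile`, suggest `-newkey rsa:2048` on the first command and a `chmod 600 $DOMAIN.key.pem` after it.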
Line 19: Line 22:
blah.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache $DOMAIN.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache.

== Create certificate request w/ SubjectAltName fields ==

SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.

Create a configuration file, $DOMAIN.conf:

{{{#!highlight sh
cat > $DOMAIN.conf << EOF

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York City
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
commonName_default = $DOMAIN
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = www.$DOMAIN

EOF
}}}

Then use this configuration file to create a CSR:

{{{#!highlight sh numbers=off
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf
}}}
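Review bot: the `[req_ext]` section puts the SAN into the request only; when this CSR is later signed with `openssl ca` (the "Sign Certificate Request" hunk below) the extension is silently dropped unless the CA's openssl.cnf sets `copy_extensions = copy` in its `[CA_default]` section or the `ca` command is given `-extfile`/`-extensions`, and the issued certificate then covers only the CN. Worth one sentence after the CSR command.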
Line 24: Line 68:
openssl x509 -subject -dates -fingerprint -in blah.key.pem openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem
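Review bot: `openssl x509` parses certificates, so `-in $DOMAIN.key.pem` fails with "unable to load certificate" on both sides of this hunk; `-subject -dates -fingerprint` only make sense against `$DOMAIN.crt.pem`, and `-noout` keeps the PEM body out of the output. The heading should read certificate fingerprint.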
Line 30: Line 74:
openssl genrsa -out blah.key.pem openssl genrsa -out $DOMAIN.key.pem
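Review bot: `genrsa` with no size argument falls back to the build's default (older releases used 512 or 1024 bits); since the CA paragraph later lists key sizes anyway, spell out `2048` here.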
Line 36: Line 80:
openssl x509 -in blah.crt.pem -noout -text # For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text
Line 42: Line 89:
cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem
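Review bot: the concatenated `$DOMAIN.pem` contains the private key but is created under the default umask, typically world-readable; `(umask 077; cat ... > $DOMAIN.pem)` or a `chmod 600 $DOMAIN.pem` afterwards keeps it as protected as the key file itself.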
Line 50: Line 97:
openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates" openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"
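Review bot: `-out blah.p12` was missed in the rename; `$DOMAIN.p12` for consistency with the other hunks.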
Line 58: Line 105:
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem
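Review bot: `smine` is a typo for `smime` on both sides of the hunk, so the command is rejected as an invalid command. Also, `-sign` produces a signed message, not an encrypted one, so `msg.encrypted` is a misleading output name (`msg.signed`).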
Line 82: Line 129:
openssl ca -revoke blah.crt.pem openssl ca -revoke $DOMAIN.crt.pem
Line 88: Line 135:
openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl openssl ca -gencrl -out crl/$DOMAIN-CA.crl
Line 94: Line 141:
openssl ca -out blah.crt.pem -in blah.req.pem openssl ca -out blah.crt.pem -in $DOMAIN.req.pem
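Review bot: two rename leftovers: the first hunk now writes the request as `$DOMAIN.csr.pem`, so `-in $DOMAIN.req.pem` points at a file that no longer exists, and `-out blah.crt.pem` should be `$DOMAIN.crt.pem` to match the `SSLCertificateFile` sentence and every other hunk.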
Line 102: Line 149:
openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536 openssl dhparam -out $DOMAIN-CA.dhp.pem 1536
Line 108: Line 155:
openssl req -new -x509 -key blah.key.pem -out blah.crt.pem openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem

End-user stuff

Poor man's benchmark

Quick way to compare processing power of CPUs.

openssl speed sha1

Create certificate request/unsigned key

# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem

$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.

Create certificate request w/ SubjectAltName fields

SubjectAltName fields let a certificate apply to more than one domain. Unfortunately, OpenSSL does not make it easy to create these from the command line alone; the names have to come from a configuration file.

Create a configuration file, $DOMAIN.conf:

cat > $DOMAIN.conf << EOF

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York City
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
commonName_default = $DOMAIN
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = www.$DOMAIN

EOF

Then use this configuration file to create a CSR:

openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf
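The same SAN request, generalised to any number of extra names and followed by a check that the extension really is in the CSR. This is an added example, not part of the original cheat sheet: it uses `prompt = no` with the DN given directly instead of the prompted `_default` fields above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): build the SAN request
# config for a domain plus any number of extra names, create the CSR and
# verify the extension landed in it. Function names are my own.
set -e

# write_san_conf DOMAIN [EXTRA_NAME ...] -> writes DOMAIN.conf, prints its path
write_san_conf() {
    domain=$1; shift
    conf="$domain.conf"
    {
        # prompt = no: take the DN from the file instead of asking
        printf '[req]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = req_ext\nprompt = no\n\n'
        printf '[req_distinguished_name]\nC = US\nST = New York\n'
        printf 'L = New York City\nCN = %s\n\n' "$domain"
        printf '[req_ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        # the CN must be listed as a SAN too: clients ignore CN once SANs exist
        for name in "$domain" "www.$domain" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$conf"
    echo "$conf"
}

# count_san_entries CONF -> number of DNS.n lines under [alt_names]
count_san_entries() {
    grep -c '^DNS\.[0-9]* = ' "$1"
}

# make_san_csr DOMAIN [EXTRA_NAME ...] -> key, CSR, then a SAN sanity check
make_san_csr() {
    domain=$1
    conf=$(write_san_conf "$@")
    (umask 077 && openssl genrsa -out "$domain.key.pem" 2048)
    openssl req -new -key "$domain.key.pem" -out "$domain.csr.pem" -config "$conf"
    # fail here rather than after signing if the extension is missing
    openssl req -noout -text -in "$domain.csr.pem" | grep -q "DNS:www\.$domain" \
        || { echo "no SAN in $domain.csr.pem" >&2; return 1; }
}
```

Call `make_san_csr example.test mail.example.test` to get a CSR listing `example.test`, `www.example.test` and `mail.example.test`.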

Show certificate fingerprint

# x509 reads a certificate, not a key file; -noout suppresses the PEM body
openssl x509 -noout -subject -dates -fingerprint -in $DOMAIN.crt.pem

Generate key

# Give the size explicitly; older OpenSSL releases default to 512 or 1024 bits
openssl genrsa -out $DOMAIN.key.pem 2048

Display certificate information

# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text

Creating a PEM file for servers

cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem

Used by courier-imap, etc.

Creating a PKCS12-format file

openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out $DOMAIN.p12 -name "Bill Gates"

Used to bundle a certificate and its private key for import into e-mail clients and web browsers.

Signing e-mails

openssl smime -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem

Certificate Authority stuff

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create the directories private and newcert. Edit openssl.cnf: change default_days, certificate and private_key, and possibly the key size (1024, 1280, 1536, 2048), to whatever is desired.

Create CA certificate

openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
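The CA setup steps above as a script: it lays out the bookkeeping files, checks the layout, and then mints the CA certificate with the same `-days 3650` command. This is an added example, not the cheat sheet's own code; the `crl/` directory and the `crlnumber` file are additions that the default openssl.cnf expects for `-gencrl`, the 4096-bit size is my choice, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): lay out the CA
# directory the paragraph above describes (index.txt, serial = 01, private,
# newcerts) and mint the CA certificate. crl/ and crlnumber are additions
# the default openssl.cnf expects for -gencrl; function names are my own.
set -e

# init_ca_dir DIR -> the bookkeeping files and directories openssl ca uses
init_ca_dir() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/crl"
    # the CA key lives in private/: only the CA operator may enter it
    mkdir -p "$dir/private" && chmod 700 "$dir/private"
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"     # empty issued-cert database
    [ -f "$dir/serial" ] || echo 01 > "$dir/serial"      # next serial number
    [ -f "$dir/crlnumber" ] || echo 01 > "$dir/crlnumber"
}

# ca_dir_ok DIR -> 0 when the layout is complete and serial starts at 01
ca_dir_ok() {
    dir=$1
    [ -d "$dir/private" ] && [ -d "$dir/newcerts" ] && [ -d "$dir/crl" ] \
        && [ -f "$dir/index.txt" ] && [ ! -s "$dir/index.txt" ] \
        && [ "$(cat "$dir/serial")" = "01" ]
}

# make_ca_cert DIR NAME -> 10-year self-signed CA cert, key under private/
# (no -nodes: openssl asks for a passphrase, which a CA key should have)
make_ca_cert() {
    dir=$1; name=$2
    init_ca_dir "$dir"
    (umask 077 && openssl req -new -x509 -newkey rsa:4096 \
        -keyout "$dir/private/$name-CA.key.pem" \
        -out "$dir/$name-CA.crt.pem" -days 3650 -subj "/CN=$name CA")
    # confirm what was minted really is a CA certificate
    openssl x509 -noout -text -in "$dir/$name-CA.crt.pem" | grep -q 'CA:TRUE'
}
```

Running `init_ca_dir` a second time leaves an existing serial and index.txt untouched, so it is safe to re-run on a CA that has already issued certificates.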

Export CA certificate in DER format

openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt

Used by web browsers.

Revoke certificate

openssl ca -revoke $DOMAIN.crt.pem

Generate Certificate Revocation List (CRL)

openssl ca -gencrl -out crl/$DOMAIN-CA.crl

Sign Certificate Request

openssl ca -out $DOMAIN.crt.pem -in $DOMAIN.csr.pem

$DOMAIN.crt.pem acts as SSLCertificateFile for Apache

Create Diffie-Hellman Parameters for Current CA

openssl dhparam -out $DOMAIN-CA.dhp.pem 1536

Create self-signed certificate from generated key

openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

Command-line tricks

Simple file encryption

# -a -A: base64 output on a single line (-A does nothing without -a)
# -bf is Blowfish, a 64-bit block cipher; -aes-256-cbc is the better choice for anything new
openssl enc -bf -a -A -in file_to_encrypt.txt -out file_to_encrypt.txt.bf

Simple file decryption

openssl enc -bf -d -a -A -in file_to_encrypt.txt.bf


CategoryCheatSheet

SamatsWiki: CheatSheet/OpenSSL (last edited 2020-05-04 22:20:10 by SamatJain)