OpenSSL Reference

Creating, Requesting, Signing Certificates

Generate CA root certificate and key in PEM format:

    openssl req -new -newkey rsa:2048 -days 3650 \
        -config ca.cnf -extensions v3_ca \
        -subj '/C=CH/ST=ZH/L=Uster/O=Example Com/OU=Tech/CN=Example Root CA/' \
        -nodes -x509 -sha256 -set_serial 0 \
        -keyout ca.key -out ca.cert
    cat ca.key ca.cert > ca.pem

With ca.cnf containing:

    [ req ]
    distinguished_name = reqdn
    [ reqdn ]
    [ v3_ca ]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always

Generate self-signed server certificate and key in PEM format:

    openssl req -new -newkey rsa:2048 -days 365 \
        -subj '/C=CH/ST=ZH/L=Uster/O=Example Com/OU=Tech/CN=www.example.com/' \
        -nodes -x509 -sha256 -keyout www.example.com.key \
        -out www.example.com.cert
    cat www.example.com.cert www.example.com.key > www.example.com.pem

Create certificate signing request (CSR):

    openssl genrsa -out www.example.com.key 2048
    openssl req -new -sha256 \
        -subj '/C=CH/ST=ZH/L=Uster/O=ExampleCom/OU=Tech/CN=www.example.com/' \
        -key www.example.com.key -out www.example.com.csr

Sign CSR using CA:

    openssl x509 -req -sha256 -CAcreateserial -in www.example.com.csr \
        -days 365 -CA ca.cert -CAkey ca.key -out www.example.com.cert
    cat www.example.com.cert www.example.com.key > www.example.com.pem

View Certificate:

    openssl x509 -in www.example.com.cert -text
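
Added example, not part of the original reference: the CA, CSR and signing steps above run end to end in a scratch directory, followed by checks the commands above do not perform (chain verification with openssl verify, key/certificate match, and a weak-parameter check for RSA certificates). The function names, the shared DN variable and passing ca.cnf to the CSR step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the CA -> CSR -> signed
# certificate chain in a scratch directory, then check the result.
DN='/C=CH/ST=ZH/L=Uster/O=Example Com/OU=Tech'

# make_chain DIR: run the CA, CSR and signing steps inside DIR.
# -config is also passed to the CSR step (an assumption of this example) so
# the run does not depend on a system-wide openssl.cnf.
make_chain() {
    (
        cd "$1" || exit 1
        printf '%s\n' '[ req ]' 'distinguished_name = reqdn' '[ reqdn ]' \
            '[ v3_ca ]' 'basicConstraints = CA:TRUE' \
            'subjectKeyIdentifier = hash' \
            'authorityKeyIdentifier = keyid:always,issuer:always' > ca.cnf
        openssl req -new -newkey rsa:2048 -days 3650 -config ca.cnf \
            -extensions v3_ca -subj "$DN/CN=Example Root CA" \
            -nodes -x509 -sha256 -keyout ca.key -out ca.cert &&
        openssl genrsa -out www.example.com.key 2048 &&
        openssl req -new -sha256 -config ca.cnf -subj "$DN/CN=www.example.com" \
            -key www.example.com.key -out www.example.com.csr &&
        openssl x509 -req -sha256 -CAcreateserial -in www.example.com.csr \
            -days 365 -CA ca.cert -CAkey ca.key -out www.example.com.cert
    ) >/dev/null 2>&1
}

# chain_ok CAFILE CERT: succeeds only if CERT verifies against CAFILE.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert CERT KEY: succeeds only if KEY is the private half of the
# public key embedded in CERT (catches mixed-up .key/.cert pairs).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# weak_params CERT: succeeds (and prints why) if an RSA certificate has a key
# under 2048 bits or a SHA-1/MD5 signature; fails if neither applies.
weak_params() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    weak=1
    if [ "${bits:-0}" -lt 2048 ]; then echo "key is ${bits:-?} bits"; weak=0; fi
    if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: (sha1|md5)'; then
        echo "weak signature hash"; weak=0
    fi
    return "$weak"
}
```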

PKCS#12

Convert PEM to PKCS#12:

    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12

Convert PKCS#12 to PEM:

    openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

View PKCS#12:

    openssl pkcs12 -info -nodes -in cred.p12

CRL

View CRL:

    openssl crl -text -CAfile ca.cert -in crl.pem
    openssl crl -text -in microsoft.crl -inform DER