OpenSSL commands
$ openssl version -a
to view the OpenSSL version installed on your system.
Generating Private Keys
Generating RSA keys
The openssl genrsa command generates an RSA private key.
$ openssl genrsa -aes256 -out thomas-pk.key 2048
generates a 2048-bit RSA key pair (the private key file also carries the public key), password protected with AES-256 encryption.
$ openssl rsa -text -in thomas-pk.key
to view the contents of the key.
$ openssl rsa -in thomas-pk.key -pubout -out thomas-pk.pub
to extract the public key into the file thomas-pk.pub
Generating DSA keys
$ openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128
to combine the two processes for generating a DSA key, without leaving any temporary keys on disk.
Creating Certificate Signing Requests
The openssl req command creates and processes certificate requests in PKCS#10 format. It can also create self-signed certificates, e.g. for root CAs. With this command, the private key file must be specified with the -key option, because the new CSR is signed with the private key before it can be used.
Prompted interactive method
$ openssl req -new -key thomas-pk.key -out thomas-pk.csr
to create the certificate signing request file thomas-pk.csr, filling in the fields from interactive prompts.
-new : Generate a new certificate request, prompting the user for the relevant field values.
-key : Specifies the private key file.
$ openssl req -text -in thomas-pk.csr -noout
to view the contents of the CSR request.
Using a Configuration file
The file provided below is named thomas-pk.conf
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = www.thomas-pk.com
O = Big Tom Pte Ltd
L = Singapore
C = SG
emailAddress = bigtompk-gen@yahoo.com

[ext]
subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com
$ openssl req -new -key thomas-pk.key -config thomas-pk.conf -out thomas-pk.csr
will generate the thomas-pk.csr file using the private key thomas-pk.key and the configuration file thomas-pk.conf shown above.
Note that the configuration file can also be written with the long field names, as given below, for more clarity.
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
commonName = www.thomas-pk.com
organizationName = Big Tom Pte Ltd
localityName = Singapore
countryName = SG
emailAddress = bigtompk-gen@yahoo.com

[ext]
subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com
Self-Signing your own certificates
You can create your own certificates without going through a CA. The cryptographic protection of the connection is the same as with a publicly trusted certificate, but clients will only trust a self-signed certificate if it has been explicitly added to their trust store.
You can create these certificates in the following ways:
Through a CSR
Directly from a private key.
Through a CSR
$ openssl x509 -req -days 365 -in thomas-pk.csr -signkey thomas-pk.key -out thomas-pk.crt
Directly from a private key
$ openssl req -new -x509 -days 365 -key thomas-pk.key -out thomas-pk.crt
which creates a certificate, prompting for the subject fields.
OR
$ openssl req -new -x509 -days 365 -key thomas-pk.key -out thomas-pk.crt -subj "/C=SG/L=Singapore/O=Big Tom Pte Ltd/CN=www.thomas-pk.com"
to provide the subject information on the command line (the option is -subj).
Specifying a SAN List
subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com
Create a file thomas-pk.ext containing the line shown above (the SAN list of alternate hostnames) and pass it with -extfile, since openssl x509 -req does not copy the extensions from the CSR by itself:
$ openssl x509 -req -days 365 -in thomas-pk.csr -signkey thomas-pk.key -out thomas-pk.crt -extfile thomas-pk.ext
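The whole flow above (key, CSR from a config with a SAN list, self-signed certificate carrying that SAN) as an added example, not part of the original notes, with the checks a practitioner should run afterwards: that the certificate's public key matches the private key, and that a TLS client would accept the certificate for the intended hostnames. The key is left unencrypted (no -aes256) so the script runs without prompts; the -extensions ext switch reuses the config's own [ext] section instead of a separate thomas-pk.ext file.

```shell
#!/bin/sh
# Added example (not from the original notes). Builds the thomas-pk.* files
# in a scratch directory and checks the result instead of trusting it.
set -eu

# Key, CSR (SAN list from the config) and self-signed cert in directory $1.
make_selfsigned() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/thomas-pk.conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = www.thomas-pk.com
O = Big Tom Pte Ltd
L = Singapore
C = SG

[ext]
subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com
EOF
  openssl genrsa -out "$dir/thomas-pk.key" 2048 2>/dev/null
  openssl req -new -key "$dir/thomas-pk.key" -config "$dir/thomas-pk.conf" \
    -out "$dir/thomas-pk.csr"
  # x509 -req drops the CSR's extensions unless told where to find them,
  # so the SAN list is supplied again via -extfile/-extensions.
  openssl x509 -req -days 365 -in "$dir/thomas-pk.csr" \
    -signkey "$dir/thomas-pk.key" -extfile "$dir/thomas-pk.conf" \
    -extensions ext -out "$dir/thomas-pk.crt" 2>/dev/null
}

# Prints yes if the cert's public key is the one derived from the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$1/thomas-pk.key" -pubout)
  c=$(openssl x509 -in "$1/thomas-pk.crt" -pubkey -noout)
  if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# Prints ok if a client trusting this cert as its anchor would accept it
# for hostname $2 (SAN match), fail otherwise.
check_hostname() {
  if openssl verify -CAfile "$1/thomas-pk.crt" -verify_hostname "$2" \
       "$1/thomas-pk.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
```

A hostname not in the SAN list (for example mail.thomas-pk.com) fails the last check even though the certificate itself verifies, which is exactly the mismatch browsers report when the SAN is forgotten.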
Examining the Certificate
$ openssl x509 -in thomas-pk.crt -text -noout
to display the contents of a certificate.