OpenSSL commands

  • $ openssl version -a to view the OpenSSL version installed on your system; -a also prints the build flags and OPENSSLDIR, the directory whose openssl.cnf is used as the default configuration by the commands below.

Generating Private Keys

Generating RSA keys

  • The openssl genrsa command generates an RSA private key.

  • $ openssl genrsa -aes256 -out thomas-pk.key 2048 generates a 2048-bit RSA private key and writes it encrypted with AES-256 under a passphrase that you are prompted for. The public key is part of the same key object and is extracted from it below; no separate public key file exists until you create one. Add -passout pass:... (or -passout file:...) to supply the passphrase non-interactively in scripts.

  • $ openssl rsa -text -in thomas-pk.key to view the components of the key (modulus, exponents, primes); you will be prompted for the passphrase, and -noout suppresses re-printing the PEM block.

  • $ openssl rsa -in thomas-pk.key -pubout -out thomas-pk.pub to extract the public key into the file thomas-pk.pub. Only this file is ever shared; thomas-pk.key stays private.

Generating DSA keys

  • $ openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128 combines the two steps of DSA key generation (creating the DSA parameters, then the key) without leaving an unencrypted key on disk: the output is piped straight into openssl dsa, which writes dsa.key encrypted with AES-128. DSA is legacy and TLS 1.3 does not support it, so use it only where something specifically requires it.

Creating Certificate Signing Requests

  • The openssl req command creates and processes certificate requests in PKCS#10 format. It can also create self-signed certificates, e.g. for root CAs.

  • The private key must be given with the -key option because the CSR is signed with it: the request carries the public key, and the signature proves to the CA that you hold the matching private key. The CSR is not encrypted; anyone can read it.

Prompted interactive method

  • $ openssl req -new -key thomas-pk.key -out thomas-pk.csr to create a prompted certificate signing request file thomas-pk.csr.

    • -new: Generate a new certificate request, prompting the user for the relevant field values.

    • -key: Specifies the private key file.

  • $ openssl req -text -in thomas-pk.csr -noout to view the contents of the CSR (-noout suppresses the PEM block); add -verify to check the request's own signature.

Using a Configuration file

The file provided below is named thomas-pk.conf. prompt = no tells openssl req to take the subject fields from the [dn] section instead of asking for them, and req_extensions points at the section whose extensions (here the SAN list) are included in the request:

[req]
prompt              = no
distinguished_name  = dn
req_extensions      = ext

[dn]
CN                  = www.thomas-pk.com
O                   = Big Tom Pte Ltd
L                   = Singapore
C                   = SG
emailAddress        = bigtompk-gen@yahoo.com

[ext]
subjectAltName      = DNS:www.thomas-pk.com,DNS:thomas-pk.com

  • $ openssl req -new -key thomas-pk.key -config thomas-pk.conf -out thomas-pk.csr will generate the thomas-pk.csr file using the private key thomas-pk.key and the configuration file thomas-pk.conf shown above.

  • The same configuration can also be written with the long attribute names, which some find clearer; both forms produce an identical CSR.

[req]
prompt              = no
distinguished_name  = dn
req_extensions      = ext

[dn]
commonName          = www.thomas-pk.com
organizationName    = Big Tom Pte Ltd
localityName        = Singapore
countryName         = SG
emailAddress        = bigtompk-gen@yahoo.com

[ext]
subjectAltName      = DNS:www.thomas-pk.com,DNS:thomas-pk.com

Self-Signing your own certificates

  • You can create your own certificates without going through a CA. Cryptographically the resulting TLS connection is just as strong as one using a publicly trusted certificate, but clients have no reason to trust it: browsers will warn, and unless the client is explicitly configured to trust (or pin) this exact certificate, an attacker can substitute a self-signed certificate of their own. Self-signed certificates are therefore for testing and for internal systems where you control the trust store.

  • You can create these certificates in the following ways:

    • Through a CSR

    • Directly from a private key.

Through a CSR

  • $ openssl x509 -req -days 365 -in thomas-pk.csr -signkey thomas-pk.key -out thomas-pk.crt signs the request with its own private key, so issuer and subject are identical. (In OpenSSL 3.x -signkey is a deprecated alias for -key; both still work.)

Directly from a private key

  • $ openssl req -new -x509 -days 365 -key thomas-pk.key -out thomas-pk.crt which creates a certificate with prompts for inputs.

  • Or $ openssl req -new -x509 -days 365 -key thomas-pk.key -out thomas-pk.crt -subj "/C=SG/L=Singapore/O=Big Tom Pte Ltd/CN=www.thomas-pk.com" to provide the subject information on the command line instead of being prompted.

Specifying a SAN List

subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com

A file thomas-pk.ext containing the line above (the SAN list of every hostname the certificate must cover) is passed with -extfile at signing time:

  • $ openssl x509 -req -days 365 -in thomas-pk.csr -signkey thomas-pk.key -out thomas-pk.crt -extfile thomas-pk.ext

  • This step is needed even when the CSR already requests a SAN: openssl x509 -req ignores the extensions in the request unless told to copy them (OpenSSL 3.x: -copy_extensions copy). Modern browsers match the hostname against the SAN only and ignore the CN, so a certificate without a SAN will be rejected for the site.
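The signing step with the SAN edge case worked through, as an added example that is not part of the original page: it creates a key and a CSR that already requests the SAN (using -addext, available since OpenSSL 1.1.1), signs it once without -extfile and once with it, and then runs the checks worth doing on any new certificate: SAN present, certificate public key matches the private key, the certificate verifies against itself as trust anchor, and it is not about to expire. The openssl CLI (1.1.1 or 3.x) and the system's default openssl.cnf are assumed to be present; file names and hostnames follow the page.

```sh
#!/bin/sh
# Added example, not from the original page: self-sign a CSR with openssl x509 -req,
# showing that the SAN requested in the CSR is dropped unless re-supplied via -extfile,
# then the checks worth running on any freshly issued certificate.
# Assumes the openssl CLI (1.1.1 or 3.x) on PATH; file names and hostnames are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to run" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key, CSR and the SAN ext file. -addext (OpenSSL >= 1.1.1) puts the SAN request into the CSR
# without a config file; the same SAN goes into thomas-pk.ext for the signing step.
setup() {
    openssl genrsa -out "$WORK/thomas-pk.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/thomas-pk.key" \
        -subj "/C=SG/L=Singapore/O=Big Tom Pte Ltd/CN=www.thomas-pk.com" \
        -addext "subjectAltName=DNS:www.thomas-pk.com,DNS:thomas-pk.com" \
        -out "$WORK/thomas-pk.csr"
    printf 'subjectAltName = DNS:www.thomas-pk.com,DNS:thomas-pk.com\n' > "$WORK/thomas-pk.ext"
}

# Self-sign WITHOUT -extfile: x509 -req does not copy the CSR's requested extensions.
sign_without_ext() {
    openssl x509 -req -days 365 -in "$WORK/thomas-pk.csr" \
        -signkey "$WORK/thomas-pk.key" -out "$WORK/no-san.crt" 2>/dev/null
}

# Self-sign WITH -extfile: the SAN from thomas-pk.ext ends up in the certificate.
sign_with_ext() {
    openssl x509 -req -days 365 -in "$WORK/thomas-pk.csr" \
        -signkey "$WORK/thomas-pk.key" -extfile "$WORK/thomas-pk.ext" \
        -out "$WORK/thomas-pk.crt" 2>/dev/null
}

# Does certificate $1 carry a SAN entry for hostname $2?
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Does the certificate's public key belong to our private key? Compare SHA-256 of the DER SPKI.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$WORK/thomas-pk.key" -pubout -outform DER | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$WORK/thomas-pk.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$cert_fp" ]
}

# A self-signed certificate only verifies when it is itself the trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$WORK/thomas-pk.crt" "$WORK/thomas-pk.crt" >/dev/null 2>&1
}

# Fails (exit 1) if the certificate expires within $1 seconds.
not_expiring_within() {
    openssl x509 -in "$WORK/thomas-pk.crt" -noout -checkend "$1" >/dev/null
}

setup
sign_without_ext
sign_with_ext
cert_has_san "$WORK/no-san.crt" thomas-pk.com || echo "no-san.crt: no SAN (CSR extensions were dropped)"
cert_has_san "$WORK/thomas-pk.crt" thomas-pk.com && echo "thomas-pk.crt: SAN present"
key_matches_cert && echo "private key matches certificate"
verify_self_signed && echo "verify against itself: OK"
not_expiring_within 86400 && echo "not expiring within 24h"
```

The key/certificate comparison hashes the DER-encoded SubjectPublicKeyInfo from both files; comparing the RSA modulus would work too, but the SPKI form is the same for every key type. The verify call with the certificate as its own -CAfile is exactly what a client that pins this certificate does; against the system trust store the same certificate fails, which is the point made in the self-signing section.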

Examining the Certificate

  • $ openssl x509 -in thomas-pk.crt -text -noout to display the contents of a certificate. For a self-signed certificate the Issuer and Subject fields are identical; the X509v3 Subject Alternative Name block shows whether the SAN list made it in.