openssl(1)
- Private Key
Create: openssl genrsa -out 'keyfile' 1024 (the last argument is the key size in bits)
Output: openssl rsa -in 'keyfile' -text
- Certificate Signing Request
Create: openssl req -new -key 'keyfile' -out 'csrfile'; when prompted for the subject, at least the CN must be set to the full hostname
Output: openssl req -in 'csrfile' -text
- Certificate
- Create
Signed with a CA key: openssl x509 -req -days 730 -CAserial 'ca-serialfile' -CA 'ca-certfile' -CAkey 'ca-keyfile' -in 'csrfile' -out 'certfile'
Self-signed: openssl x509 -req -days 730 -in 'csrfile' -signkey 'keyfile' -out 'certfile'
Output: openssl x509 -in 'certfile' -text
- Certificate Authority
Create (FreeBSD specific):
vared PATH: /usr/local/bin must come before /usr/bin, because FreeBSD has two openssl binaries (vared is a zsh command for editing a variable)
mv /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf
/usr/local/openssl/misc/CA.sh -newca
demoCA/cacert.pem is the CA's public key aka certificate, demoCA/private/cakey.pem is the CA's private key, demoCA/serial holds the serial number
- Converting
To Netscape format (e.g. IIS): openssl rsa -in 'keyfile' -out 'keyfile.net' -outform NET
To PKCS12 (bundling certificate and private key): openssl pkcs12 -export -inkey 'keyfile' -in 'certfile' -out 'pkcs12-file.p12'
- Do a private key and a public key match?
openssl x509 -in 'certfile' -text
openssl rsa -in 'keyfile' -text
Compare the Modulus sections of both outputs. They must match.
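The same check, automated: instead of eyeballing the Modulus section, hash the modulus that openssl prints for the key and for the certificate and compare the two hashes. This is an added example, not part of the original page; the function names (modulus_hash, keys_match, make_test_material, demo) are mine, the test material is generated on the fly with a constructed CN, and it uses 2048-bit keys rather than the 1024 shown above.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate?
set -u

# Print a hash of the RSA modulus stored in a key ("rsa") or a
# certificate ("x509"). -modulus prints "Modulus=<hex>" for both,
# the same section the page says to compare by hand.
modulus_hash() {
  kind=$1
  file=$2
  openssl "$kind" -noout -modulus -in "$file" | openssl sha256
}

# Return 0 when key and cert share a modulus, 1 when they differ,
# 2 when either file could not be read.
keys_match() {
  keyfile=$1
  certfile=$2
  k=$(modulus_hash rsa "$keyfile") || return 2
  c=$(modulus_hash x509 "$certfile") || return 2
  [ "$k" = "$c" ]
}

# Create key, CSR and self-signed cert in $dir. -subj replaces the
# interactive prompt so the CN is set without questions.
make_test_material() {
  dir=$1
  cn=$2
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/key.pem" -out "$dir/req.csr" \
    -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/req.csr" \
    -signkey "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Demo: the matching pair passes, an unrelated key is rejected.
demo() {
  d=$(mktemp -d)
  make_test_material "$d" www.example.com
  keys_match "$d/key.pem" "$d/cert.pem" && echo "key.pem matches cert.pem"
  openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
  keys_match "$d/other.pem" "$d/cert.pem" || echo "other.pem does NOT match cert.pem"
  rm -rf "$d"
}

demo
```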
Glossary: key = private key, csr = certificate signing request, cert = signed certificate (contains the public key)
Testing
Connect to a TLS-protected server (e.g. a mail server):
With STARTTLS: openssl s_client -starttls smtp -connect mail.example.com:25
Without STARTTLS: openssl s_client -connect mail.example.com:465
Checking the certificate's validity against a set of trusted roots: openssl s_client -CApath /path/to/root_certs/ ...
