
OpenSSL

Generate RSA key and simple certificate request

openssl genpkey                       \
        -algorithm RSA                \
        -pkeyopt rsa_keygen_bits:2048 \
        -out www.usr-local.org.key    \
&& openssl req                           \
           -new                          \
           -key www.usr-local.org.key    \
           -outform PEM                  \
           -subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org" \
           -out www.usr-local.org.csr             

Generate certificate request with Subject Alternate Names

See issue #3311 of openssl on GitHub about adding SAN1) entries; a Stack Exchange answer linked from that issue collects a lot of further suggestions.

The following approaches did work for me:

Subject in config file

openssl genpkey                       \
        -algorithm RSA                \
        -pkeyopt rsa_keygen_bits:2048 \
        -out usr-local.org.key        \
&& openssl req                        \
        -config usr-local.org.conf    \
        -new                          \
        -outform PEM                  \
        -key usr-local.org.key        \
        -out usr-local.org.csr

The config file usr-local.org.conf might have different (sub)formats:

[ req ]
 
distinguished_name = dn
req_extensions     = req_cert_extensions
utf8 = yes
prompt = no
# # required on legacy systems
# default_md = sha256
 
[req_cert_extensions]
 
subjectAltName=@subject_alt_name
 
[ subject_alt_name ]
 
DNS.1=usr-local.org
DNS.2=www.usr-local.org
DNS.3=ssl.usr-local.org
DNS.4=smtp.usr-local.org
 
[ dn ]
C=DE
ST=Berlin
O=IN Berlin
1.DC=org
2.DC=usr-local
OU=\/usr\/local
CN=usr-local.org

Subject in command line

openssl genpkey                       \
        -algorithm RSA                \
        -pkeyopt rsa_keygen_bits:2048 \
        -out usr-local.org.key        \
&& openssl req                        \
        -config usr-local.org.conf    \
        -subj "/C=DE/ST=Berlin/O=IN Berlin/DC=org/DC=usr-local/OU=\/usr\/local/CN=www.usr-local.org" \
        -new                          \
        -outform PEM                  \
        -out usr-local.org.csr

with config file:

[ req ]
 
distinguished_name = dn
req_extensions     = req_cert_extensions
utf8 = yes
 
# This sets a mask for permitted string types. There are several options. 
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
string_mask = utf8only
 
[ req_cert_extensions ]
 
subjectAltName= DNS:usr-local.org , DNS:www.usr-local.org , DNS:ssl.usr-local.org , DNS:smtp.usr-local.org
 
[ dn ]
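
Building on the two SAN approaches above, here is an added example that is not from the original page: it writes the request config for any list of host names and then checks that the resulting CSR really carries every requested DNS entry. The function and file names are my own, and the commands assume openssl, awk and sed are on the PATH.

```bash
#!/bin/bash
# Added example, not part of the original page: build the SAN request config
# from the "Subject in config file" section for any list of host names, then
# verify the resulting CSR really carries every DNS name (names are my own).
set -o errexit

# write_san_conf OUTFILE CN HOST...  -> writes an openssl req config
write_san_conf() {
    out="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = req_cert_extensions\n'
        printf 'utf8 = yes\nprompt = no\nstring_mask = utf8only\ndefault_md = sha256\n\n'
        printf '[ req_cert_extensions ]\nsubjectAltName = @subject_alt_name\n\n'
        printf '[ subject_alt_name ]\n'
        i=1
        for host in "$@"; do
            printf 'DNS.%d=%s\n' "$i" "$host"
            i=$((i + 1))
        done
        printf '\n[ dn ]\nC=DE\nST=Berlin\nO=IN Berlin\nOU=\\/usr\\/local\nCN=%s\n' "$cn"
    } > "$out"
}

# csr_dns_sans CSR  -> prints the DNS SAN entries of a CSR, one per line
csr_dns_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/Subject Alternative Name:/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_csr_sans CSR HOST...  -> 0 only if every HOST is in the CSR's SAN list
check_csr_sans() {
    csr="$1"; shift
    have="$(csr_dns_sans "$csr")"
    for host in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$host" \
            || { echo "CSR is missing SAN entry: $host" >&2; return 1; }
    done
}

# Stand-alone use:  ./san_csr.sh usr-local.org www.usr-local.org ssl.usr-local.org
# The first argument is the CN and is also added as a SAN.
if [ "$#" -gt 0 ]; then
    name="$1"
    write_san_conf "$name.conf" "$name" "$@"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key"
    openssl req -config "$name.conf" -new -key "$name.key" -outform PEM -out "$name.csr"
    check_csr_sans "$name.csr" "$@" && echo "CSR $name.csr carries all requested SANs"
fi
```

Running the check before submitting a request catches the classic mistake of a CA issuing a certificate for the CN only because the SAN extension was silently dropped.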

Generic script

A generic script would be:

create_csr.sh
#! /bin/bash
 
set -o errexit
 
name="$1"
[ -n "$name" ] || { echo "usage: $0 <name>" >&2; exit 1; }
 
subject="/C=DE/O=\/usr\/local/OU=SSL/CN=${name}"
 
# use the first existing key file for this name
for dir in /etc/apache2/ssl /etc/ssl/private
do
  keyfile="${dir}/${name}.key"
  [ -f "$keyfile" ] && break
done
 
# do not silently continue with a non-existing key file
[ -f "$keyfile" ] || { echo "No key file found for '${name}'" >&2; exit 1; }
 
echo "Found keyfile '$keyfile'"
 
openssl req -new -key "$keyfile" -outform PEM \
            -subj "${subject}" \
            -config <(cat /etc/ssl/openssl.cnf "${name}.conf") \
            -out "${name}.csr"

Convert CA certificates

openssl x509 -inform DER -outform PEM -in /tmp/IN-Berlin-G3-root-certificate.htm  -out /tmp/IN-Berlin-G3-root-certificate.pem

Extract certificate from combined PEM file

( fgrep -m 1 CERTIFICATE ; cat ) < my.pem > my-crt.pem

This relies on the key block coming before the certificate in my.pem: fgrep stops right after the first line containing CERTIFICATE, and cat copies the rest of the file from that position.

Remove passphrase from RSA key

This will create a key file my-key-no-pass.pem without passphrase from an RSA key file my-key.pem in PEM format:

openssl rsa -in my-key.pem -out my-key-no-pass.pem

In case your file is a combined key/certificate file my.pem, the command above will still only generate a key file. To add the certificate to the new file my-no-pass.pem, you need one more line of shell code:

openssl rsa -in my.pem -out my-no-pass.pem
(echo ; fgrep -m 1 CERTIFICATE ; cat ) < my.pem >> my-no-pass.pem

Import CA certificates

This works on a Debian Etch system:

cp /tmp/IN-Berlin-G3-root-certificate.pem /etc/ssl/certs/
c_rehash

View Certificate

PEM format

openssl x509 -text -noout -in cert.pem

DER format

openssl x509 -text -noout -inform der -in cert.crt

Convert Formats

PEM to pkcs12

openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12

pkcs12 to PEM

openssl pkcs12 -in input.p12 -out output.pem

References

1)
Subject Alternate Name
docs/tips_n_tricks/openssl.html.txt · Last modified: 18.10.2022 12:30 CEST by peter
