OpenSSL
Generate RSA key and simple certificate request
openssl genpkey \
  -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -out www.usr-local.org.key \
&& openssl req \
  -new \
  -key www.usr-local.org.key \
  -outform PEM \
  -subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org" \
  -out www.usr-local.org.csr
Generate certificate request with Subject Alternate Names
See issue #3311 of openssl on GitHub about adding SAN1) entries, and the Stack Exchange answer linked from that issue, which collects a lot of suggestions.
The following approaches worked for me:
Subject in config file
openssl genpkey \
  -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -out usr-local.org.key \
&& openssl req \
  -config usr-local.org.conf \
  -new \
  -outform PEM \
  -key usr-local.org.key \
  -out usr-local.org.csr
The config file usr-local.org.conf might use one of several (sub)formats:
[ req ]
distinguished_name = dn
req_extensions = req_cert_extensions
utf8 = yes
prompt = no
#
# required on legacy systems
#
default_md = sha256

[req_cert_extensions]
subjectAltName=@subject_alt_name

[ subject_alt_name ]
DNS.1=usr-local.org
DNS.2=www.usr-local.org
DNS.3=ssl.usr-local.org
DNS.4=smtp.usr-local.org

[ dn ]
C=DE
ST=Berlin
O=IN Berlin
1.DC=org
2.DC=usr-local
OU=\/usr\/local
CN=usr-local.org
Subject in command line
openssl genpkey \
  -algorithm RSA \
  -pkeyopt rsa_keygen_bits:2048 \
  -out usr-local.org.key \
&& openssl req \
  -config usr-local.org.conf \
  -subj "/C=DE/ST=Berlin/O=IN Berlin/DC=org/DC=usr-local/OU=\/usr\/local/CN=www.usr-local.org" \
  -new \
  -outform PEM \
  -out usr-local.org.csr
with config file (the [ dn ] section stays empty because the subject comes from the command line):
[ req ]
distinguished_name = dn
req_extensions = req_cert_extensions
utf8 = yes
# This sets a mask for permitted string types. There are several options.
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
string_mask = utf8only

[ req_cert_extensions ]
subjectAltName= DNS:usr-local.org , DNS:www.usr-local.org , DNS:ssl.usr-local.org , DNS:smtp.usr-local.org

[ dn ]
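The following script is an added example and not part of the original page: it writes a SAN config of the first format above into a scratch directory, generates the key and the CSR from it, and then checks that every requested DNS name really landed in the request's subjectAltName, which is the check to run before sending a CSR to a CA. It assumes a working openssl (1.1.x or 3.x) on PATH; the CN, the DNS names, the organisation and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes: openssl on PATH.
# All names and paths below are constructed for the demonstration.

# make_san_csr DIR CN NAME... : write DIR/CN.conf, DIR/CN.key and DIR/CN.csr,
# with every NAME as a DNS entry of the subjectAltName extension.
make_san_csr() {
    dir="$1"; cn="$2"; shift 2
    conf="$dir/$cn.conf"
    {
        printf '[ req ]\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = req_cert_extensions\n'
        printf 'prompt = no\nutf8 = yes\nstring_mask = utf8only\ndefault_md = sha256\n\n'
        printf '[ dn ]\nC = DE\nO = Example Org\nCN = %s\n\n' "$cn"
        printf '[ req_cert_extensions ]\nsubjectAltName = @subject_alt_name\n\n'
        printf '[ subject_alt_name ]\n'
        i=1
        for n in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$n"
            i=$((i + 1))
        done
    } > "$conf"
    # genpkey prints progress dots on stderr with OpenSSL 1.1; silence them
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$cn.key" 2>/dev/null
    openssl req -new -config "$conf" -key "$dir/$cn.key" -outform PEM \
        -out "$dir/$cn.csr"
}

# csr_san_names CSR : print the DNS names of the CSR's subjectAltName, one
# per line. "openssl req -text" prints them as one indented line:
#   DNS:a.example, DNS:b.example
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *\(DNS:.*\)$/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# csr_has_sans CSR NAME... : return 0 only if every NAME is in the SAN list
csr_has_sans() {
    csr="$1"; shift
    names=$(csr_san_names "$csr")
    for n in "$@"; do
        printf '%s\n' "$names" | grep -qx "$n" || return 1
    done
    return 0
}

# Usage (constructed example):
#   make_san_csr /tmp/csr example.test example.test www.example.test
#   csr_has_sans /tmp/csr/example.test.csr example.test www.example.test && echo ok
```

A CSR whose SAN list comes out empty here is the classic symptom of a config whose req_extensions line points at a section name that does not exist; openssl does not complain, it simply omits the extension.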
Generic script
A generic script would be:
- create_csr.sh
#! /bin/bash
set -o errexit

name="$1"
subject="/C=DE/O=\/usr\/local/OU=SSL/CN=${name}"

# use the first existing key file for this name from the candidate directories
for dir in /etc/apache2/ssl /etc/ssl/private
do
  keyfile="${dir}/${name}.key"
  [ -f "$keyfile" ] && break
done
[ -f "$keyfile" ] || { echo "No key file for '$name' found" >&2; exit 1; }
echo "Found keyfile '$keyfile'"

# the per-host config (e.g. the SAN entries) is appended to the system openssl.cnf
openssl req -new -key "$keyfile" -outform PEM \
  -subj "${subject}" \
  -config <(cat /etc/ssl/openssl.cnf "${name}.conf") \
  -out "${name}.csr"
Convert CA certificates
openssl x509 -inform DER -outform PEM -in /tmp/IN-Berlin-G3-root-certificate.htm -out /tmp/IN-Berlin-G3-root-certificate.pem
Extract certificate from combined PEM file
( fgrep -m 1 CERTIFICATE ; cat ) < my.pem > my-crt.pem
This relies on GNU grep leaving the file offset just after the first matching line when it stops after -m 1 on a regular file, so cat continues from the BEGIN CERTIFICATE line. It therefore only works when the key precedes the certificate in my.pem.
Remove passphrase from RSA key
This will create a key file my-key-no-pass.pem without passphrase from an RSA key file my-key.pem in PEM format:
openssl rsa -in my-key.pem -out my-key-no-pass.pem
In case your file is a combined key/certificate file my.pem, the command above will still only generate a key file. To add the certificate to the new file my-no-pass.pem, you need one more line of shell code:
openssl rsa -in my.pem -out my-no-pass.pem
(echo ; fgrep -m 1 CERTIFICATE ; cat ) < my.pem >> my-no-pass.pem
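The fgrep/cat trick used above for extracting the certificate and for rebuilding the combined file assumes that the key comes first and that there is exactly one certificate. The script below is an added example, not code from the original page, that splits a combined PEM file by block type with awk alone, so it works regardless of block order and when the file carries a whole chain; it also tells you whether the key is passphrase-protected before you run openssl rsa on it. The sample file it writes is constructed: the base64 bodies are dummies, not real key or certificate material, and it needs no openssl at all.

```shell
#!/bin/sh
# Added example (not from the original page). The sample PEM file below is
# constructed; its bodies are placeholders, not real keys or certificates.

# pem_extract FILE TYPE : print every "-----BEGIN TYPE-----" block in FILE,
# e.g. pem_extract my.pem CERTIFICATE   or   pem_extract my.pem 'RSA PRIVATE KEY'
pem_extract() {
    awk -v want="$2" '
        /^-----BEGIN / { inblock = ($0 == ("-----BEGIN " want "-----")) }
        inblock        { print }
        /^-----END /   { inblock = 0 }
    ' "$1"
}

# pem_extract_first FILE TYPE : like pem_extract, but stop after the first block
# (the portable equivalent of the "-m 1" idea, without depending on file offsets)
pem_extract_first() {
    awk -v want="$2" '
        /^-----BEGIN / { inblock = ($0 == ("-----BEGIN " want "-----")) }
        inblock        { print }
        inblock && /^-----END / { exit }
    ' "$1"
}

# pem_count FILE TYPE : number of blocks of that type (0 instead of a grep error)
pem_count() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# pem_key_is_encrypted FILE : 0 if the private key in FILE carries a passphrase,
# either as a legacy "Proc-Type: 4,ENCRYPTED" header or as PKCS#8 ENCRYPTED block
pem_key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED$' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$1"
}

# make_sample_pem FILE : write a constructed combined file: leaf certificate
# first, then an encrypted key, then the issuer certificate. With this order
# the "fgrep -m 1 CERTIFICATE ; cat" trick would copy the key as well.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleLeafCertBodyNotRealBase64Line1
MIIBsampleLeafCertBodyNotRealBase64Line2
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

samplePrivateKeyBodyNotRealBase64
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBsampleIssuerCertBodyNotRealBase64
-----END CERTIFICATE-----
EOF
}

# Usage:
#   make_sample_pem /tmp/sample.pem
#   pem_extract /tmp/sample.pem CERTIFICATE > /tmp/sample-crt.pem
#   pem_key_is_encrypted /tmp/sample.pem && echo "key has a passphrase"
```

To rebuild a passphrase-free combined file in either block order, run openssl rsa on the output of pem_extract FILE 'RSA PRIVATE KEY' (or 'PRIVATE KEY' / 'ENCRYPTED PRIVATE KEY' for PKCS#8 files) and append pem_extract FILE CERTIFICATE; nothing else from the original file is copied.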
Import CA certificates
This works on a Debian Etch system:
cp /tmp/IN-Berlin-G3-root-certificate.pem /etc/ssl/certs/
c_rehash
View Certificate
PEM format
openssl x509 -text -noout -in cert.pem
DER format
openssl x509 -text -noout -inform der -in cert.crt
Convert Formats
PEM to pkcs12
openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12
pkcs12 to PEM
openssl pkcs12 -in input.p12 -out output.pem
References
man fetchmail
man openssl
man genpkey
man req
1)
Subject Alternate Name
docs/tips_n_tricks/openssl.html.txt · Last modified: 18.10.2022 12:30 CEST by peter