docs:tips_n_tricks:openssl.html
docs:tips_n_tricks:openssl.html [07.11.2010 14:09 CET] – created peter | docs:tips_n_tricks:openssl.html [18.10.2022 12:30 CEST] (current) – [Subject in config file] peter | ||
Line 1: | Line 1: | ||
- | ===== OpenSSL ===== | + | ====== OpenSSL ====== |
- | ===== Convert CA Certifiates | + | |
+ | ===== Generate RSA key and simple certificate request ===== | ||
+ | |||
+ | openssl genpkey | ||
+ | -algorithm RSA \ | ||
+ | -pkeyopt rsa_keygen_bits: | ||
+ | -out www.usr-local.org.key | ||
+ | && openssl req \ | ||
+ | | ||
+ | -key www.usr-local.org.key | ||
+ | | ||
+ | -subj "/ | ||
+ | -out www.usr-local.org.csr | ||
+ | |||
+ | ===== Generate certificate request with Subject Alternate Names ===== | ||
+ | |||
+ | See [[https:// | ||
+ | |||
+ | The following approaches did work for me: | ||
+ | |||
+ | ==== Subject in config file ==== | ||
+ | |||
+ | openssl genpkey | ||
+ | -algorithm RSA \ | ||
+ | -pkeyopt rsa_keygen_bits: | ||
+ | -out usr-local.org.key | ||
+ | && openssl req \ | ||
+ | -config usr-local.org.conf | ||
+ | -new \ | ||
+ | -outform PEM \ | ||
+ | -key usr-local.org.key | ||
+ | -out usr-local.org.csr | ||
+ | |||
+ | the config file '' | ||
+ | |||
+ | <code text> | ||
+ | [ req ] | ||
+ | |||
+ | distinguished_name = dn | ||
+ | req_extensions | ||
+ | utf8 = yes | ||
+ | prompt = no | ||
+ | # # required on legacy systems | ||
+ | # default_md = sha256 | ||
+ | |||
+ | [req_cert_extensions] | ||
+ | |||
+ | subjectAltName=@subject_alt_name | ||
+ | |||
+ | [ subject_alt_name ] | ||
+ | |||
+ | DNS.1=usr-local.org | ||
+ | DNS.2=www.usr-local.org | ||
+ | DNS.3=ssl.usr-local.org | ||
+ | DNS.4=smtp.usr-local.org | ||
+ | |||
+ | [ dn ] | ||
+ | C=DE | ||
+ | ST=Berlin | ||
+ | O=IN Berlin | ||
+ | 1.DC=org | ||
+ | 2.DC=usr-local | ||
+ | OU=\/ | ||
+ | CN=usr-local.org | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Subject in command line ==== | ||
+ | |||
+ | openssl genpkey | ||
+ | -algorithm RSA \ | ||
+ | -pkeyopt rsa_keygen_bits: | ||
+ | -out usr-local.org.key | ||
+ | && openssl req \ | ||
+ | -config usr-local.org.conf | ||
+ | -subj "/ | ||
+ | -new \ | ||
+ | -outform PEM \ | ||
+ | -out usr-local.org.csr | ||
+ | |||
+ | with config file: | ||
+ | |||
+ | <code text> | ||
+ | [ req ] | ||
+ | |||
+ | distinguished_name = dn | ||
+ | req_extensions | ||
+ | utf8 = yes | ||
+ | |||
+ | # This sets a mask for permitted string types. There are several options. | ||
+ | # utf8only: only UTF8Strings (PKIX recommendation after 2004). | ||
+ | string_mask = utf8only | ||
+ | |||
+ | [ req_cert_extensions ] | ||
+ | |||
+ | subjectAltName= DNS: | ||
+ | |||
+ | [ dn ] | ||
+ | |||
+ | </ | ||
+ | |||
+ | ==== Generic script ==== | ||
+ | |||
+ | A generic script would be: | ||
+ | |||
+ | <code bash create_csr.sh> | ||
+ | #! /bin/bash | ||
+ | |||
+ | set -o errexit | ||
+ | |||
+ | name=" | ||
+ | |||
+ | subject="/ | ||
+ | |||
+ | for dir in / | ||
+ | do | ||
+ | keyfile=" | ||
+ | [ -f " | ||
+ | done | ||
+ | |||
+ | echo "Found keyfile ' | ||
+ | |||
+ | openssl req -new -key " | ||
+ | -subj " | ||
+ | -config <(cat / | ||
+ | -out " | ||
+ | </ | ||
+ | ==== ==== | ||
+ | |||
+ | __References__: | ||
+ | |||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * http:// | ||
+ | |||
+ | |||
+ | ===== Convert CA certifiates | ||
openssl x509 -inform DER -outform PEM -in / | openssl x509 -inform DER -outform PEM -in / | ||
+ | |||
+ | ===== Extract certificat from combinded PEM file ===== | ||
+ | |||
+ | ( fgrep -m 1 CERTIFICATE ; cat ) < my.pem > my-crt.pem | ||
+ | |||
+ | ===== Remove passphrase from RSA key ===== | ||
+ | |||
+ | This will create a key file '' | ||
+ | |||
+ | openssl rsa -in my-key.pem -out my-key-no-pass.pem | ||
+ | |||
+ | In case your file is a combined key/ | ||
+ | |||
+ | openssl rsa -in my.pem -out my-no-pass.pem | ||
+ | (echo ; fgrep -m 1 CERTIFICATE ; cat ) < my.pem >> my-no-pass.pem | ||
+ | |||
+ | ===== Import CA certificates ===== | ||
+ | This works on a Debian Etch sytem | ||
+ | |||
+ | cp / | ||
+ | c_rehash | ||
+ | |||
+ | ===== View Certificate ===== | ||
+ | |||
+ | ==== PEM format ==== | ||
+ | |||
+ | openssl x509 -text -noout -in cert.pem | ||
+ | |||
+ | ==== DER format ==== | ||
+ | |||
+ | openssl x509 -text -noout -inform der -in cert.crt | ||
+ | |||
+ | ===== Convert Formats ===== | ||
+ | |||
+ | ==== PEM to pkcs12 ==== | ||
+ | |||
+ | openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12 | ||
+ | |||
+ | ==== pkcs12 to PEM ==== | ||
+ | |||
+ | openssl pkcs12 -in input.p12 -out output.pem | ||
+ | |||
+ | ===== References ===== | ||
+ | |||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | * '' | ||
+ | |||
+ | {{tag> | ||
+ | {{entry> | ||
+ | {{entry> |
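Review bot: The "Import CA certificates" section copies a certificate into the trust directory and runs `c_rehash` with no step that checks which certificate is being granted trust; the copied path is truncated in this rendering, but nothing between the `cp` and `c_rehash` lines verifies it. Suggest adding, before the `cp`, `openssl x509 -noout -fingerprint -sha256 -in <ca-cert.pem>` with a sentence saying to compare the output against a fingerprint obtained out of band. The "Remove passphrase from RSA key" section likewise leaves an unencrypted key on disk without saying how to protect it; a line such as `chmod 600 my-key-no-pass.pem` after the `openssl rsa` command (and after the `>>` append in the combined-file variant, which reuses the existing file's mode) would make that explicit, since whether `openssl rsa -out` itself creates an owner-only file depends on the OpenSSL version. Several command lines in the section are cut off in this rendering (e.g. the `-pkeyopt rsa_keygen_bits:` value and the `-subj` strings), so the key size and subjects could not be reviewed.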