docs:tips_n_tricks:openssl.html

Differences

This shows you the differences between two versions of the page.

docs:tips_n_tricks:openssl.html [08.11.2010 00:31 CET] peter
docs:tips_n_tricks:openssl.html [18.10.2022 12:30 CEST] (current) – [Subject in config file] peter
Line 1: Line 1:
 ====== OpenSSL ====== ====== OpenSSL ======
  
-===== Convert CA Certifiates =====+===== Generate RSA key and simple certificate request ===== 
 + 
 +  openssl genpkey                       \ 
 +          -algorithm RSA                \ 
 +          -pkeyopt rsa_keygen_bits:2048 \ 
 +          -out www.usr-local.org.key    \ 
 +  && openssl req                           \ 
 +             -new                          \ 
 +             -key www.usr-local.org.key    \ 
 +             -outform PEM                  \ 
 +             -subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org"
 +             -out www.usr-local.org.csr              
 + 
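Review bot: the ''-subj "/C=DE/ST=Berlin/O=IN Berlin/OU=\/usr\/local/CN=www.usr-local.org"'' line of the simple request is missing its trailing backslash, so the shell ends the ''openssl req'' command there and then tries to run ''-out www.usr-local.org.csr'' as a separate command; the CSR is never written. Append '' \'' after the closing quote so that ''-out'' belongs to the same invocation, as it does for every other option in the block.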
 +===== Generate certificate request with Subject Alternate Names ===== 
 + 
 +See [[https://github.com/openssl/openssl/issues/3311|issue #3311 of openssl on github]] about adding SAN((Subject Alternate Name)) entries. And there are a lot of suggestions [[https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line/91556#91556|in an stackexchange answer]] that was linked from the issue. 
 + 
 +The following approaches did work for me: 
 + 
 +==== Subject in config file ==== 
 + 
 +  openssl genpkey                       \ 
 +          -algorithm RSA                \ 
 +          -pkeyopt rsa_keygen_bits:2048 \ 
 +          -out usr-local.org.key        \ 
 +  && openssl req                        \ 
 +          -config usr-local.org.conf    \ 
 +          -new                          \ 
 +          -outform PEM                  \ 
 +          -key usr-local.org.key        \ 
 +          -out usr-local.org.csr 
 + 
 +the config file ''usr-local.org.conf'' might have different (sub)formats: 
 + 
 +<code text> 
 +[ req ] 
 + 
 +distinguished_name = dn 
 +req_extensions     = req_cert_extensions 
 +utf8 = yes 
 +prompt = no 
 +# # required on legacy systems 
 +# default_md = sha256 
 + 
 +[req_cert_extensions] 
 + 
 +subjectAltName=@subject_alt_name 
 + 
 +[ subject_alt_name ] 
 + 
 +DNS.1=usr-local.org 
 +DNS.2=www.usr-local.org 
 +DNS.3=ssl.usr-local.org 
 +DNS.4=smtp.usr-local.org 
 + 
 +[ dn ] 
 +C=DE 
 +ST=Berlin 
 +O=IN Berlin 
 +1.DC=org 
 +2.DC=usr-local 
 +OU=\/usr\/local 
 +CN=usr-local.org 
 + 
 +</code> 
 + 
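Review bot: the commented-out ''default_md = sha256'' in ''[ req ]'' should be enabled rather than left as a comment: legacy OpenSSL releases (before 1.1.0) sign requests with SHA-1 unless this is set, and the line is harmless on newer releases where sha256 is already the default. Two more points on this config: the names under ''req_extensions'' only end up in the CSR, and whether they reach the issued certificate depends on the CA copying request extensions (for ''openssl ca'' that is ''copy_extensions = copy'' in the CA's own config), so verify the issued certificate with ''openssl x509 -text -noout'' and look for the ''X509v3 Subject Alternative Name'' block; and since modern clients ignore the CN entirely, every host the certificate must serve has to appear as a ''DNS.n'' entry, the CN ''usr-local.org'' alone does not cover them.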
 +==== Subject in command line ==== 
 + 
 +  openssl genpkey                       \ 
 +          -algorithm RSA                \ 
 +          -pkeyopt rsa_keygen_bits:2048 \ 
 +          -out usr-local.org.key        \ 
 +  && openssl req                        \ 
 +          -config usr-local.org.conf    \ 
 +          -subj "/C=DE/ST=Berlin/O=IN Berlin/DC=org/DC=usr-local/OU=\/usr\/local/CN=www.usr-local.org"
 +          -new                          \ 
 +          -outform PEM                  \ 
 +          -out usr-local.org.csr 
 + 
 +with config file: 
 + 
 +<code text> 
 +[ req ] 
 +  
 +distinguished_name = dn 
 +req_extensions     = req_cert_extensions 
 +utf8 = yes 
 + 
 +# This sets a mask for permitted string types. There are several options.  
 +# utf8only: only UTF8Strings (PKIX recommendation after 2004). 
 +string_mask = utf8only 
 +  
 +[ req_cert_extensions ] 
 + 
 +subjectAltName= DNS:usr-local.org , DNS:www.usr-local.org , DNS:ssl.usr-local.org , DNS:smtp.usr-local.org 
 + 
 +[ dn ] 
 + 
 +</code> 
 + 
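Review bot: the ''-subj "/C=DE/ST=Berlin/O=IN Berlin/DC=org/DC=usr-local/OU=\/usr\/local/CN=www.usr-local.org"'' line in this variant is also missing its trailing backslash, so ''-new'', ''-outform PEM'' and ''-out usr-local.org.csr'' never reach openssl and the shell reports ''-new: command not found''; append '' \'' after the closing quote. The empty ''[ dn ]'' section in the accompanying config is fine only because the whole distinguished name comes from ''-subj''; the config cannot be reused with the prompt-free invocation of the previous subsection without filling it in.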
 +==== Generic script ==== 
 + 
 +A generic script would be: 
 + 
 +<code bash create_csr.sh> 
 +#! /bin/bash 
 + 
 +set -o errexit 
 + 
 +name="$1" 
 + 
 +subject="/C=DE/O=\/usr\/local/OU=SSL/CN=${name}"                    ;; 
 + 
 +for dir in /etc/apache2/ssl /etc/ssl/private 
 +do 
 +  keyfile="${dir}/${name}.key" 
 +  [ -f "$keyfile" ] && break 
 +done 
 + 
 +echo "Found keyfile '$keyfile'" 
 + 
 +openssl req -new -key "$keyfile" -outform PEM \ 
 +            -subj "${subject}"
 +            -config <(cat /etc/ssl/openssl.cnf "${name}.conf") \ 
 +            -out "${name}.csr" 
 +</code> 
 +====  ==== 
 + 
 +__References__: 
 + 
 +  * https://help.directadmin.com/item.php?id=256 
 +  * https://www.thomas-krenn.com/de/wiki/Openssl_Multi-Domain_CSR_erstellen 
 +  * https://github.com/openssl/openssl/issues/3311 
 +  * https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line/91556#91556 
 +  * http://openssl.6102.n7.nabble.com/cmd-line-and-subjectAltName-td47538.html#a47548 
 + 
 + 
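Review bot: ''create_csr.sh'' does not run as written: the stray '';;'' at the end of the ''subject='' assignment is a ''case'' terminator outside any ''case'' statement and is a syntax error, and the ''-subj "${subject}"'' line lacks its trailing backslash, so ''-config'' and ''-out'' are dropped from the openssl call. The key lookup loop also has no failure path: when neither ''/etc/apache2/ssl'' nor ''/etc/ssl/private'' contains ''${name}.key'', ''$keyfile'' keeps the last candidate and the script prints a misleading ''Found keyfile'' message before openssl fails; add ''[ -f "$keyfile" ] || { echo "no key for $name" >&2; exit 1; }'' after the loop, and reject an empty ''$1'' the same way, since it would otherwise produce a request with an empty CN. Finally, the empty ''====  ===='' heading before the references should be removed.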
 +===== Convert CA certifiates =====
  
   openssl x509 -inform DER -outform PEM -in /tmp/IN-Berlin-G3-root-certificate.htm  -out /tmp/IN-Berlin-G3-root-certificate.pem   openssl x509 -inform DER -outform PEM -in /tmp/IN-Berlin-G3-root-certificate.htm  -out /tmp/IN-Berlin-G3-root-certificate.pem
  
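Review bot: the heading typo carried over from the old revision (''Certifiates'' became ''certifiates''); it should read ''Convert CA certificates''. The command itself is correct for a DER file that happens to carry an ''.htm'' extension, but a root certificate fetched this way should have its SHA-256 fingerprint (''openssl x509 -noout -fingerprint -sha256 -in /tmp/IN-Berlin-G3-root-certificate.pem'') compared against the value published by the CA before it is imported anywhere.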
-===== Import CA Certificates =====+===== Extract certificat from combinded PEM file ===== 
 + 
 +  ( fgrep -m 1 CERTIFICATE ; cat ) < my.pem > my-crt.pem 
 + 
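Review bot: heading typos, ''certificat from combinded'' should read ''certificate from combined''. The ''( fgrep -m 1 CERTIFICATE ; cat )'' trick depends on GNU grep repositioning standard input to just after the matching line when it stops at ''-m 1'', which it only does when stdin is a seekable regular file (true here because of ''< my.pem''); other grep implementations may read ahead and the following ''cat'' then loses lines, and GNU grep 3.8 and later warn that ''fgrep'' is obsolescent (''grep -F'' is the equivalent). It also copies everything after the first ''CERTIFICATE'' line, so if the private key follows the certificate in ''my.pem'' it lands in ''my-crt.pem'' too; ''openssl x509 -in my.pem -out my-crt.pem'' extracts the first certificate regardless of block order, at the cost of dropping any chain certificates that follow it.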
 +===== Remove passphrase from RSA key ===== 
 + 
 +This will create a key file ''my-key-no-pass.pem'' without passphrase from a RSA key file ''my-key.pem'' in PEM format: 
 + 
 +  openssl rsa -in my-key.pem -out my-key-no-pass.pem 
 + 
 +In case your file is a combined key/certificate file ''my.pem'', the command above will still only generate a key file. To add the certificate to the new file ''my-no-pass.pem'', you need one more line of shell code: 
 + 
 +  openssl rsa -in my.pem -out my-no-pass.pem 
 +  (echo ; fgrep -m 1 CERTIFICATE ; cat ) < my.pem >> my-no-pass.pem 
 + 
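Review bot: ''openssl rsa -in my-key.pem -out my-key-no-pass.pem'' writes the key in clear with whatever permissions the current umask grants, so run it under ''umask 077'' (or ''chmod 600'' the output immediately) and keep the unencrypted copy only on the host that needs it. The combined-file variant reuses the ''fgrep -m 1 CERTIFICATE'' trick from the previous section and inherits its GNU grep dependency. ''openssl rsa'' also only accepts RSA keys; ''openssl pkey -in my-key.pem -out my-key-no-pass.pem'' does the same job for any key type.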
 +===== Import CA certificates =====
 This works on a Debian Etch sytem This works on a Debian Etch sytem
  
   cp /tmp/IN-Berlin-G3-root-certificate.pem /etc/ssl/certs/   cp /tmp/IN-Berlin-G3-root-certificate.pem /etc/ssl/certs/
   c_rehash   c_rehash
 +
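Review bot: ''sytem'' should read ''system'' (the typo is in both columns). Dropping the PEM file into ''/etc/ssl/certs/'' and running ''c_rehash'' works on Etch as stated, but on current Debian releases the maintained mechanism is to copy the file with a ''.crt'' extension into ''/usr/local/share/ca-certificates/'' and run ''update-ca-certificates'', which regenerates the hash links and the bundle and survives package upgrades. Either way the step makes every OpenSSL-based client on the host trust that CA, so it belongs after the fingerprint check suggested for the conversion step above.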
 +===== View Certificate =====
 +
 +==== PEM format ====
 +
 +  openssl x509 -text -noout -in cert.pem
 +
 +==== DER format ====
 +
 +  openssl x509 -text -noout -inform der -in cert.crt
 +
 +===== Convert Formats =====
 +
 +==== PEM to pkcs12 ====
 +
 +  openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12
 +
 +==== pkcs12 to PEM ====
 +
 +  openssl pkcs12 -in input.p12 -out output.pem
  
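Review bot: ''openssl pkcs12 -export -in cert.pem -inkey key.pem -out result.p12'' bundles only the leaf certificate and its key; add ''-certfile chain.pem'' when the intermediates should travel with it, and expect a prompt for the export password that protects the key inside the ''.p12''. The reverse command ''openssl pkcs12 -in input.p12 -out output.pem'' prompts for a new PEM passphrase and writes the key encrypted; ''-nodes'' (''-noenc'' in OpenSSL 3) writes it in clear, with the same file-permission caveat as the passphrase-removal section. Since OpenSSL 3.0 ''-export'' defaults to AES-256-CBC with PBKDF2, which very old consumers cannot open; ''-legacy'' selects the older algorithms when that compatibility is required.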
 ===== References ===== ===== References =====
  
-  * http://support.citrix.com/article/CTX106631 +  * [[http://support.citrix.com/article/CTX106631|How to Use OpenSSL to Convert Certificates Between PEM and DER]] 
-  * man fetchmail+  * [[http://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html|Removing a passphrase froman SSL key]] 
 +  * [[http://www-user.tu-chemnitz.de/~hot/SSL/|Praktische Experimente mit OpenSSL]] 
 +  * [[https://binblog.info/2007/08/15/pem-nach-p12-konvertieren/|#!/bin/blog: PEM nach P12 konvertieren]] 
 +  * ''man fetchmail''\\ ''man openssl''\\ ''man genpkey''\\ ''man req'' 
 + 
 +{{tag>ssl cert}} 
 +{{entry>ssl}} 
 +{{entry>cert}}
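Review bot: link text typo in the second reference, ''froman'' should read ''from an''.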
docs/tips_n_tricks/openssl.html.1289172676.txt.gz · Last modified: 08.11.2010 00:31 CET by peter
