OpenSSL - commands
Generating Private keys
Creating a 2048-bit private key, password encrypted
openssl genrsa -des3 -out FILE.key 2048
Creating a 2048-bit private key, no password
openssl genrsa -out FILE.key 2048
Stripping the password from a private key
openssl rsa -in FILE.key -out FILE-NOPW.key
CSR requests
Method 1: Manual entry for CSR Questions
openssl req -new -key FILE.key -out FILE.csr
Method 2: specify the details in the command line
openssl req -new -key FILE.key -out FILE.csr -subj "/CN=website.hostname.com/OU=Org Unit 1/OU=Org Unit 2/O=Organisation/C=Country code"
Certificate self signing using existing CA
Where CAFILE.cer & CAFILE.key are the CA cert & private key
openssl x509 -req -in FILE.csr -CA CAFILE.cer -CAkey CAFILE.key -CAcreateserial -out FILE.cer -days 365
Key and Certificate merger
Merge the Private-key & Signed Cert
openssl pkcs12 -export -in FILE.cer -inkey FILE.key -out FILE.pfx -name "FRIENDLYNAME"
Here the passphrase used to create the private key can be removed.
Merging key, cert and CA cert to PKCS12 chain
openssl pkcs12 -export -chain -out FILE.pfx -inkey FILE.key -in FILE.cer -CAfile CAFILE.cer
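The key, CSR, CA-signing and PKCS12 steps above, chained into one run with a check after each stage. This is an added example, not part of the original page; the throwaway CA, the req.cnf file, the subject values and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every name, subject and password below is constructed.
issue_and_check() (
    umask 077    # keys are written unencrypted here: keep them owner-only
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

    # Throwaway CA standing in for CAFILE.key / CAFILE.cer.
    openssl genrsa -out CAFILE.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -config req.cnf -key CAFILE.key -out CAFILE.cer -days 30 2>/dev/null || exit 1

    # Server key, CSR (Method 2) and signing by the CA.
    openssl genrsa -out FILE.key 2048 2>/dev/null || exit 1
    openssl req -new -config req.cnf -key FILE.key -out FILE.csr \
        -subj "/CN=website.hostname.com/O=Organisation" 2>/dev/null || exit 1
    openssl x509 -req -in FILE.csr -CA CAFILE.cer -CAkey CAFILE.key \
        -CAcreateserial -out FILE.cer -days 365 2>/dev/null || exit 1

    # Check 1: the signed certificate chains to the CA.
    openssl verify -CAfile CAFILE.cer FILE.cer >/dev/null 2>&1 && chain=ok || chain=FAIL

    # Check 2: the certificate carries the public half of FILE.key.
    [ "$(openssl pkey -in FILE.key -pubout)" = "$(openssl x509 -in FILE.cer -noout -pubkey)" ] \
        && keymatch=ok || keymatch=FAIL

    # Check 3: the PFX round-trips to the same certificate.
    # pass: exposes the password in the process list; use env: or file: for real keys.
    openssl pkcs12 -export -in FILE.cer -inkey FILE.key -out FILE.pfx \
        -name "FRIENDLYNAME" -passout pass:constructed-demo || exit 1
    fp() { openssl x509 -noout -fingerprint -sha256; }
    [ "$(fp < FILE.cer)" = "$(openssl pkcs12 -in FILE.pfx -clcerts -nokeys \
        -passin pass:constructed-demo 2>/dev/null | fp)" ] && pfx=ok || pfx=FAIL

    echo "chain=$chain keymatch=$keymatch pfx=$pfx"
)
```

Running `issue_and_check` prints one status line; any field other than `ok` identifies the stage whose output does not match its input.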
OpenSSL conversions
PKCS12 to PEM
First is for the certificate export, second for the key; each writes to its own file so the second command does not overwrite the first
openssl pkcs12 -clcerts -nokeys -in FILE.pfx -out FileCert.pem
openssl pkcs12 -nocerts -in FILE.pfx -out FileKey.pem
PEM to PKCS12
openssl pkcs12 -export -inkey FileKey.pem -in FileCert.pem -out FILE.pfx
PEM to DER
First is for the certificate export, second for the key
openssl x509 -in FileCert.pem -out FileCert.der -outform der
openssl pkcs8 -topk8 -nocrypt -in FileKey.pem -out FileKey.der -outform der
| OpenSSL Links | |
|---|---|
| Frequently used SSL commands | also covers keytool |
| OpenSSL Command-Line HOWTO | Massive FAQ on OpenSSL |
| Common OpenSSL commands | The Most Common OpenSSL Commands |