OpenSSL cheatsheet

OpenSSL config

The default openssl.conf shipped with most distro's is not very suitable for a CA. Here is a minimal working config.

Not all openssl subcommands have a way to specify the config file.

Create a key: openssl genrsa -des3 -out my-ca.key 4096
Generate certificate, valid 10 years: openssl req -config openssl.cnf -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Show sha1 fingerprint: openssl x509 -in my-ca.crt -noout -fingerprint -sha1
Create a serial file for a CA certificate (will create my-ca.srl).: openssl x509 -in my-ca.crt -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -noout
Create a crl (revocation list) that is valid for 10 years (which is waaay to long). 'index.txt' should be an empty file.: openssl ca -config openssl.cnf -gencrl -keyfile my-ca.key -cert my-ca.crt -out my-ca.crl -crldays 3650

Create a key and a certificate request: openssl req -nodes -new -days 3650 -newkey rsa:4096 -keyout my-server.key -out my-server.csr
Generate the certificate with serial, valid 10 years: openssl x509 -req -in my-server.csr -out my-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -days 3650
Remove password from key: openssl rsa -in my-server.key -out my-server.key

Generate a key (remove -des3 for passwordless): openssl genrsa -des3 -out client.key 4096
Create sign request: openssl req -key client.key -new -out client.req
Create a certificate from a request: openssl x509 -req -in client.req -CA my-ca.crt -CAkey my-ca.key -CAserial my-ca.srl -out client.crt -days 1095
Convert certificate + key to pkcs12: openssl pkcs12 -export -out certificate.pkcs12 -inkey client.key -in client.crt -certfile my-ca.crt
Check a pkcs12 file: openssl pkcs12 -info -in client.pkcs12

openssl pkcs12 -export -in certs.pem -inkey certs.key -out file.p12 -name "Client Certificate"

Show private key from spkac structure (note that openssl expects 'SPKAC=' prefixed): echo "SPKAC=`cat spkac.txt`" | openssl spkac -pubkey -noout