RSA keys and certificates with OpenSSL: Frequently used commands

http://www.codealias.info/technotes/manipulating_pki_certificates


This is a short howto covering the OpenSSL commands most often needed to manipulate RSA keys and X.509 (PKI/SSL) certificates.


RSA public/private keys for testing

Create a 3DES-encrypted RSA private key (the public key is embedded in it)

openssl genrsa -des3 -out private-3des-2048.pem 2048

Decrypt a 3DES-encrypted PEM key and convert it to DER (the output is unencrypted)

openssl rsa -in private-3des-2048.pem -outform DER -out private-2048.der


PKI CA operations

Creating a PKI CA

  • Install openssl
  • Create a CA folder
        mkdir /CA
  • Locate the file "CA.pl" and copy it into the /CA folder
  • Update the "openssl.cnf" file
  • Create a new CA
        ./CA.pl -newca


Creating SSL certificates

  • Create certificate requests
        ./CA.pl -newreq
  • Sign the requests to generate SSL certificates
        ./CA.pl -sign
  • Move the newly generated certificate, key and request
        mkdir someone ; mv new*.* ./someone/


Create a PKCS#12 (.p12) bundle from a certificate and its private key

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out certificate.p12


Other PKI operations


Importing trusted root CA SSL certificates

OpenSSL looks up CA certificates in a directory (e.g. /etc/ssl/certs) by a hash of the certificate's subject name. This is how to create the hash-named symlinks that point each hash file at its certificate. (Recent OpenSSL versions ship c_rehash and "openssl rehash", which do the same job for a whole directory.)

  1. Copy this script into a file under /etc/ssl/certs (e.g. certlink.sh)

#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
# Run it from the directory holding the certificates (e.g. /etc/ssl/certs),
# so that the symlinks are created next to the files they point at.

for CERTFILE in "$@"; do
  # make sure the file exists and is a valid cert (x509 fails -> empty hash)
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE" 2>/dev/null)
  test -n "$HASH" || continue

  # use the lowest free suffix for the symlink (<hash>.0, <hash>.1, ...)
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    LINK="${HASH}.${ITER}"
    # skip names already taken by a file or by a symlink, even a dangling one
    { test -e "$LINK" || test -L "$LINK"; } && continue
    ln -s "$CERTFILE" "$LINK"
    test -L "$LINK" && break
  done
done

  2. Run the script

        ./certlink.sh filename

where filename is a root CA certificate in PEM format.


Extract the CA certificates (PEM) bundled in a client .p12

openssl pkcs12 -in example.p12 -out cacert.pem -cacerts -nokeys


Extract the client certificate and private key (PEM) from a client .p12

openssl pkcs12 -in example.p12 -out example-cert.pem -clcerts -nokeys
openssl pkcs12 -in example.p12 -out example-key.pem -nocerts

The second command writes the key PEM-encrypted under a new passphrase that it prompts for; add -nodes to write it unencrypted.
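The PKCS#12 export above and the extraction just shown, run as a round trip with a check that the extracted key really belongs to the extracted certificate. This is an added example, not part of the original howto; the subject name "example-test", the export password "test" and the temp-directory file names are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original howto): round-trip a key and certificate
# through a .p12 bundle, then confirm the extracted key matches the extracted
# certificate by comparing RSA moduli. All material is constructed in a
# throwaway temp directory; subject and password are made-up demo values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Unencrypted 2048-bit RSA key plus a one-day self-signed certificate for it.
make_test_material() {
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/key.pem" -days 1 \
    -subj "/CN=example-test" -out "$WORK/cert.pem" 2>/dev/null
}

# Bundle into PKCS#12, then pull certificate and key back out as PEM.
# -nodes writes the key unencrypted; without it the key gets a new passphrase.
p12_round_trip() {
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/bundle.p12" -passout pass:test
  openssl pkcs12 -in "$WORK/bundle.p12" -clcerts -nokeys \
    -out "$WORK/out-cert.pem" -passin pass:test 2>/dev/null
  openssl pkcs12 -in "$WORK/bundle.p12" -nocerts -nodes \
    -out "$WORK/out-key.pem" -passin pass:test 2>/dev/null
}

# SHA-256 of the RSA modulus; a key and a certificate belong together iff equal.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl sha256; }
key_modulus()  { openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256; }

# Returns 0 when the key in $1 belongs to the certificate in $2, 1 otherwise.
key_matches_cert() {
  [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

make_test_material
p12_round_trip
if key_matches_cert "$WORK/out-key.pem" "$WORK/out-cert.pem"; then
  echo "extracted key and certificate match"
else
  echo "MISMATCH: extracted key does not belong to the certificate" >&2
  exit 1
fi
```

The same modulus comparison works on any PEM key/certificate pair, so it is a quick sanity check before installing material extracted from a .p12 you did not create yourself.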


Extract CA certificates (PEM) from a DER-encoded .p7b (as generated by Windows CAs)

openssl pkcs7 -in certnew.p7b -out cacert.pem -inform DER -text -print_certs
