OpenSSL Reference Sheet


I’ve been exploring OpenSSL and other encryption stuff and making a Certificate Authority, etc.
Here are some helpful commands that I’ve been referencing and some options that I thought would be useful.

This reference sheet uses RSA keys and SHA-2 digests and doesn’t cover elliptic curve or other methods. We will also be choosing a key length of 4096 bits, just to be a little cooler (yes, a little cooler; some people use 2048).


Basic, single common name certificates (single domain)

Private Key Generation

openssl genrsa -aes256 -out $CA/OR/OTHER_PK_FILE_NAME.key 4096

  • -aes256 encrypts the private key with a passphrase you will be prompted for; omit -aes256 to write an unencrypted key (fine for an automated server key, not recommended for the CA key).
  • Won’t prompt for any identifying information; the subject details are entered when you generate the CA certificate or a signing request.
  • Run this once to create the CA’s private key, and again on each machine that needs a certificate to create the key used for its signing request (so you end up with one key where your CA material resides, and one wherever you need a certificate). The requesting machine’s key never needs to leave it; only the request does.

Create a Certification Authority (CA) Certificate

openssl req -x509 -new -key $CA_PK_FILE_NAME.key -sha256 -days 3650 -out $CA_CERT_FILE_NAME.crt

  • Use the private key generated earlier to make a CA certificate. You will be prompted for the subject fields (country, organisation, common name, etc.).
  • Important: the -x509 option outputs a self-signed certificate instead of a request. The command in the next section omits it and therefore produces only a signing request, which still has to be signed by a CA.

Create a Signing Request

openssl req -new -key $OTHER_PK_FILE_NAME.key -out $SIGNING_REQUEST_FILE_NAME.csr

  • Send the .csr to wherever the CA certificate and its private key live so the CA can sign it. The CSR contains only the public key and subject details, so it is safe to transfer.

Signing a Signing Request

openssl x509 -req -in requests/$SIGNING_REQUEST_FILE_NAME.csr -CA ca/$CA_CERT_FILE_NAME.crt -CAkey privatekey/$CA_PK_FILE_NAME.key -CAcreateserial -out $SIGNED_CERTIFICATE_FILE_NAME.pem -days 3650 -sha256

  • -CAcreateserial creates a serial-number file (.srl) next to the CA certificate on first use; reuse it for later signings so serials stay unique.
  • Anything more than this (extensions such as SANs, or a proper serial database) requires setting up an OpenSSL config file.


SAN (Subject Alternative Names) aka Multiple-Domain Certificates

Preparation (without copying the entire openssl.cnf)

Create a file, for example named san.cnf:

[ SAN ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = a.yourdomain.com
DNS.2 = *.a.yourdomain.com
DNS.3 = service.yourdomain.com

  • Add or remove DNS.# entries for additional domains (keep the numbering consecutive)
  • I also believe IP.# is possible

Generate a CSR with SANs

openssl req -new -nodes -sha256 -extensions v3_req -reqexts SAN -key private.key -out request.csr -config <(cat /etc/ssl/openssl.cnf san.cnf) -days 36500

  • This uses the default config and appends the san.cnf sections to it via process substitution (bash only), so nothing in /etc/ssl/openssl.cnf is copied or edited
  • -reqexts SAN is what puts the subjectAltName into the request; -extensions and -days only apply together with -x509, so here they have no effect and the validity period is set when the CA signs

Sign a CSR with SANs (multiple domains)

openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out signed.pem -days 3650 -sha256 -extfile <(cat /etc/ssl/openssl.cnf san.cnf) -extensions SAN

  • ca.key is the CA’s private key, not the private.key used to create the request above
  • openssl x509 -req does not carry the SANs over from the request by itself; -extfile and -extensions SAN are what add them to the signed certificate, so don’t skip them
  • Inspect the certificate and request with the relevant commands listed below and check that the Subject Alternative Name section is present.
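The whole flow above (CA key and certificate, SAN request, signing, then verification) as an added example that is not part of the original post. It assumes openssl 1.1.1 or newer on PATH, unencrypted keys so it runs unattended, a self-contained config instead of appending to /etc/ssl/openssl.cnf, and constructed file and domain names (ca.key, server.key, example.test); it also gives the CA certificate basicConstraints and keyUsage, which a plain req -x509 with the default config may not.

```shell
# Added example, not from the original post: CA / SAN-CSR / signing flow end to end
# in a scratch directory, then the checks a relying party performs on the result.
# Assumes openssl 1.1.1+ on PATH, no passphrase (no -aes256), KEY_BITS=2048 by
# default (export KEY_BITS=4096 for the post's size); example.test names are constructed.
set -eu
KEY_BITS="${KEY_BITS:-2048}"

# Self-contained config (no dependency on /etc/ssl/openssl.cnf); v3_ca marks the
# root as a CA, SAN is the section the post's commands reference.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ SAN ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = a.example.test
DNS.2 = *.a.example.test
EOF
}

# Builds ca.key/ca.crt, a SAN request and the signed leaf (signed.pem) inside directory $1.
build_pki() {
  mkdir -p "$1" && cd "$1"
  write_config san.cnf
  openssl genrsa -out ca.key "$KEY_BITS"
  openssl req -x509 -new -key ca.key -sha256 -days 3650 -subj "/CN=Demo Root CA" \
    -config san.cnf -extensions v3_ca -out ca.crt
  openssl genrsa -out server.key "$KEY_BITS"
  openssl req -new -key server.key -sha256 -subj "/CN=a.example.test" \
    -config san.cnf -reqexts SAN -out request.csr
  openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -sha256 -extfile san.cnf -extensions SAN -out signed.pem
  cd "$OLDPWD"
}

# Succeeds only if signed.pem chains to ca.crt AND its SANs cover hostname $2.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/signed.pem" >/dev/null 2>&1
}

# Usage: build in a temp dir and show the wildcard entry matching a subdomain.
demo_dir=$(mktemp -d); build_pki "$demo_dir"
verify_leaf "$demo_dir" x.a.example.test && echo "x.a.example.test: chain and hostname OK"
```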

Reference for this Section

  • https://stackoverflow.com/a/33374806

Inspecting CSRs and Certificates

Inspecting CSRs and certificates is a nearly identical process, it looks like :0

CSR/Request Inspection

openssl req -noout -text -in request.csr

Signed Certificate Inspection

openssl x509 -noout -text -in signed.pem
