tls.rst
changeset 2526 8f83c9cd3059
parent 2492 bd3d45148652
2525:cb9c3e5c2884 2526:8f83c9cd3059
    17   openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)
    17   openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)
    18 
    18 
    19 Select DSA curve::
    19 Select DSA curve::
    20 
    20 
    21   openssl ecparam -list_curves
    21   openssl ecparam -list_curves
       
    22 
       
    23 Show key details::
       
    24 
       
    25   openssl rsa -text -noout -in my.key
       
    26 
       
    27 Generate public key::
       
    28 
       
    29   openssl rsa -pubout -in my.key -out my.pem
       
    30 
       
    31 Create CSR
       
    32 ==========
       
    33 
       
    34 Generate CSR with a private key::
       
    35 
       
    36   openssl req -new -newkey rsa:2048 -nodes
       
    37     -keyout my.key -out my.csr \
       
    38     -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
       
    39 
       
    40 Generate CSR from a private key::
       
    41 
       
    42   openssl req -new -nodes -key my.key -out my.csr
       
    43 
       
    44   openssl req -new -nodes -key my.key -out my.csr \
       
    45     -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
       
    46 
       
    47 Recreate signing request from certificate::
       
    48 
       
    49   openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr
       
    50 
       
    51 Review CSR::
       
    52 
       
    53   openssl req -text -noout -in my.csr
       
    54 
       
    55 Verify CSR::
       
    56 
       
    57   openssl req -text -noout -verify -in my.csr
    22 
    58 
    23 Generate a self-signed certificate
    59 Generate a self-signed certificate
    24 ==================================
    60 ==================================
    25 
    61 
    26 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
    62 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
    46     -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
    82     -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
    47 
    83 
    48 Review the resulting certificate::
    84 Review the resulting certificate::
    49 
    85 
    50   openssl x509 -text -noout -in my.crt
    86   openssl x509 -text -noout -in my.crt
       
    87   keytool -printcert -file my.crt
    51 
    88 
    52 .. note::
    89 .. note::
    53    With ``openssl`` we can add an extra step:
    90    With ``openssl`` we can add an extra step:
    54 
    91 
    55    * generate private key (``openssl genrsa``)
    92    * generate private key (``openssl genrsa``)
    90 To export the self-signed certificate::
   127 To export the self-signed certificate::
    91 
   128 
    92   keytool -exportcert -keystore my.p12 -file my.crt \
   129   keytool -exportcert -keystore my.p12 -file my.crt \
    93     -alias master -rfc -storepass 123456
   130     -alias master -rfc -storepass 123456
    94 
   131 
    95 Review the resulting certificate::
       
    96 
       
    97   keytool -printcert -file my.crt
       
    98 
       
    99 https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
   132 https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
   100   How to create a self-signed certificate with OpenSSL.
   133   How to create a self-signed certificate with OpenSSL.
   101 
   134 
   102 Verify self-signed certificate
   135 Verify self-signed certificate
   103 ==============================
   136 ==============================
   104 
   137 
       
   138 Review certificate::
       
   139 
       
   140   openssl x509 -text -noout -in my.crt
       
   141 
   105 Use a private key and corresponding self-signed certificate to launch a server::
   142 Use a private key and corresponding self-signed certificate to launch a server::
   106 
   143 
   107   openssl s_server -accept 8000 -www -key my.key -cert my.crt
   144   openssl s_server -accept 8000 -www -key my.key -cert my.crt
   108 
   145 
   109 Clients should use self-signed certificate for verification::
   146 Clients should use self-signed certificate for verification::
   115 There is no certificate chain so the check is trivial for self-signed certificates...
   152 There is no certificate chain so the check is trivial for self-signed certificates...
   116 
   153 
   117 PKCS#12 stores
   154 PKCS#12 stores
   118 ==============
   155 ==============
   119 
   156 
   120 PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
   157 PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store::
   121 
   158 
   122   openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
   159   openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
   123 
   160 
   124 Show info about PKCS#12 store::
   161 Show info about PKCS#12 store::
   125 
   162 
   129 To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
   166 To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
   130 PRIVATE KEY``)::
   167 PRIVATE KEY``)::
   131 
   168 
   132   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
   169   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
   133 
   170 
   134 To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
   171 To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or
   135 DSA PRIVATE KEY``)::
   172 ``BEGIN DSA PRIVATE KEY``)::
   136 
   173 
   137   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
   174   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
   138 
   175 
   139 To show private key info::
   176 To show private key info::
   140 
   177 
   143 To show certificate info::
   180 To show certificate info::
   144 
   181 
   145   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
   182   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
   146   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
   183   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
   147 
   184 
       
   185 Convert DER to PEM
       
   186 ==================
       
   187 
       
   188 Convert a private key from DER to PEM::
       
   189 
       
   190   openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem
       
   191 
       
   192 Convert a certificate from DER to PEM::
       
   193 
       
   194   openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt
       
   195 
       
   196 Convert PEM to DER
       
   197 ==================
       
   198 
       
   199 Convert a private key from PEM to DER::
       
   200 
       
   201   openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der
       
   202 
       
   203 Convert a certificate from PEM to DER::
       
   204 
       
   205   openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt
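Review bot: The new "Generate CSR with a private key" example (new lines 36–38) is missing the line continuation on line 36, so `-keyout my.key -out my.csr \` on line 37 is executed as a separate command instead of continuing `openssl req`; line 36 should read `openssl req -new -newkey rsa:2048 -nodes \`. The same hunk uses `-nodes` on lines 36, 42 and 44 without saying that it writes `my.key` unencrypted to disk, which deserves a short sentence such as `Note that -nodes leaves the private key unencrypted; drop it to be prompted for a passphrase.` In the last hunk the PEM-to-DER certificate example (new line 205) writes DER output to `cert.crt`, while the matching key example writes `priv.der` and the DER-to-PEM example reads `cert.der`, so `-out cert.der` would keep the naming consistent and avoid a `.crt` file that is not PEM. New line 157 also changes "keeps private keys" to "keeps a private keys", which reads as a typo; the original wording was correct.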