17 openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512) |
17 openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512) |
18 |
18 |
19 Select DSA curve:: |
19 Select DSA curve:: |
20 |
20 |
21 openssl ecparam -list_curves |
21 openssl ecparam -list_curves |
|
22 |
|
23 Show key details:: |
|
24 |
|
25 openssl rsa -text -noout -in my.key |
|
26 |
|
27 Generate public key:: |
|
28 |
|
29 openssl rsa -pubout -in my.key -out my.pem |
|
30 |
|
31 Create CSR |
|
32 ========== |
|
33 |
|
34 Generate CSR with a private key:: |
|
35 |
|
36 openssl req -new -newkey rsa:2048 -nodes |
|
37 -keyout my.key -out my.csr \ |
|
38 -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com" |
|
39 |
|
40 Generate CSR from a private key:: |
|
41 |
|
42 openssl req -new -nodes -key my.key -out my.csr |
|
43 |
|
44 openssl req -new -nodes -key my.key -out my.csr \ |
|
45 -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com" |
|
46 |
|
47 Recreate signing request from certificate:: |
|
48 |
|
49 openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr |
|
50 |
|
51 Review CSR:: |
|
52 |
|
53 openssl req -text -noout -in my.csr |
|
54 |
|
55 Verify CSR:: |
|
56 |
|
57 openssl req -text -noout -verify -in my.csr |
22 |
58 |
23 Generate a self-signed certificate |
59 Generate a self-signed certificate |
24 ================================== |
60 ================================== |
25 |
61 |
26 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey`` |
62 ``openssl`` allows to generate self-signed certificate by a single command (``-newkey`` |
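Review bot: the first CSR command at new lines 36-37 is broken by a missing line continuation: `openssl req -new -newkey rsa:2048 -nodes` has no trailing `\`, so `-keyout my.key -out my.csr \` is executed as a separate command; add the backslash. Two smaller points in the same block: `openssl rsa -text -noout -in my.key` (line 25) and `openssl rsa -pubout -in my.key -out my.pem` (line 29) fail on the DSA key that `openssl gendsa` produces at line 17, so prefer the algorithm-agnostic `openssl pkey -text -noout -in my.key` and `openssl pkey -pubout -in my.key -out my.pem`; and `-nodes` at lines 42 and 44 has no effect when an existing key is supplied with `-key` (it only controls encryption of a freshly generated key), so drop it there. Finally, the "Select DSA curve::" label at line 19 heads `openssl ecparam -list_curves`, which lists EC curves; DSA has no curves, so retitle it "Select EC curve::".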
46 -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth |
82 -addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth |
47 |
83 |
48 Review the resulting certificate:: |
84 Review the resulting certificate:: |
49 |
85 |
50 openssl x509 -text -noout -in my.crt |
86 openssl x509 -text -noout -in my.crt |
|
87 keytool -printcert -file my.crt |
51 |
88 |
52 .. note:: |
89 .. note:: |
53 With ``openssl`` we can add an extra step: |
90 With ``openssl`` we can add an extra step: |
54 |
91 |
55 * generate private key (``openssl genrsa``) |
92 * generate private key (``openssl genrsa``) |
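Review bot: the `keytool -printcert -file my.crt` inserted at new line 87 sits directly under the openssl `x509 -text -noout` line with nothing saying it is an alternative tool rather than a second step; add a short lead-in ("or, with the JDK keytool:") or give it its own `::` paragraph so the reader does not think both commands are required.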
90 To export the self-signed certificate:: |
127 To export the self-signed certificate:: |
91 |
128 |
92 keytool -exportcert -keystore my.p12 -file my.crt \ |
129 keytool -exportcert -keystore my.p12 -file my.crt \ |
93 -alias master -rfc -storepass 123456 |
130 -alias master -rfc -storepass 123456 |
94 |
131 |
95 Review the resulting certificate:: |
|
96 |
|
97 keytool -printcert -file my.crt |
|
98 |
|
99 https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092 |
132 https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092 |
100 How to create a self-signed certificate with OpenSSL. |
133 How to create a self-signed certificate with OpenSSL. |
101 |
134 |
102 Verify self-signed certificate |
135 Verify self-signed certificate |
103 ============================== |
136 ============================== |
104 |
137 |
|
138 Review certificate:: |
|
139 |
|
140 openssl x509 -text -noout -in my.crt |
|
141 |
105 Use a private key and corresponding self-signed certificate to launch a server:: |
142 Use a private key and corresponding self-signed certificate to launch a server:: |
106 |
143 |
107 openssl s_server -accept 8000 -www -key my.key -cert my.crt |
144 openssl s_server -accept 8000 -www -key my.key -cert my.crt |
108 |
145 |
109 Clients should use self-signed certificate for verification:: |
146 Clients should use self-signed certificate for verification:: |
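Review bot: deleting "Review the resulting certificate:: keytool -printcert -file my.crt" (old lines 95-97) leaves the keytool export at new lines 127-130 with no review step, while the `openssl x509 -text -noout -in my.crt` inserted at new line 140 repeats the identical command already at new line 86. Suggest keeping the keytool review next to the keytool export, and letting the "Verify self-signed certificate" section perform an actual verification instead of another dump, e.g. `openssl verify -CAfile my.crt my.crt`, which exercises the same trust check the client-side step described from line 146 relies on.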
115 There is no certificate chain so the check is trivial for self-signed certificates... |
152 There is no certificate chain so the check is trivial for self-signed certificates... |
116 |
153 |
117 PKCS#12 stores |
154 PKCS#12 stores |
118 ============== |
155 ============== |
119 |
156 |
120 PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store:: |
157 PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store:: |
121 |
158 |
122 openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master |
159 openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master |
123 |
160 |
124 Show info about PKCS#12 store:: |
161 Show info about PKCS#12 store:: |
125 |
162 |
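Review bot: the rewrite at new line 157 introduces a grammatical error, "keeps a private keys and certificates"; the old wording "keeps private keys and certificates" was correct, or use "keeps a private key together with its certificates". In the same hunk, `openssl pkcs12 -export ... -out my.p12 -name master` at line 159 gives no `-passout`, so it prompts interactively, whereas every later command in the section passes `-passin pass:123456`; add `-passout pass:123456` for consistency, with a remark that `pass:` on the command line is for examples only, since it is visible in the process list and shell history.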
129 To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED |
166 To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED |
130 PRIVATE KEY``):: |
167 PRIVATE KEY``):: |
131 |
168 |
132 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes |
169 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes |
133 |
170 |
134 To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN |
171 To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or |
135 DSA PRIVATE KEY``):: |
172 ``BEGIN DSA PRIVATE KEY``):: |
136 |
173 |
137 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa |
174 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa |
138 |
175 |
139 To show private key info:: |
176 To show private key info:: |
140 |
177 |
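Review bot: the clarified text at new lines 171-172 promises a `BEGIN DSA PRIVATE KEY` header, but the pipeline at line 174 ends in `openssl rsa`, which rejects non-RSA keys; for a DSA key the tail must be `openssl dsa`, or use `openssl pkey -traditional`, which emits the algorithm-specific PEM for either. Also worth a sentence here: `-nodes` makes both `pkcs12` commands (lines 169 and 174) write the private key unencrypted to stdout, so redirect into a file with restrictive permissions rather than leaving it in terminal scrollback; in OpenSSL 3 the flag is spelled `-noenc` (`-nodes` is still accepted as an alias).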
143 To show certificate info:: |
180 To show certificate info:: |
144 |
181 |
145 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 |
182 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 |
146 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout |
183 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout |
147 |
184 |
|
185 Convert DER to PEM |
|
186 ================== |
|
187 |
|
188 Convert a private key from DER to PEM:: |
|
189 |
|
190 openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem |
|
191 |
|
192 Convert a certificate from DER to PEM:: |
|
193 |
|
194 openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt |
|
195 |
|
196 Convert PEM to DER |
|
197 ================== |
|
198 |
|
199 Convert a private key from PEM to DER:: |
|
200 |
|
201 openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der |
|
202 |
|
203 Convert a certificate from PEM to DER:: |
|
204 |
|
205 openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt |
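Review bot: the PEM-to-DER certificate command at new line 205 writes the DER output to `cert.crt`, the same name the DER-to-PEM step at line 194 uses for PEM output, so running the two sections in sequence overwrites the PEM file with DER; use `-out cert.der` to match `priv.der` at line 201. The key conversions at lines 190 and 201 use `openssl rsa`, which only handles RSA keys; `openssl pkey -inform DER -in priv.der -outform PEM -out priv.pem` (and the reverse with `-outform DER`) handles RSA, DSA and EC keys alike and matches the DSA key generated at line 17. Since `.crt` is used for both encodings, a hint that a file starting with a `-----BEGIN` line is PEM and anything else is DER would help readers pick the right `-inform`.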