changeset 2526 8f83c9cd3059
parent 2492 bd3d45148652
--- a/tls.rst	Thu Apr 21 13:20:02 2022 +0300
+++ b/tls.rst	Thu May 12 15:15:03 2022 +0300
@@ -20,6 +20,42 @@
   openssl ecparam -list_curves
+Show key details::
+  openssl rsa -text -noout -in my.key
+Generate public key::
+  openssl rsa -pubout -in my.key -out my.pem
+Create CSR
+Generate CSR with a private key::
+  openssl req -new -newkey rsa:2048 -nodes
+    -keyout my.key -out my.csr \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Evil/"
+Generate CSR from a private key::
+  openssl req -new -nodes -key my.key -out my.csr
+  openssl req -new -nodes -key my.key -out my.csr \
+    -subj "/C=US/ST=California/L=Los Angeles/O=Evil/"
+Recreate signing request from certificate::
+  openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr
+Review CSR::
+  openssl req -text -noout -in my.csr
+Verify CSR::
+  openssl req -text -noout -verify -in my.csr
 Generate a self-signed certificate
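Review bot: In the `Generate CSR with a private key` example, the line `openssl req -new -newkey rsa:2048 -nodes` has no trailing backslash, so a reader who pastes the block gets a command that ends there, without the `-keyout`/`-out` and `-subj` lines. It should end in ` \` like the line after it. The same example writes `my.key` unencrypted because of `-nodes`, which the text never says. I would add a sentence such as `-nodes leaves the new private key unencrypted on disk; restrict my.key to its owner (chmod 600) or drop the option to be prompted for a passphrase.` In the two `-key my.key` variants `-nodes` appears to have no effect, since no key is generated there, and could be removed.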
@@ -48,6 +84,7 @@
 Review the resulting certificate::
   openssl x509 -text -noout -in my.crt
+  keytool -printcert -file my.crt
 .. note::
    With ``openssl`` we can add an extra step:
@@ -92,16 +129,16 @@
   keytool -exportcert -keystore my.p12 -file my.crt \
     -alias master -rfc -storepass 123456
-Review the resulting certificate::
-  keytool -printcert -file my.crt
   How to create a self-signed certificate with OpenSSL.
 Verify self-signed certificate
+Review certificate::
+  openssl x509 -text -noout -in my.crt
 Use a private key and corresponding self-signed certificate to launch a server::
   openssl s_server -accept 8000 -www -key my.key -cert my.crt
@@ -117,7 +154,7 @@
 PKCS#12 stores
-PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
+PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store::
   openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
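Review bot: The reworded introduction now reads `keeps a private keys`, an article/plural mismatch that the previous wording did not have. I would split it into two sentences: `A PKCS#12 store keeps private keys and certificates. To combine a private key and certificates into the store::`.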
@@ -131,8 +168,8 @@
   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
-To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
+To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or
   openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
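Review bot: The sentence changed here introduces a pipeline that prints the private key unencrypted (`-nodes`) and takes the store password from the command line (`-passin pass:123456`), and the page gives no caveat for either. A password given as `pass:` is visible in the process list and shell history, so the text should mention `-passin env:VAR` or `-passin file:PATH` as the forms to use outside a throwaway example. The same applies to the `-nokeys` commands in the last hunk. Separately, the PKCS#1 claim may not hold on OpenSSL 3.x, where `openssl rsa` is documented to need `-traditional` to emit `BEGIN RSA PRIVATE KEY`; that is worth verifying and stating the version for. The new line appears cut off on this page, so its full wording could not be checked.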
@@ -145,3 +182,24 @@
   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
   openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
+Convert DER to PEM
+Convert a private key from DER to PEM::
+  openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem
+Convert a certificate from DER to PEM::
+  openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt
+Convert PEM to DER
+Convert a private key from PEM to DER::
+  openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der
+Convert a certificate from PEM to DER::
+  openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt
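Review bot: The PEM-to-DER certificate example writes its DER output to `cert.crt`, the same name the DER-to-PEM example uses for PEM output, so the extension no longer tells the reader which encoding a file holds. I would use `-out cert.pem` in the DER-to-PEM command and `-out cert.der` in the PEM-to-DER command, matching the `priv.der`/`priv.pem` pair above them. The key conversions use `openssl rsa`, which covers RSA keys only. Since the page also lists EC curves, a line showing `openssl pkey -inform DER -in priv.der -outform PEM -out priv.pem` as the algorithm-independent form would help. Both key conversions write the private key unencrypted, which deserves one sentence.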