==========
SSL, TLS
==========
.. contents::
:local:
Generate private keys
=====================
Generate RSA key (last argument is a key bit size)::
openssl genrsa -des3 -out my.key -passout pass:123456 2048
Generate DSA key::
openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)
Select DSA curve::
openssl ecparam -list_curves
Show key details::
openssl rsa -text -noout -in my.key
Generate public key::
openssl rsa -pubout -in my.key -out my.pem
Create CSR
==========
Generate CSR with a private key::
openssl req -new -newkey rsa:2048 -nodes
-keyout my.key -out my.csr \
-subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
Generate CSR from a private key::
openssl req -new -nodes -key my.key -out my.csr
openssl req -new -nodes -key my.key -out my.csr \
-subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
Recreate signing request from certificate::
openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr
Review CSR::
openssl req -text -noout -in my.csr
Verify CSR::
openssl req -text -noout -verify -in my.csr
Generate a self-signed certificate
==================================
``openssl`` allows to generate self-signed certificate by a single command (``-newkey``
instructs to generate a private key and ``-x509`` instructs to issue a self-signed
certificate instead of a signing request)::
openssl req -x509 -newkey rsa:4096 \
-keyout my.key -passout pass:123456 -out my.crt \
-days 365 \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
-addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
-addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
You can generate a private key and construct a self-signing certificate in separate steps::
openssl genrsa -out my.key -passout pass:123456 2048
openssl req -x509 \
-key my.key -passin pass:123456 -out my.csr \
-days 3650 \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal \
-addext "subjectAltName = DNS:localhost,DNS:web.internal,email:me@mail.internal" \
-addext keyUsage=digitalSignature -addext extendedKeyUsage=serverAuth
Review the resulting certificate::
openssl x509 -text -noout -in my.crt
keytool -printcert -file my.crt
.. note::
With ``openssl`` we can add an extra step:
* generate private key (``openssl genrsa``)
* generate CSR (``openssl req -new``)
* sign CSR with private key (``openssl x509``)
The problem here is that ``openssl x509`` doesn't support ``-addext`` like option so we
need to craft a config file... Of cause with Bash syntax ``<(...)`` we can add required
extensions::
openssl genrsa -out my.key -passout pass:123456 2048
openssl req -new \
-key my.key -passin pass:123456 -out my.csr \
-subj /CN=localhost/O=home/C=US/emailAddress=me@mail.internal
openssl x509 -req \
-in my.csr -signkey my.key -passin pass:123456 -out my.crt \
-days 3650 -CAcreateserial \
-extensions v3_ca \
-extfile <( \
echo "[v3_ca]"; \
echo "extendedKeyUsage=serverAuth"; \
echo "subjectAltName=DNS:localhost,DNS:web.internal,email:me@mail.internal")
Java ``keytool`` creates PKCS#12 store::
keytool -genkeypair -keystore my.p12 -alias master \
-storetype pkcs12 -keyalg RSA -keysize 2048 -validity 3650 \
-storepass 123456 \
-dname "CN=localhost,O=home,C=US" \
-ext 'san=dns:localhost,dns:web.internal,email:me@mail.internal'
View the keystore::
keytool -list -v -keystore my.p12 -storepass 123456
To export the self-signed certificate::
keytool -exportcert -keystore my.p12 -file my.crt \
-alias master -rfc -storepass 123456
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
How to create a self-signed certificate with OpenSSL.
Verify self-signed certificate
==============================
Review certificate::
openssl x509 -text -noout -in my.crt
Use a private key and corresponding self-signed certificate to launch a server::
openssl s_server -accept 8000 -www -key my.key -cert my.crt
Clients should use self-signed certificate for verification::
echo | openssl s_client -servername localhost -connect localhost:8000 -CAfile my.crt
curl -v --cacert my.crt https://localhost:8000
There is no certificate chain so the check is trivial for self-signed certificates...
PKCS#12 stores
==============
PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store::
openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
Show info about PKCS#12 store::
openssl pkcs12 -info -in my.p12 -passin pass:123456 -nodes
keytool -list -v -keystore my.p12 -storepass 123456
To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
PRIVATE KEY``)::
openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or
``BEGIN DSA PRIVATE KEY``)::
openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
To show private key info::
openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout
To show certificate info::
openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
Convert DER to PEM
==================
Convert a private key from DER to PEM::
openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem
Convert a certificate from DER to PEM::
openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt
Convert PEM to DER
==================
Convert a private key from PEM to DER::
openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der
Convert a certificate from PEM to DER::
openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt