# HG changeset patch
# User Oleksandr Gavenko
# Date 1652357703 -10800
# Node ID 8f83c9cd3059df77e6bb62bec8d0e8b08888b34d
# Parent cb9c3e5c28845210395f1eab0ea6c3cd2cb45d7a
Create CSR. Convert PEM to DER.
diff -r cb9c3e5c2884 -r 8f83c9cd3059 tls.rst
--- a/tls.rst Thu Apr 21 13:20:02 2022 +0300
+++ b/tls.rst Thu May 12 15:15:03 2022 +0300
@@ -20,6 +20,42 @@
 openssl ecparam -list_curves
+Show key details::
+
+ openssl rsa -text -noout -in my.key
+
+Generate public key::
+
+ openssl rsa -pubout -in my.key -out my.pem
+
+Create CSR
+==========
+
+Generate CSR with a private key::
+
+ openssl req -new -newkey rsa:2048 -nodes
+ -keyout my.key -out my.csr \
+ -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
+
+Generate CSR from a private key::
+
+ openssl req -new -nodes -key my.key -out my.csr
+
+ openssl req -new -nodes -key my.key -out my.csr \
+ -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
+
+Recreate signing request from certificate::
+
+ openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr
+
+Review CSR::
+
+ openssl req -text -noout -in my.csr
+
+Verify CSR::
+
+ openssl req -text -noout -verify -in my.csr
+
 Generate a self-signed certificate
 ==================================
@@ -48,6 +84,7 @@
 Review the resulting certificate::
 openssl x509 -text -noout -in my.crt
+ keytool -printcert -file my.crt
 .. note:: With ``openssl`` we can add an extra step:
@@ -92,16 +129,16 @@
 keytool -exportcert -keystore my.p12 -file my.crt \
 -alias master -rfc -storepass 123456
-Review the resulting certificate::
-
- keytool -printcert -file my.crt
-
 https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092 How to create a self-signed certificate with OpenSSL.
 Verify self-signed certificate
 ==============================
+Review certificate::
+
+ openssl x509 -text -noout -in my.crt
+
 Use a private key and corresponding self-signed certificate to launch a server::
 openssl s_server -accept 8000 -www -key my.key -cert my.crt
@@ -117,7 +154,7 @@
 PKCS#12 stores
 ==============
-PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
+PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store::
 openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
@@ -131,8 +168,8 @@
 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
-To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
-DSA PRIVATE KEY``)::
+To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or
+``BEGIN DSA PRIVATE KEY``)::
 openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
@@ -145,3 +182,24 @@
 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
 openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
+Convert DER to PEM
+==================
+
+Convert a private key from DER to PEM::
+
+ openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem
+
+Convert a certificate from DER to PEM::
+
+ openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt
+
+Convert PEM to DER
+==================
+
+Convert a private key from PEM to DER::
+
+ openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der
+
+Convert a certificate from PEM to DER::
+
+ openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt