PKCS#12 stores.
--- a/tls.rst Sun Nov 08 01:01:04 2020 +0200
+++ b/tls.rst Sun Nov 08 09:14:06 2020 +0200
@@ -5,6 +5,17 @@
.. contents::
:local:
+Generate private keys
+=====================
+
+Generate RSA key (last argument is a key bit size)::
+
+ openssl genrsa -des3 -out my.key -passout pass:123456 2048
+
+Generate DSA key::
+
+ openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)
+
Generate a self-signed certificate
==================================
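Review bot: In the DSA example, ``openssl gendsa -out my.key -passout pass:123456 <(openssl dsaparam 512)`` names no cipher option, so ``-passout`` has no effect and ``my.key`` is written unencrypted. The 512-bit parameter size is also far too small to recommend. Suggest adding a cipher such as ``-aes256`` and generating parameters of at least 2048 bits. The RSA example uses ``-des3``, and ``-aes256`` would be the better default to document. Both examples put the passphrase on the command line with ``pass:123456``, which leaves it in shell history and the process list. A sentence saying this is for demonstration only, and that ``-passout file:...`` or ``-passout env:...`` or the interactive prompt should be used otherwise, would help readers who copy the commands. The ``<(...)`` process substitution needs bash or a similar shell, which is worth stating.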
@@ -94,3 +105,30 @@
curl -v --cacert my.crt https://localhost:8000
There is no certificate chain so the check is trivial for self-signed certificates...
+
+PKCS#12 stores
+==============
+
+PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
+
+ openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
+
+To export a private key to PKCS#8 format (has header ``BEGIN PRIVATE KEY`` or ``BEGIN ENCRYPTED
+PRIVATE KEY``)::
+
+ openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
+
+To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
+DSA PRIVATE KEY``)::
+
+ openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
+
+To show private key info::
+
+ openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa -text -noout
+
+To show certificat info::
+
+ openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
+ openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
+
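Review bot: Every key-extraction command in the new "PKCS#12 stores" section passes ``-nodes``, so the private key is printed unencrypted, and the text never says so. With ``-nodes`` the output carries the ``BEGIN PRIVATE KEY`` header only, not ``BEGIN ENCRYPTED PRIVATE KEY`` as the PKCS#8 paragraph suggests. Suggest stating that ``-nodes`` disables encryption of the output and showing a variant without it (or with ``-passout``) for keys that are written to disk. The PKCS#1 paragraph mentions ``BEGIN DSA PRIVATE KEY``, but the pipeline ends in ``openssl rsa``, which only handles RSA keys; either drop the DSA header from the text or add the ``openssl dsa`` form. The ``-export`` command gives no ``-passout``, while the later commands assume ``pass:123456``; say that the export password is prompted for. Typo in "To show certificat info": "certificate".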