Create CSR. Convert PEM to DER.
--- a/tls.rst Thu Apr 21 13:20:02 2022 +0300
+++ b/tls.rst Thu May 12 15:15:03 2022 +0300
@@ -20,6 +20,42 @@
openssl ecparam -list_curves
+Show key details::
+
+ openssl rsa -text -noout -in my.key
+
+Generate public key::
+
+ openssl rsa -pubout -in my.key -out my.pem
+
+Create CSR
+==========
+
+Generate CSR with a private key::
+
+ openssl req -new -newkey rsa:2048 -nodes
+ -keyout my.key -out my.csr \
+ -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
+
+Generate CSR from a private key::
+
+ openssl req -new -nodes -key my.key -out my.csr
+
+ openssl req -new -nodes -key my.key -out my.csr \
+ -subj "/C=US/ST=California/L=Los Angeles/O=Evil/CN=me@mail.com"
+
+Recreate signing request from certificate::
+
+ openssl x509 -x509toreq -in my.crt -signkey my.key -out my.csr
+
+Review CSR::
+
+ openssl req -text -noout -in my.csr
+
+Verify CSR::
+
+ openssl req -text -noout -verify -in my.csr
+
Generate a self-signed certificate
==================================
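Review bot: the first line of the "Generate CSR with a private key" command, ``openssl req -new -newkey rsa:2048 -nodes``, ends without a trailing backslash while the next line has one, so a pasted block runs that line on its own and treats the ``-keyout``/``-subj`` lines as a separate command. Add `` \`` at the end of that line. Two smaller points in the same hunk: under "Generate CSR from a private key" the two commands are alternatives (interactive prompts versus ``-subj``), and the text should say so; and ``-nodes`` leaves ``my.key`` unencrypted in the ``-newkey`` form, which deserves a sentence, while in the ``-key my.key`` forms no key is written and the flag can be dropped.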
@@ -48,6 +84,7 @@
Review the resulting certificate::
openssl x509 -text -noout -in my.crt
+ keytool -printcert -file my.crt
.. note::
With ``openssl`` we can add an extra step:
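Review bot: the added ``keytool -printcert -file my.crt`` shares a literal block with ``openssl x509 -text -noout -in my.crt`` under "Review the resulting certificate", with nothing to say the two lines are alternatives rather than a sequence, and the note that follows speaks only of ``openssl``. Give the keytool command its own lead-in and block, for example "Or with ``keytool``::", so the openssl walkthrough stays self-contained.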
@@ -92,16 +129,16 @@
keytool -exportcert -keystore my.p12 -file my.crt \
-alias master -rfc -storepass 123456
-Review the resulting certificate::
-
- keytool -printcert -file my.crt
-
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/64733092#64733092
How to create a self-signed certificate with OpenSSL.
Verify self-signed certificate
==============================
+Review certificate::
+
+ openssl x509 -text -noout -in my.crt
+
Use a private key and corresponding self-signed certificate to launch a server::
openssl s_server -accept 8000 -www -key my.key -cert my.crt
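Review bot: removing the "Review the resulting certificate" block after ``keytool -exportcert`` leaves the keytool flow with no step that inspects the exported ``my.crt``, and the Stack Overflow link now follows the export command directly. The added "Review certificate" block under "Verify self-signed certificate" repeats ``openssl x509 -text -noout -in my.crt``, which the earlier "Review the resulting certificate" step already shows. Consider keeping ``keytool -printcert`` here and replacing the repeated openssl block with a reference to the earlier step.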
@@ -117,7 +154,7 @@
PKCS#12 stores
==============
-PKCS#12 store keeps private keys and certificates, to combine a private key and certificates into the store::
+PKCS#12 store keeps a private keys and certificates, to combine a private key and certificates into the store::
openssl pkcs12 -export -in my.crt -inkey my.key -certfile other.crt -out my.p12 -name master
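Review bot: the changed sentence now reads "keeps a private keys and certificates", which pairs the article "a" with a plural noun; the removed wording was grammatical. Either revert it or write "A PKCS#12 store keeps private keys and certificates". The sentence is also a comma splice, so splitting it before "to combine" would read better.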
@@ -131,8 +168,8 @@
openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes
-To extract private key and convert to PKCS#1 format (has header ``BEGIN RSA PRIVATE KEY`` or ``BEGIN
-DSA PRIVATE KEY``)::
+To extract private key and convert to PKCS#1 format (PEM, has header ``BEGIN RSA PRIVATE KEY`` or
+``BEGIN DSA PRIVATE KEY``)::
openssl pkcs12 -info -nocerts -in my.p12 -passin pass:123456 -nodes | openssl rsa
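Review bot: the reworded sentence still lists ``BEGIN DSA PRIVATE KEY`` as a PKCS#1 header, but PKCS#1 is the RSA key format and the command pipes into ``openssl rsa``, which only handles RSA keys, so the DSA header cannot come out of this pipeline. Drop the DSA mention or describe it as the traditional DSA format with its own command. It is also worth stating which OpenSSL version the header claim was checked against, since OpenSSL 3.x writes ``BEGIN PRIVATE KEY`` (PKCS#8) from ``openssl rsa`` unless ``-traditional`` is given.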
@@ -145,3 +182,24 @@
openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456
openssl pkcs12 -info -nokeys -in my.p12 -passin pass:123456 | openssl x509 -text -noout
+Convert DER to PEM
+==================
+
+Convert a private key from DER to PEM::
+
+ openssl rsa -inform DER -in priv.der -outform PEM -out priv.pem
+
+Convert a certificate from DER to PEM::
+
+ openssl x509 -inform DER -in cert.der -outform PEM -out cert.crt
+
+Convert PEM to DER
+==================
+
+Convert a private key from PEM to DER::
+
+ openssl rsa -inform PEM -in priv.pem -outform DER -out priv.der
+
+Convert a certificate from PEM to DER::
+
+ openssl x509 -inform PEM -in cert.pem -outform DER -out cert.crt
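Review bot: in "Convert a certificate from PEM to DER" the output is written to ``cert.crt``, the same name the DER to PEM section uses for its PEM output, so running both sections in one directory overwrites the PEM file with DER bytes. Use ``-out cert.der`` here, and pick one name for the PEM certificate across both sections (``cert.pem`` or ``cert.crt``) so the two conversions round-trip. The private key headings say "a private key" while the commands use ``openssl rsa``; either say "an RSA private key" or use ``openssl pkey`` so the text matches other key types.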