./openssl/misc.md download original
w/ interactive passphrase key passphrase entry
openssl genrsa -aes256 -out ca-key.pem 4096pass passphrase on cmdline:
openssl genrsa -aes256 -passout pass:geheim -out ca-key.pem 4096interactive fields and passphrase (of input key file) entry
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pempass fields and passphrase on cmdline:
openssl req -new -x509 -days 365 -subj '/C=DE/ST=Berlin/L=Berlin/O=My Organization/OU=SMITH/CN=My Org Development CA/emailAddress=smith@myorg.com' -key ca-key.pem -passin pass:geheim -sha256 -out ca.pem(it computes the public key to be written into the certificate from the ca-key.pem private key)
openssl genrsa -passout pass:geheim -out server-key.pem 4096openssl req -new -subj '/CN=*.myorg.com' -key server-key.pem -passin pass:geheim -sha256 -out server.csropenssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin pass:geheim -CAcreateserial -out server-cert.pem -extfile <(echo 'subjectAltName = DNS:*.myorg.com,IP:10.10.10.20')openssl verify -CAfile ca.pem server-cert.pemWith intermediate certs:
openssl verify -CAfile <(cat rootca.pem intermediate1.pem intermediate2.pem ...) server-cert.pemopenssl x509 -in some-cert.pem -text -nooutSame for a CSR:
openssl req -text -noout -verify -in server.csropenssl rsa -in server-key.pem -out server-key-dec.pemopenssl s_client -showcerts -connect www.example.com:443 </dev/null(always gets and prints the whole chain, from leaf to root... :)
...with server name indication (SNI):
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/nullopenssl x509 -noout -fingerprint -in ca.pemsudo su # must be root for this
cp ca.pem /etc/ssl/certs/Example_CA.pem # choose expressive name. Directory depends on OpenSSL installation; this is the default for Debian & derivatives
chmod 644 /etc/ssl/certs/Example_CA.pem
cd /etc/ssl/certs/
ln -s Example_CA.pem $(openssl x509 -noout -hash -in Example_CA.pem).0© 1998-2017 Olaf Klischat olaf.klischat@gmail.com