OpenSSL – useful commands

Just a few things I learnt playing with openssl:

Generating a root CA certificate. It is also a self-signed certificate, so if that is all you need, you can stop here:

openssl req -new -x509 -keyout <keyPem> -out <certPem> -days 365 -extensions v3_ca

Generating a key and a certificate request:

openssl req -new -nodes -keyout <keyPem> -out <csrfile>

Signing a certificate request:

openssl x509 -req -days 356 -in <csrfile> -out <certfile> -CA ca3cert.pem -CAkey ca3key.pem -set_serial <serial>

Signing an existing certificate (without -req, x509 reads a certificate rather than a request and re-signs it with the CA key):

openssl x509 -days 356 -in <certfile> -out <signedCertfile> -CA ca3cert.pem -CAkey ca3key.pem -set_serial <serial>

Now with keytool:

keytool -genkey -keystore <keystore> -dname "<dname string, see man keytool>"

Then we can export a certificate signing request:

keytool -certreq -alias mykey -file <csrFile> -keystore <keystore>

Finally import the certificate:

keytool -import -keystore <keystore> -file <certPem>

Exporting certificates for Mozilla/IE as PKCS#12 (the temporary file holds the private key, so delete it afterwards):

cat <keyPem> <certPem> > tmp
openssl pkcs12 -export -in tmp -out <file.p12> -certfile <cacert.pem>

Viewing a certificate:

openssl x509 -in <cert> -text | less

Testing if it works:

openssl s_client -connect localhost:8443 -cert user2cert.pem -key user2key.pem -CAfile ca3cert-1.pem
openssl s_server -accept 8443 -cert serverCert.pem -key serverKey.pem -CAfile ca3cert-1.pem

Just a few notes:

  1. Tomcat uses the alias mykey for the key it uses for the websites.
  2. To import certificates into Mozilla/IE you also need to include the CA certificate in the PKCS#12 file.
  3. There is a script, CA.pl, which seems to automate many of these tasks.
  4. Watch out for V3 extensions (certificate purpose, CA=TRUE/FALSE, etc.).
  5. Most of these options can be specified directly in the openssl.cnf configuration file.
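The commands above, run end to end as one added example (this is not from the original post): it writes a small stand-in for openssl.cnf (note 5), creates a root CA with v3_ca extensions, issues a server certificate from a CSR with a chosen serial, checks the CA=TRUE/FALSE flags (note 4), verifies the chain, and exports a PKCS#12 bundle that carries the CA certificate (note 2). All file names, the subjects, the serial 1000 and the export password "demo" are constructed for this run; keys are written to a temporary directory that is removed on exit instead of a leftover tmp file.

```bash
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway CA,
# issues a server certificate from a CSR, checks the V3 extensions and
# exports a PKCS#12 bundle including the CA certificate. File names,
# subjects, the serial and the "demo" password are constructed for this run.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORKDIR=$(mktemp -d)
# Private keys live only in the temp dir and are wiped on exit.
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal openssl.cnf replacement so nothing depends on the system config.
# v3_ca marks a CA, v3_leaf a non-CA end entity.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Demo Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
}

# Root CA key and self-signed certificate in one step.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/demo.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Server key plus certificate signing request; -subj overrides the dn section.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/demo.cnf" -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Sign the CSR with the CA. -req tells x509 the input is a request, not a
# certificate; -extfile/-extensions attach the leaf extensions.
sign_csr() {
    openssl x509 -req -days 365 -sha256 -in "$1/server.csr" -out "$1/server.pem" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -set_serial "$2" \
        -extfile "$1/demo.cnf" -extensions v3_leaf 2>/dev/null
}

# PKCS#12 for browsers: key, leaf certificate and, via -certfile, the CA
# certificate the browser needs to build the chain.
export_p12() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.pem" \
        -certfile "$1/ca.pem" -out "$1/server.p12" -passout pass:demo
}

verify_chain() {            # exit 0 only if server.pem chains to ca.pem
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null
}

ca_flag() {                 # prints CA:TRUE or CA:FALSE for a certificate
    openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' | head -n 1
}

cert_serial() {             # prints the serial as openssl shows it
    openssl x509 -in "$1" -noout -serial
}

p12_cert_count() {          # number of certificates inside the bundle
    openssl pkcs12 -in "$1/server.p12" -passin pass:demo -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

write_config "$WORKDIR/demo.cnf"
make_ca "$WORKDIR"
make_csr "$WORKDIR"
sign_csr "$WORKDIR" 1000
export_p12 "$WORKDIR"

verify_chain "$WORKDIR" && echo "chain: OK"
echo "root : $(ca_flag "$WORKDIR/ca.pem")"
echo "leaf : $(ca_flag "$WORKDIR/server.pem")  $(cert_serial "$WORKDIR/server.pem")"
echo "p12  : $(p12_cert_count "$WORKDIR") certificates"
```

Running it prints CA:TRUE for the root, CA:FALSE and serial=03E8 (1000 in hex) for the leaf, and a certificate count of 2 for the bundle, which is what a browser import needs to find the issuer. Using -inkey and -in on the pkcs12 command avoids concatenating the key into a scratch file at all.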
