# quick & dirty openssl... keys, certificates



## graudeejs (Aug 23, 2009)

*BEFORE I START*
How to get openssl help?

```
openssl help
```
help is not valid openssl command, but that seams to be the only way to get openssl commands 

now if you need help about something more specific
try

```
openssl OPENSSL_COMMAND -help
```
or simply

```
openssl OPENSSL_COMMAND
```
[correct me if i'm wrong, and there is a better way]

or read openssl(1)


*GENERATING RSA KEY*
RSA keys can be used for signing and encrypting/decrypting

Generate password protected 4096 bit RSA private key

```
openssl genrsa -aes256 -out privkey.key 4096
```
you can replace -aes256, with -des, -des3, -aes128, -aes192, -camellia128, -camellia192, -camellia256
Note: each time you need to use this private key, you will be asked for password

Generating password unprotected 4096 bit RSA private key

```
openssl genrsa -out privkey.key 4096
```

*GENERATING DSA KEY*
DSA keys can be used for signing only

Generate parameters from which to generate the key

```
openssl dsaparam -out dsaparam.pem 4096
```

Generate password protected DSA key using the parameters in question

```
openssl gendsa -aes256 -out privkey.key dsaparam.pem
```
you can replace -aes256, with -des, -des3, -aes128, -aes192, -camellia128, -camellia192, -camellia256
Note: each time you need to use this private key, you will be asked for password

Generate password unprotected DSA key using the parameters in question

```
openssl gendsa -out privkey.key dsaparam.pem
```

*CREATING A CERTIFICATE REQUEST*


> openssl req -new -key privkey.key -out cert.csr


Now, cert.csr can be sent to the certificate authority, if they can handle files in PEM format.  If not, use the extra argument '-outform' followed by the keyword for the format to use


*CREATING A SELF-SIGNED CERTIFICATE*

```
openssl req -new -x509 -key privkey.key -out newcert.pem -days 1095
```



			
				gilinko said:
			
		

> When asked for "YOUR name" in these dialogs you enter the full domain name(ie http://www.example.com or subdomain.example.com), and not your name. Can be confusing, but that's pretty much the only thing that isn't pretty clear in the dialogues.




*CREATE SELF-SIGNED CERTIFICATE FROM A CERTIFICATE SIGNING REQUEST*

```
openssl req -new -x509 -in cert.csr -key privkey.key -out newcert.pem -days 1095
```



			
				gilinko said:
			
		

> When asked for "YOUR name" in these dialogs you enter the full domain name(ie http://www.example.com or subdomain.example.com), and not your name. Can be confusing, but that's pretty much the only thing that isn't pretty clear in the dialogues.




*GET CERTIFICATE HASH*

```
openssl x509 -noout -hash -in newcert.pem
```


*CONVERTING CERTIFICATE TO/FROM PKCS #12 FORMAT*
pem to pcsk 12

```
openssl pkcs12 -export -in newcert.pem -inkey privkey.key -out newcert.p12
```
pcsk 12 to pem

```
openssl pkcs12 -in newcert.p12 -out newcert.pem -nodes -clcerts
```

*VIEW CERTIFICATE IN HUMAN READABLE MANNER*
pem format

```
openssl x509 -text -noout -in newcert.pem
```
pkcs 12 format

```
openssl pkcs12 -info -nodes -in newcert.p12
```


*ENCRYPT/DECRYPT PRIVATE KEY*
When you use encrypted private key openssl will ask password.
Encrypt

```
openssl rsa -aes256 -in unencrypted_privkey.key -out encrypted_privkey.key
```
Decrypt

```
openssl rsa -aes256 -in encrypted_privkey.key -out unencrypted_privkey.key
```


*VIEW CERTIFICATE SIGNER*

```
openssl x509 -in newcert.pem -noout -issuer -issuer_hash
```
 

*VERIFY A CERTIFICATE MATCHES A PRIVATE KEY*

```
openssl x509 -in newcert.pem -noout -modulus > cert.txt
openssl rsa -in privkey.key -noout -modulus > key.txt
diff cert.txt key.txt
rm cert.txt key.txt
```


*GENEREATE PUBLIC RSA/DSA KEY*
RSA
privkey.key must be RSA

```
openssl rsa -in privkey.key  -pubout -out pub.key
```
DSA
privkey.key must be DSA

```
openssl dsa -in privkey.key  -pubout -out pub.key
```


*REVOKE CERTIFICATE*

```
openssl -revoke newcert.pem
```


filename description used here

```
private.pem		- private key (password encrypted or not)
dsaparam.pem		- dsa parameters used to generate dsa private key
cacert.pem		- certificate used to sign other certificates (CA certificate)
newcert.pem		- you certificate
newcert.p12		- your certificate in pcsk 12 format
cert.csr		- certificate request
```


NOTES:
all above can be done using /usr/src/crypto/openssl/apps/CA.pl in simplified manner


REFERENCES:
http://www.openssl.org/docs/HOWTO/certificates.txt
http://www.openssl.org/docs/HOWTO/keys.txt
openssl(1)
http://www.freebsddiary.org/openssl-client-authentication.php
ca(1)
/usr/src/crypto/openssl/apps/CA.pl
http://www.madboa.com/geek/openssl/
http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php

SEE ALSO:
http://www.freebsddiary.org/apache13-modssl.php
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html

P.S.
For more information, please read resources provided above, they are very well written, and much more verbose
This is about all I wanted to write today.... anyone have anything to add?
Got questions? Shoot here! I'll try to answer....


EDIT:
renamed privkey.pem to privkey.key


----------



## graudeejs (Jun 2, 2011)

An important note

You should probably use RSA instead of DSA to generate server certificates.
However if you generated DSA certificate make sure you don't generate key longer than 1024 bytes, otherwise Firefox and Chrome (and everything else using NSS. will not be able to connect to your https website (Opera and Safari will work just fine).

This is bug in NSS:
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=475578

An important note 2
It looks like Opera is suffering performance issues, when connecting to HTTPS that use RSA certificate with 4096 bytes (at least in my case). It may take up to 13-30 seconds for initial connection. After that it seams to work fine, until session timeouts. This is really painful. All other browsers (Including Internet Explorer) works fine.


----------



## Alt (Jun 3, 2011)

Thanks this is very useful quickstart manual. But I'm iterested, is there a way to make self-signed ssl certificates that don't warn user about certificates, or even make a green url bar? It's possible without CA centre (self-signed)?


----------



## mix_room (Jun 3, 2011)

Alt said:
			
		

> But I'm iterested, is there a way to make self-signed ssl certificates that don't warn user about certificates, or even make a green url bar? It's possible without CA centre (self-signed)?



Yes. But you need to include the signing CA certificate in your browsers list of 'acceptable' CAs. I was only able to find a Windows How-To, but the general idea should be the same: http://support.microsoft.com/kb/295663


----------



## graudeejs (Jun 3, 2011)

Or you can use CAcert certificate for free (You still need to import CAcert root certificate), however after that, everything you expect will work including certificate revocation check


----------



## graudeejs (Jun 3, 2011)

Wanted to point out 2nd important note
http://forums.freebsd.org/showpost.php?p=136329&postcount=2


----------

