Frequently used openssl operations:

Generating a new private key for your host:

# openssl genrsa -out host.key -des3 2048
Note: If you want httpd to start automatically at system boot (you probably do), the key must have no passphrase (generate it without -des3); otherwise startup will hang at a password prompt. To remove the passphrase from an existing key, use the following command:

# openssl rsa -in host.key -out host.key_nopass

Reading an SSL cert:

# openssl x509 -in host.crt -noout -text

Generating a new certificate request:

# openssl req -new -key host.key -out certrequest.pem

Alternatively, generate a new self-signed certificate:

openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.crt

Create a certificate for an imported request (as a CA):

echo -ne '01' > ca.serial
openssl x509 -days 7300 -CA cacert.pem -CAkey ca.key -CAserial ca.serial -in imported.csr -req -out imported.cer

Create a subordinate CA (from an external request, e.g. a Windows server):

openssl x509 -req -in request.req -out subCA.pem -extfile /usr/lib/ssl/openssl.cnf -extensions v3_ca -CAserial ca.serial -CA cacert.pem -CAkey ca.key -sha1 -days 3650

Export a certificate as PKCS12:

openssl pkcs12 -export -in cert.pem -inkey cert.key -out cert.p12
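
An added example, not part of the original page: a shell script that audits a key and certificate produced by the commands above, reporting whether the certificate is signed with MD5 or SHA-1 (which the -sha1 option above produces), whether the key file is passphrase-protected, and whether the key and certificate belong together. The function names are hypothetical; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: audit a key/certificate pair such as host.key / host.crt.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed if the algorithm name uses a broken digest (MD5 or SHA-1).
sigalg_is_weak() {
    case "$1" in
        md5*|sha1*|*SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the PEM private key is passphrase-protected. Both the traditional
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY")
# encodings carry the word ENCRYPTED in their header.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Succeed if the private key and the certificate hold the same public key.
# An encrypted key makes openssl ask for its passphrase here.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# usage: audit_pair KEY CERT ; returns non-zero if any check fails
audit_pair() {
    rc=0
    alg=$(cert_sigalg "$2")
    if sigalg_is_weak "$alg"; then echo "WEAK  signature: $alg"; rc=1
    else echo "ok    signature: $alg"; fi
    if key_is_encrypted "$1"; then echo "note  key is passphrase-protected"
    else echo "note  key is unencrypted; keep it readable by its owner only"; fi
    if key_matches_cert "$1" "$2"; then echo "ok    key matches certificate"
    else echo "FAIL  key does not match certificate"; rc=1; fi
    return $rc
}

if [ $# -eq 2 ]; then audit_pair "$1" "$2"; fi
```

Run it as `sh audit.sh host.key host.crt` (the script name is a placeholder); the exit status is non-zero when the signature is weak or the pair does not match.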