- Abstract
- OpenSSL general commands
- Root CA
- Intermediate CA
- End-user certificates
- CRL
Created by gh-md-toc
This repository contains the common openssl commands I often use and always forget, especially when managing a CA.
Simply clone the repository and start using it.
The various subdirectories needed for the certificate and private keys (private, certs, etc.) all contains a .gitignore that will prevent their content from being tracked by git. It basically contains the following snippet
# Ignore everything in this directory
*
# Except this file
!.gitignore
Raw generation
$> openssl rand 32 # 32: numbers of bytes. Replace by any desired valueHex encoding
$> openssl rand -hex 32Base64 encoding
$> openssl rand -base64 32$> openssl genrsa \
-aes256 \ # Encrypt the private key with aes 256 cbc. Password will be prompted by OpenSSL
-out private_key.pem \ # Output key to `private_key.pem`
4096 # The length of the RSA keyGenerate with the parameters:
$> openssl ecparam \
-name prime256v1 \ # Name of the algorithm to use
-genkey \ # Generate a new key
-noout \ # Do not print the EC parameter
-out priv.pem # Name of the file where the keys will be storedThe ecparam command does not have a built-in tool to password-protect the private key.
We'll need to use the ec command:
$> openssl ec \
-in <private.key.pem> \ # The unencrypted private key
-out <private_encrypted.key.pem> \ # Encrypted private key
-aes256 # Encryption algorithm$> openssl ecparam \
-genkey \
-name secp256k1 \
| \
openssl ec \
-aes256 \
-out privatekey.pem$> openssl req \
-config openssl.cnf \ # Root CA configuration file
-key private.pem \ # Private key of the Root CA
-new \ # Generate a new request
-x509 \ # Instead of a req, output a x509 certificate
-out ca.cert.pem # File to which the certificate will be generatedYou will of course need a public/private key pair for this
$> openssl req
-config <intermediate.cnf> \ # Intermediate CA configuration file
-new \ # Generate a new CSR
-key <intermediate.key.pem> \ # Intermediate CA private key
-out <intermediate.csr.pem> # File to output the CSR toThe commands are basically going to be the same for all the end-user certificate. Just the configuration file will change and this will be put in another section
See above for the commands
$> openssl req \
-config <end-user.cnf> \ # The config file for the CSR
-key <private_key.pem> \ # The private key previously generated
-new \ # Generate a new file
-out <csr.pem> \ # output PEM file$> openssl ca \
-config <ca-config.conf> \ # The CA config file
-extensions <end-user-type.cnf> \ # The extensions to be added to the cert.
# depends on the cert type
-in <path_to_end_user_csr.pem> \ # The cleint CSR
-out <path_to_cert.pem> # The signed certificateYou only need the certificate you want to revoke. There are two ways to achieve this
- You kept the signed certificate
- OpenSSL keep signed certificates in
newcerts. They are named by their indexes in the database. Just read theindex.txtcontent to see the serial number and the DN of the certificate you want to revoke
$> openssl ca -revoke \
cert.pem # Certificate you want to revoke