SSL Cert Quicknotes

A very brief introduction to creating a CA and a certificate

To make certificate authority:

mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
vi openssl.cnf (set values)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

To make a new certificate:

cd CA (same directory created above)
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365 -config openssl.cnf

(certificate and private key in file newreq.pem)

To sign new certificate with certificate authority:

cd CA (same directory created above)
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem
rm -f tmp.pem

(newcert.pem contains signed certificate, newreq.pem still contains
unsigned certificate and private key)

Viewing the cert

openssl x509 -in file.pem -noout -text

Connecting to an SSL server

openssl s_client -CAfile /etc/ssl/ca.pem -connect ldap1.example.com:636

Working with keys

To create a private key protected with Triple DES encryption (recommended), use the following command:
openssl genrsa -des3 -out filename.key 1024

To create a private key without Triple DES encryption, use the following command:
openssl genrsa -out filename.key 1024

To add a password to an existing private key, use the following command (the rsa subcommand was missing):
openssl rsa -in filename.key -des3 -out newfilename.key

To remove a password from an existing private key, use the following command (the rsa subcommand was missing):
openssl rsa -in filename.key -out newfilename.key

To create a self-signed certificate:
openssl req -new -key filename.key -x509 -out filename.crt

Generating a CSR

After generating the key, generate the CSR:
openssl req -new -key server.key -out server.csr
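The CA setup, the CSR route and the signing step above, carried through end to end as an added example (my own script, not the page's commands): the openssl.cnf it writes is a constructed minimal stand-in for the sample file the page tells you to copy and edit, and the CA name, hostname and scratch directory are assumed values.

```shell
# Added example (not from the page): build a CA, issue a server cert, verify it.
# openssl.cnf below is a constructed minimal stand-in for the sample file the page edits.
set -eu
write_cnf() {   # only the sections `openssl req` and `openssl ca` actually need
cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
}
build_demo_ca() {   # $1 = scratch dir; returns 0 only if the issued cert verifies
  mkdir -p "$1/CA" && cd "$1/CA"
  mkdir -p certs crl newcerts private && echo "01" > serial && : > index.txt
  write_cnf openssl.cnf
  # 1. CA key + self-signed CA cert (page uses 1024-bit RSA; 2048 is today's floor)
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout private/cakey.pem \
    -out cacert.pem -days 365 -subj "/CN=Demo Test CA" -config openssl.cnf -extensions v3_ca
  chmod 600 private/cakey.pem   # the CA key is the whole trust root: lock it down
  # 2. server key + CSR in one step (no detour through a self-signed cert and -x509toreq)
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=ldap1.example.com" -config openssl.cnf
  openssl ca -batch -config openssl.cnf -policy policy_anything -in server.csr -out newcert.pem  # -batch: no y/n prompts
  # checks: chain verifies, leaf is CA:FALSE, serial advanced, index has one V(alid) row
  openssl verify -CAfile cacert.pem newcert.pem >/dev/null &&
    openssl x509 -in newcert.pem -noout -text | grep -q 'CA:FALSE' &&
    [ "$(cat serial)" = "02" ] && [ "$(grep -c '^V' index.txt)" = "1" ]
}
```

The `[ req_dn ]` section is deliberately empty because every subject is passed with -subj; drop -subj and fill that section in if you want the interactive prompts the page's `vi openssl.cnf (set values)` step prepares.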