openssl genrsa -out ca.key 4096 openssl req -new -key ca.key -out ca.csr -config ca_openssl.cnf openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt openssl x509 -in ca.crt -outform der -out cacert.der openssl x509 -in ca.crt -outform PEM -out cacert.pem
test.cnf:
[ req ] serial = 001 expiration_days = 3650 default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] C=AU ST=STATE L=CITY O=xyz CN=mail.xyz.com emailAddress=postmaster@xyz.com [ cert_type ] nsCertType = server
generate cert:
openssl req -nodes -newkey rsa:4096 -config test.cnf -days 3650 -keyout test.key -out test.csr openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile test.cnf -extensions cert_type -outform PEM -out test.crt -days 3650 cat test.key test.crt > test.pem openssl gendh 1024 >> test.pem
openssl req -newkey rsa:4096 -days 3000 -keyout new2.key -out new2.csr -config sign_openssl.cnf openssl ca -in new2.csr -days 3000 -notext -out new2.pem -keyfile ca.key -cert ca.crt -config sign_openssl.cnf openssl rsa -in new2.key -out new2a.key cat new2a.key new2.pem > squid.pem openssl x509 -text -noout -in squid.pem if sign_openssl.cnf had all the information configured then this would create without input: openssl req -newkey rsa:4096 -days 3000 -keyout new4.key -outform PEM -out new4.csr -config sign_openssl.cnf -nodes -batch openssl x509 -req -in new4.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform PEM -out new4.pem -days 3000 cat new4.key new4.pem > new4_squid.pem openssl req -newkey rsa:2048 -keyout wildkey.pem -keyform PEM -out wildreq.pem -outform PEM -config wild_openssl.cnf -nodes openssl ca -startdate 100921010000Z -in wildreq.pem -notext -out wildcert.pem -keyfile ca.key -cert ca.crt -config wild_openssl.cnf cat wildkey.pem wildcert.pem > wildsquid.pem -- make a der cert openssl x509 -outform der -in wildcert.pem -out wildcert.der openssl req -newkey rsa:2048 -keyout XYZkey.pem -keyform PEM -out XYZreq.pem -outform PEM -config XYZ_openssl.cnf -nodes openssl ca -startdate 100921010000Z -in XYZreq.pem -notext -out XYZcert.pem -keyfile ca.key -cert ca.crt -config XYZ_openssl.cnf openssl pkcs12 -export -clcerts -in XYZcert.pem -inkey XYZkey.pem -out XYZkey.p12 -name "P3"
openssl genrsa -out ca.key 1024 openssl req -new -key ca.key -out ca.csr openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
Make the der file for clients to install into there root certificate stores openssl x509 -in cacert.pem -outform der -out cacert.der
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout dc01.pem -out dc01.csr
file: v3.ext
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000 -extfile v3.ext
openssl x509 -req -in request.req -CA ca.crt -CAkey ca.key -CAcreateserial -out request.cer -days 3000 Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []: Email Address []:
openssl req -new -newkey rsa:1024 -days 3560 -CA ca.crt -nodes -x509 -keyout dc01.pem -out dc01.pem
openssl genrsa -out cdt.pem 1024 openssl rsa -in cdt.pem -out cdt.public.der -outform DER -pubout -text vi cdt.public.der var p = "10001" <= publicExponent var d = "" <= privateExponent var m = "" <= modulus var md = 130 setMaxDigits(md); var key = new RSAKeyPair(p,d,m); //encrpyt var ciphertext = encryptedString(key, message); //decode var decrpyttext = decryptedString(key, ciphertext);
openssl req -noout -text -in mycsr.csr openssl x509 -noout -text -in mycert.crt openssl pkcs12 -clcerts -nodes -passin pass:"SomePassword" -in mycert.p12 | openssl x509 -noout -text
The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands: $ openssl x509 -noout -text -in server.crt $ openssl rsa -noout -text -in server.key The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following approach: $ openssl x509 -noout -modulus -in server.crt | openssl md5 $ openssl rsa -noout -modulus -in server.key | openssl md5 And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. As a one-liner: $ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\ openssl rsa -noout -modulus -in server.key | openssl md5 And with auto-magic comparison (If more than one hash is displayed, they don't match): $ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\ openssl rsa -noout -modulus -in server.key | openssl md5) | uniq BTW, if I want to check to which key or certificate a particular CSR belongs you can compute $ openssl req -noout -modulus -in server.csr | openssl md5
openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nocerts -nodes -out wildcard.somedomain.com.au.key openssl pkcs12 -in wildcard.somedomain.com.au.pfx -clcerts -nokeys -out wildcard.somedomain.com.au.cer openssl pkcs12 -in wildcard.somedomain.com.au.pfx -nodes -nokeys -cacerts -out wildcard.somedomain.com.au-ca.crt apache vhost conf: SSLEngine on SSLCertificateFile /etc/apache2/ssl/wildcard.somedomain.com.au.cer SSLCertificateChainFile /etc/apache2/ssl/wildcard.somedomain.com.au-ca.crt SSLCertificateKeyFile /etc/apache2/ssl/wildcard.somedomain.com.au.key SSLProtocol ALL -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK SSLHonorCipherOrder On