BreadCrumbs: OpenSSL

OpenSSL

From Luke Jackson

(Difference between revisions)
Jump to: navigation, search
Revision as of 03:54, 14 July 2008 (edit)
Ljackson (Talk | contribs)

← Previous diff
Current revision (03:37, 30 August 2020) (edit)
Ljackson (Talk | contribs)
(Sources)
 
Line 1: Line 1:
== Generate Self-Signed Certificate == == Generate Self-Signed Certificate ==
- openssl genrsa -des3 -out server.key 1024+Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted)
 + 
 + openssl genrsa -des3 -out server.key 2048
 + 
 +You can see the details of this RSA private key via the command:
 + 
 + openssl rsa -noout -text -in ca.key
 + 
 +Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
openssl req -new -key server.key -out server.csr openssl req -new -key server.key -out server.csr
- cp server.key server.key.tmp+You can see the details of this CSR via the command
- openssl rsa -in server.key.tmp -out server.key+ 
 + openssl req -noout -text -in server.csr
 + 
 +You can create a decrypted PEM version (not recommended) of this private key via:
 + 
 + openssl rsa -in ca.key -out ca.key.unsecure
 + 
 +If you want to run apache without a password rename it correctly:
 + 
 + mv server.unsecure server.key
 + 
 +Generate apache mod_ssl certificate:
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
 +Verify contents of certificate:
 +
 + openssl x509 -noout -text -in server.crt
 +
 +== Example ==
 +
 + mv ssl.key/server.key ssl.key/server.key.bk
 + openssl genrsa -des3 -out ssl.key/server.key 2048
 + openssl rsa -noout -text -in ssl.key/server.key
 + openssl rsa -in ssl.key/server.key -out ssl.key/server.key.unsecure
 + mv ssl.key/server.key ssl.key/server.key.bk
 + mv ssl.key/server.key.unsecure ssl.key/server.key
 + openssl req -new -key ssl.key/server.key -out ssl.csr/server.csr
 + openssl req -noout -text -in ssl.csr/server.csr
 + openssl x509 -req -days 730 -in ssl.csr/server.csr -signkey ssl.key/server.key -out ssl.crt/server.crt
 + openssl x509 -noout -text -in ssl.crt/server.crt
== Sources == == Sources ==
* http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-generatingkey.html * http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-secureserver-generatingkey.html
 +* http://www.fedoraforum.org/forum/archive/index.php/t-107046.html
 +* http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca
 +* https://www.digicert.com/help/
 +* https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm
 +
-[Category:Linux]+[[Category:Linux]]

Current revision

Generate Self-Signed Certificate

Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted)

openssl genrsa -des3 -out server.key 2048

You can see the details of this RSA private key via the command:

openssl rsa -noout -text -in ca.key

Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

openssl req -new -key server.key -out server.csr

You can see the details of this CSR via the command

openssl req -noout -text -in server.csr 

You can create a decrypted PEM version (not recommended) of this private key via:

openssl rsa -in ca.key -out ca.key.unsecure

If you want to run apache without a password rename it correctly:

mv server.unsecure server.key

Generate apache mod_ssl certificate:

openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt

Verify contents of certificate:

openssl x509 -noout -text -in server.crt

Example

mv ssl.key/server.key ssl.key/server.key.bk
openssl genrsa -des3 -out ssl.key/server.key 2048
openssl rsa -noout -text -in ssl.key/server.key
openssl rsa -in ssl.key/server.key -out ssl.key/server.key.unsecure
mv ssl.key/server.key ssl.key/server.key.bk
mv ssl.key/server.key.unsecure ssl.key/server.key
openssl req -new -key ssl.key/server.key -out ssl.csr/server.csr
openssl req -noout -text -in ssl.csr/server.csr
openssl x509 -req -days 730 -in ssl.csr/server.csr -signkey ssl.key/server.key -out ssl.crt/server.crt
openssl x509 -noout -text -in ssl.crt/server.crt

Sources

Personal tools