====== RSA keys and certificates with OpenSSL: Frequently used commands ======

This is a simple howto for manipulating PKI SSL certificates using [[http://openssl.org/|Openssl]].

===== RSA public/private keys for testing =====

==== Create a bundled public/private key pair ====

<code bash>
openssl genrsa -des3 -out private-3des-2048.pem 2048
</code>

The private key file also contains the public key, which is why a single command yields the pair. ''-des3'' protects the key with a passphrase using 3DES, a legacy cipher; current OpenSSL releases accept ''-aes256'' for the same purpose.

==== Decrypt a 3DES encrypted PEM key and convert it to DER ====

<code bash>
openssl rsa -in private-3des-2048.pem -outform DER -out private-2048.der
</code>

You are prompted for the passphrase, and the resulting DER file is written unencrypted.

===== PKI CA operations =====

==== Creating a PKI CA ====

  * Install openssl
  * Create a CA folder: ''mkdir /CA''
  * Locate the file ''CA.pl'' and copy it into the CA folder
  * Update the ''openssl.cnf'' file
  * Create a new CA: ''./CA.pl -newca''

==== Creating SSL certificates ====

  * Create a certificate request: ''./CA.pl -newreq''
  * Sign the request to generate the SSL certificate: ''./CA.pl -sign''
  * Move the newly generated certificate, key and request: ''mkdir someone ; mv new*.* ./someone/''

==== Create PKCS#12 SSL certificates ====

<code bash>
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out certificate.p12
</code>

===== Other PKI operations =====

=== Importing trusted root CA SSL certificates ===

This is how to create OpenSSL certificate hash files and symlink the hash file to the certificate.

  - Copy this script into a file under ''/etc/ssl/certs'' (e.g. ''certlink.sh'')

<code bash>
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
#
# For each certificate, compute the OpenSSL subject hash and create the
# lowest free <hash>.<n> symlink in the current directory; this is how
# OpenSSL looks up CA certificates in a hashed directory like /etc/ssl/certs.
for CERTFILE in "$@"; do
    # make sure file exists and is a valid cert
    test -f "$CERTFILE" || continue
    HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
    test -n "$HASH" || continue
    # use lowest available iterator for symlink
    for ITER in 0 1 2 3 4 5 6 7 8 9; do
        test -f "${HASH}.${ITER}" && continue
        ln -s "$CERTFILE" "${HASH}.${ITER}"
        test -L "${HASH}.${ITER}" && break
    done
done
</code>

  - Run the script: ''certlink.sh filename'', where //filename// is a root (.pem) CA SSL certificate

Run it from inside ''/etc/ssl/certs'' so the symlinks are created next to the certificates. Newer OpenSSL releases ship ''openssl rehash'' (older ones the ''c_rehash'' script), which does the same job for a whole directory.

=== Extract CA certificate (in PEM) from a client certificate ===

<code bash>
openssl pkcs12 -in example.p12 -out cacert.pem -cacerts -nokeys
</code>

=== Extract (.pem) key and certificate from client .p12 certificate ===

<code bash>
openssl pkcs12 -in example.p12 -out example-cert.pem -clcerts -nokeys
openssl pkcs12 -in example.p12 -out example-key.pem -nocerts
</code>

The extracted key is written passphrase-protected unless you add ''-nodes'' (''-noenc'' on OpenSSL 3).

=== Extract (.pem) CA certificate from p7b (Windows generated CA certificates) ===

<code bash>
openssl pkcs7 -in certnew.p7b -out cacert.pem -inform DER -text -print_certs
</code>

===== Related articles =====

  * [[OpenSSL RSA sign and verify howto]]

{{tag>howto security unix}}
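===== Example: what the PEM to DER conversion actually does =====

An added example, not part of the original howto: the PEM/DER handling behind ''openssl rsa -outform DER'' in Python, including the check that refuses a key that is still passphrase-protected (the ''Proc-Type: 4,ENCRYPTED'' header written by ''-des3'' on OpenSSL 1.x, or the PKCS#8 ''ENCRYPTED PRIVATE KEY'' label OpenSSL 3 uses by default) and a walk over the PKCS#1 RSAPrivateKey fields. The toy key is a constructed textbook RSA example, not a usable key, and the encrypted PEM sample is constructed with a fake payload.

```python
import base64
# Constructed toy PKCS#1 RSAPrivateKey (textbook numbers, NOT a usable key):
# version=0, n=3233, e=17, d=2753, p=61, q=53, dP=53, dQ=49, qInv=38.
def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # spare 0x00 keeps the INTEGER positive
    return b"\x02" + bytes([len(body)]) + body
_TOY_BODY = b"".join(_der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38))
TOY_RSA_DER = b"\x30" + bytes([len(_TOY_BODY)]) + _TOY_BODY
TOY_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"  # constructed; fake payload
                     "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n")

def _pem_parts(pem: str):
    """Return (label, RFC 1421 header lines, joined base64 payload) of the first PEM block."""
    start = pem.index("-----BEGIN ")
    label = pem[start + 11:pem.index("-----", start + 11)]
    lines = pem[pem.index("\n", start) + 1:pem.index(f"-----END {label}-----")].splitlines()
    return label, [l for l in lines if ":" in l], "".join(l for l in lines if l and ":" not in l)
def is_passphrase_encrypted(pem: str) -> bool:
    """Legacy 'Proc-Type: 4,ENCRYPTED' header (1.x genrsa -des3) or PKCS#8 label (OpenSSL 3 default)."""
    label, headers, _ = _pem_parts(pem)
    return label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
def pem_to_der(pem: str) -> bytes:
    """Strip the armor as `openssl rsa -outform DER` does; an encrypted payload is ciphertext, not DER."""
    if is_passphrase_encrypted(pem):
        raise ValueError("key is passphrase-protected; decrypt it first (openssl rsa -in ... -out ...)")
    label, _, b64 = _pem_parts(pem)
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError(f"not a private key PEM: {label}")
    return base64.b64decode(b64, validate=True)
def der_to_pem(der: bytes, label: str = "RSA PRIVATE KEY") -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))  # 64-column lines like OpenSSL
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def _tlv_len(der: bytes, pos: int):  # DER length at pos, short or long form -> (length, content offset)
    if der[pos] < 0x80:
        return der[pos], pos + 1
    count = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + count], "big"), pos + 1 + count
def rsa_private_key_fields(der: bytes) -> dict:
    """Walk a PKCS#1 RSAPrivateKey SEQUENCE and return its INTEGER fields by name."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, pos = _tlv_len(der, 1)
    end, fields = pos + seq_len, {}
    for name in ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"):
        if pos >= end or der[pos] != 0x02:
            raise ValueError(f"expected INTEGER for {name} at offset {pos}")
        length, pos = _tlv_len(der, pos + 1)
        fields[name], pos = int.from_bytes(der[pos:pos + length], "big"), pos + length
    return fields
```

The field walker only understands the PKCS#1 ''RSA PRIVATE KEY'' layout; a PKCS#8 ''PRIVATE KEY'' blob wraps that structure in a PrivateKeyInfo and would need unwrapping first.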