PKI SSL certificate management with OpenSSL

This is a short howto for manipulating PKI SSL certificates with OpenSSL.

Creating a PKI CA

  • Install openssl
  • Create a CA folder
      mkdir /CA
  • Locate the file “CA.pl” and copy it into the CA folder
  • Update the “openssl.cnf” file
  • Create a new CA
      ./CA.pl -newca

Creating SSL certificates

  • Create certificate requests
      ./CA.pl -newreq
  • Sign the requests to generate SSL certificates
      ./CA.pl -sign
  • Move the newly generated certificate, key and request
      mkdir someone ; mv new*.* ./someone/

Creating PKCS#12 SSL certificates

      openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out zrelli.p12

The command prompts for an export password; that password is what protects the private key inside the .p12 file, so choose a strong one before handing the file to a client.

Other PKI operations

Importing trusted root CA SSL certificates

  • Copy the following into a new executable script file under /etc/ssl/certs (e.g. certlink.sh):
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
#
# Run from /etc/ssl/certs: for every certificate given, create a symlink named
# <subject hash>.<n> pointing at it; this is the name OpenSSL's -CApath lookup
# uses to find a trusted CA certificate.

for CERTFILE in "$@"; do        # "$@" (not $*) keeps filenames with spaces intact
  # make sure the file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE") || continue
  test -n "$HASH" || continue

  # use the lowest free iterator for the symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done
  • Run the script from /etc/ssl/certs (the links are created in the current directory)
      certlink.sh filename

where filename is a root (.pem) CA SSL certificate. OpenSSL looks trusted CAs up in /etc/ssl/certs by this <hash>.<n> name, which is why the links are needed.

Extract (.pem) CA certificate from a client certificate

 openssl pkcs12  -in example.p12  -out cacert.pem -cacerts -nokeys 

Extract (.pem) key and certificate from a client .p12 certificate

 openssl pkcs12  -in example.p12 -out example-cert.pem -clcerts -nokeys
 openssl pkcs12  -in example.p12 -out example-key.pem -nocerts

The second command asks for a new PEM pass phrase and writes the key encrypted; add -nodes to write it unencrypted.

Extract (.pem) CA certificate from p7b (Windows-generated CA certificates)

 openssl pkcs7   -in certnew.p7b -out cacert.pem -inform DER -text -print_certs
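The whole cycle this page describes (CA, request, signing, PKCS#12 export, extraction, hash link, verification), run end to end with plain openssl commands in a scratch directory, as an added example that is not part of the original howto. It assumes openssl is on PATH; the names demo-ca and demo-client and the password "demo" are made up.

```shell
#!/bin/sh
# Added example, not part of the original howto: the page's cycle
# (CA -> request -> sign -> .p12 -> extract -> hash-link -> verify) with plain
# openssl commands in a throwaway directory, so /CA and /etc/ssl/certs stay untouched.
# Assumed: openssl on PATH. Names (demo-ca, demo-client) and the password "demo" are made up.
set -eu

# build_demo_pki DIR: run the whole cycle inside DIR; returns non-zero on the first failure.
build_demo_pki() (
  cd "$1" && mkdir -p certs &&
  # 1. Self-signed CA, the non-interactive equivalent of ./CA.pl -newca
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout cakey.pem -out cacert.pem 2>/dev/null &&
  # 2. Client key and request (./CA.pl -newreq)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout newkey.pem -out newreq.pem 2>/dev/null &&
  # 3. Sign the request with the CA (./CA.pl -sign)
  openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -out newcert.pem 2>/dev/null &&
  # 4. Bundle cert, key and CA into a password-protected .p12 (the -export step)
  openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile cacert.pem \
    -passout pass:demo -out demo.p12 &&
  # 5. Pull the parts back out: CA only, client cert only, key only
  openssl pkcs12 -in demo.p12 -passin pass:demo -cacerts -nokeys -out ca-from-p12.pem &&
  openssl pkcs12 -in demo.p12 -passin pass:demo -clcerts -nokeys -out client-cert.pem &&
  openssl pkcs12 -in demo.p12 -passin pass:demo -nocerts -nodes -out client-key.pem &&
  # 6. Install the CA under its subject hash (what certlink.sh does) and verify
  #    the client cert against that directory instead of a single -CAfile
  hash=$(openssl x509 -noout -hash -in ca-from-p12.pem) &&
  ln -sf ../ca-from-p12.pem "certs/$hash.0" &&
  openssl verify -CApath certs client-cert.pem >/dev/null
)

# key_matches_cert DIR: true when the extracted key and cert carry the same public key
key_matches_cert() {
  a=$(openssl x509 -in "$1/client-cert.pem" -noout -pubkey | openssl sha256) &&
  b=$(openssl pkey -in "$1/client-key.pem" -pubout 2>/dev/null | openssl sha256) &&
  [ "$a" = "$b" ]
}

# Usage: sh demo-pki.sh /some/empty/dir
if [ -n "${1:-}" ]; then
  build_demo_pki "$1" && key_matches_cert "$1" && echo "demo PKI built and verified in $1"
fi
```

The key/cert comparison at the end is the check to run after any extraction: a .p12 exported with the wrong -inkey only shows up as a TLS handshake failure later.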


Wireless Internet Security Performance RADIUS server