This is a simple howto for manipulating PKI SSL certificates using Openssl.

openssl genrsa  -des3  -out private-3des-2048.pem 2048

openssl rsa -in private-3des-2048.pem -outform DER -out private-2048.der

• Install openssl

• Create a CA folder

        mkdir /CA

• Locate the file “CA.pl” and copy it in the folder CA

• Update the “openssl.cnf” file

• Create a new CA

     ./CA.pl -newca

• Create Certificate requests

     ./CA.pl -newreq 

• Sign the requests to generate SSL certificates

      ./CA.pl -sign

• Move the newly generated certificate, key and request

       mkdir someone ; mv new*.* ./someone/

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out certificate.p12

This is how to create OpenSSL certificate hash files and symlink the hash file to the certificate.

• 1. Copy this script into a file under /etc/ssl/certs (e.g. certlink.sh)

#!/bin/sh
#
# usage: certlink.sh filename [filename ...]

for CERTFILE in $*; do
  # make sure file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
  test -n "$HASH" || continue
 
 # use lowest available iterator for symlink
 for ITER in 0 1 2 3 4 5 6 7 8 9; do
   test -f "${HASH}.${ITER}" && continue
   ln -s "$CERTFILE" "${HASH}.${ITER}"
 
   test -L "${HASH}.${ITER}" && break
 done
done

• 2. Run the script

 certlink.sh filename

Where filename is a root (.pem) CA SSL certificate

 openssl pkcs12  -in example.p12  -out cacert.pem -cacerts -nokeys 

 openssl pkcs12  -in example.p12 -out example-cert.pem -clcerts -nokeys
 openssl pkcs12  -in example.p12 -out example-key.pem -nocerts

 openssl pkcs7   -in certnew.p7b -out cacert.pem -inform DER -text -print_certs

OpenSSL RSA sign and verify howto

Labels: howto, security, unix