posted 2010-11-28
OpenSSL is the open-source SSL library you use to do, well, everything on modern Unix systems. It has three million features—roughly one million of which are documented—making it difficult to figure out how to do anything useful.
I will reuse a few variables throughout:
Have a certificate on your filesystem somewhere and want to know what it contains?
user $ openssl x509 -in $CERT -noout -text
Already have a certificate (e.g. for a website) and want to renew it? This generates a renewal request from the old certificate, so you are not prompted for all of the certificate information again. Minor downside: I can't figure out how to output to anything other than PEM format.
user $ openssl x509 -x509toreq -in $CERT -out $CSR -signkey $KEY
(I have written a script, self-signed-cert, which takes care of this whole process.)
There are really two steps involved in creating a self-signed certificate.
Create a private key.
user $ openssl genrsa -out $KEY $BITS
Generating RSA private key, 2048 bit long modulus
....................................................+++
.............................................+++
e is 65537 (0x10001)
user $ chmod 400 $KEY
Create the certificate containing the public key, and self-sign it with the private key.
user $ openssl req -new -x509 -nodes -sha256 -days $DAYS -key $KEY -out $CERT
You are about to be asked to enter information that will be incorporated into your certificate
...
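The two steps above, combined into one non-interactive function (example code added here, not the author's self-signed-cert script): -subj stands in for the interactive prompt, and a umask of 077 makes the key file private from the moment genrsa creates it rather than after a later chmod. The helper names, the CN and the file paths are assumptions; only a standard openssl binary is required.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumes a standard openssl
# binary; every path, size and name is passed in as an argument.
set -eu

# make_self_signed_cert KEY CERT BITS DAYS CN
make_self_signed_cert() {
    key=$1; cert=$2; bits=$3; days=$4; cn=$5
    # umask 077 inside a subshell: the key is written with mode 0600,
    # so there is no window in which it is readable by other users.
    (umask 077 && openssl genrsa -out "$key" "$bits" 2>/dev/null)
    # -subj replaces the interactive questions; -nodes leaves the key
    # unencrypted so a daemon can load it without a passphrase.
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$key" -subj "/CN=$cn" -out "$cert"
}

# key_matches_cert KEY CERT: compare the public key embedded in the
# certificate with the one derived from the private key.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$2" -noout -pubkey)
    from_key=$(openssl pkey -in "$1" -pubout)
    [ "$from_cert" = "$from_key" ] && echo match || echo mismatch
}

# cert_subject CERT: the subject in RFC 2253 form, e.g. "CN=host.example".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# key_mode KEY: the permission string as ls shows it, e.g. "-rw-------".
key_mode() {
    ls -ld "$1" | cut -c1-10
}
```

Because the certificate is self-signed, `openssl verify -CAfile $CERT $CERT` should report OK for it; any other CA file will reject it.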
(I have written a script, vhost-ssl-request, which takes care of this whole process.)
Again, there are two steps involved here.
Create the private key.
user $ openssl genrsa -out $KEY $BITS
Generating RSA private key, 2048 bit long modulus
....................................................+++
.............................................+++
e is 65537 (0x10001)
user $ chmod 400 $KEY
Create a certificate signing request (CSR) corresponding to your key.
user $ openssl req -new -key $KEY -out $CSR
You are about to be asked to enter information that will be incorporated into your certificate
...
Suppose you have an existing SSH key pair which was created without a passphrase (below, the passphrase is given as the empty string):
user $ ssh-keygen -t rsa -P "" -f $KEY
Generating public/private rsa key pair.
...
To add a passphrase to it,
user $ openssl rsa -des3 -in $KEY -out $KEY
(Note that ssh-keygen -p could also do this.)