michael orlitzky

OpenSSL commands I would like to remember

posted 2010-11-28

Introduction

OpenSSL is the open-source SSL/TLS library and command-line toolkit you use to do, well, everything cryptographic on modern Unix systems. It has three million features—roughly one million of which are documented—making it difficult to figure out how to do anything useful.

I will reuse a few variables throughout:

$KEY
The file (either input or output) containing the private key.
$CERT
The file (either input or output) containing the public certificate.
$CSR
The file to which the certificate signing request (CSR) will be written.
$BITS
The length in bits of the keys we create.
$DAYS
The length in days for which the generated certificate will be valid.

View Certificate Information

Have a certificate on your filesystem somewhere and want to know what it contains (subject, subjectAltName, validity dates, issuer, key size, signature algorithm)? The -text output shows all of it; -subject or -dates in place of -text show just those fields.

user $ openssl x509 -in $CERT -noout -text

Renew a Pre-existing Certificate

Already have an e.g. website certificate and want to renew it? This generates a renewal request from the old certificate, and avoids prompting you for all of the certificate information again. One caveat: before OpenSSL 3.0, -x509toreq copies only the subject, not the certificate's extensions, so a subjectAltName has to be supplied again (OpenSSL 3.0 adds -copy_extensions for this). Minor downside: I can't figure out how to output to anything other than PEM format.

user $ openssl x509 -x509toreq -in $CERT -out $CSR -signkey $KEY

Create a Self-signed Certificate

(I have written a script, self-signed-cert, which takes care of this whole process.)

There are really two steps involved in creating a self-signed certificate.

  1. Create a private key. Do this under umask 077 (or in a directory nobody else can read), so that the key file is never world-readable, not even between its creation and the chmod below (older OpenSSL versions create it with your default umask).

    user $ openssl genrsa -out $KEY $BITS

    Generating RSA private key, 2048 bit long modulus

    ....................................................+++

    .............................................+++

    e is 65537 (0x10001)

    user $ chmod 400 $KEY

  2. Create a self-signed certificate containing the public key, signed with the private key from step 1. (The -nodes flag only matters when req generates a key itself; with -key it is a no-op, and the key stays unencrypted either way.)

    user $ openssl req -new -x509 -nodes -sha256 -days $DAYS -key $KEY -out $CERT

    You are about to be asked to enter information that will be incorporated into your certificate

    ...

Request a New Certificate for a Hostname

(I have written a script, vhost-ssl-request, which takes care of this whole process.)

Again, there are two steps involved here.

  1. Create the private key.

    user $ openssl genrsa -out $KEY $BITS

    Generating RSA private key, 2048 bit long modulus

    ....................................................+++

    .............................................+++

    e is 65537 (0x10001)

    user $ chmod 400 $KEY

  2. Create a certificate signing request (CSR) corresponding to your key. Put the server's hostname in the Common Name when prompted. Modern browsers ignore the CN and match the hostname only against subjectAltName, so either supply that extension in the request (via req_extensions in a config file) or make sure the CA adds it.

    user $ openssl req -new -key $KEY -out $CSR

    You are about to be asked to enter information that will be incorporated into your certificate

    ...
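The three procedures above (key plus self-signed certificate, key plus CSR, and the -x509toreq renewal request) as one added example. This is not the post's self-signed-cert or vhost-ssl-request script; it runs the same commands non-interactively, supplies a subjectAltName through a config file, and adds the checks worth running afterwards: that the key really matches the certificate or CSR, that the SAN is present, and that the CSR's self-signature verifies. It assumes only a POSIX shell and the openssl command-line tool; the hostname, key length and file names are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not the scripts from the post: key, self-signed certificate,
# CSR and renewal request run non-interactively with a subjectAltName, plus
# the checks worth running afterwards. Assumes a POSIX shell and the openssl
# command-line tool; hostname, bit length and file names are placeholders.
set -eu

# req_config HOST: write a minimal openssl req config for HOST to a temp
# file and print its path. A config file (rather than -addext) keeps this
# working on OpenSSL 1.0.x as well as 1.1.1/3.x. prompt=no means the subject
# comes from [dn] instead of the interactive questions.
req_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
req_extensions     = ext
prompt             = no

[dn]
CN = $1

[ext]
subjectAltName   = DNS:$1
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
    echo "$cfg"
}

# make_key KEY BITS: step 1 of both procedures. umask 077 means the file is
# never world-readable, not even between creation and the chmod.
make_key() {
    ( umask 077; openssl genrsa -out "$1" "$2" 2>/dev/null )
    chmod 400 "$1"
}

# make_self_signed KEY CERT HOST DAYS: step 2 of the self-signed procedure.
make_self_signed() {
    cfg=$(req_config "$3")
    openssl req -new -x509 -sha256 -days "$4" -key "$1" -config "$cfg" -out "$2"
    rm -f "$cfg"
}

# make_csr KEY CSR HOST: step 2 of the hostname-request procedure.
make_csr() {
    cfg=$(req_config "$3")
    openssl req -new -sha256 -key "$1" -config "$cfg" -out "$2"
    rm -f "$cfg"
}

# renew_request CERT KEY CSR: the -x509toreq renewal from the post. Before
# OpenSSL 3.0 this copies the subject but drops extensions such as
# subjectAltName, which is why csr_has_san is worth running on the result.
renew_request() {
    openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3"
}

# key_matches_cert KEY CERT: compare RSA moduli instead of trusting file
# names. Succeeds only if the certificate wraps this key's public half.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl x509 -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_matches_csr KEY CSR: the same check for a request.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl req -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT HOST / csr_has_san CSR HOST: look for the DNS entry in
# the -text dump; that entry is what browsers match the hostname against.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
csr_has_san()  { openssl req  -in "$1" -noout -text | grep -q "DNS:$2"; }

# csr_signature_ok CSR: a request is self-signed with its key; -verify checks
# that signature and exits non-zero if the CSR was altered in transit.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Usage (file names and hostname are placeholders):
#   make_key server.key 2048
#   make_self_signed server.key server.crt www.example.com 365
#   make_csr server.key server.csr www.example.com
#   key_matches_csr server.key server.csr && csr_has_san server.csr www.example.com
```

The modulus comparison is the quickest way to answer "is this the key for that certificate?" after a restore or a copy between hosts, and the SAN check on the renewal CSR is the one that catches the pre-3.0 -x509toreq behaviour described above.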

Add a passphrase to an existing key

Suppose you have an existing SSH key pair whose private key was created without a passphrase (below, we make it the empty string; the private key goes to $KEY and the public key to $KEY.pub). Note that OpenSSH 7.8 and later write private keys in their own format by default, which openssl cannot read; pass -m PEM to ssh-keygen if you want a key that openssl rsa can work with.

user $ ssh-keygen -t rsa -P "" -f $KEY

Generating public/private rsa key pair.

...

To add a passphrase to the private key (-des3 was the usual choice when this was written; openssl rsa also accepts -aes256, which is the better choice today),

user $ openssl rsa -des3 -in $KEY -out $KEY

(ssh-keygen -p -f $KEY does the same job, and, unlike openssl, understands every private-key format ssh-keygen can write.)
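The passphrase step as an added example, not the post's own command. It encrypts an existing private key without typing the passphrase interactively, reading it from an environment variable rather than the command line so it does not appear in process listings, uses -aes256 in place of -des3, and then confirms both that the file is really encrypted and that only the right passphrase unlocks it. It assumes the openssl command-line tool; the variable name KEY_PASS and the file names are placeholders. The input can be any unencrypted PEM key, including one written by ssh-keygen -m PEM.

```shell
#!/bin/sh
# Added example, not from the original post: put a passphrase on an existing
# private key and verify the result. Assumes the openssl command-line tool;
# KEY_PASS and the file names are placeholder names.
set -eu

# encrypt_key IN OUT: encrypt IN with AES-256 and write it to OUT. The
# passphrase is taken from the KEY_PASS environment variable (-passout env:)
# so it never appears on the command line. umask 077 keeps OUT private.
encrypt_key() {
    ( umask 077; openssl rsa -aes256 -in "$1" -out "$2" -passout env:KEY_PASS )
}

# is_encrypted KEY: succeeds if KEY is an encrypted PEM key. A PKCS#1 key
# encrypted by openssl rsa carries a "Proc-Type: 4,ENCRYPTED" header; a
# PKCS#8 one (the OpenSSL 3.x default) uses the ENCRYPTED PRIVATE KEY marker.
is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# unlock_ok KEY: succeeds only if the passphrase in KEY_PASS decrypts KEY.
# openssl rsa exits non-zero on a wrong passphrase, which is the check.
unlock_ok() {
    openssl rsa -in "$1" -noout -passin env:KEY_PASS >/dev/null 2>&1
}

# Usage (placeholder names):
#   KEY_PASS='...' ; export KEY_PASS
#   encrypt_key id_rsa id_rsa.enc && is_encrypted id_rsa.enc && unlock_ok id_rsa.enc
```

Writing to a separate output file and only then replacing the original is slightly safer than -in $KEY -out $KEY, since a failure part-way leaves the plaintext key intact; delete the unencrypted copy once unlock_ok has passed.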