```sh
# make SAN entries for *.amazonaws.com certificate
echo "DNS = ec2-x-x-x-x.eu-central-1.compute.amazonaws.com" >> amazonaws.com.san
# make SAN entries for localhost certificate
echo "DNS.1 = localhost" >> localhost.san
echo "IP.1 = 127.0.0.1" >> localhost.san
echo "IP.2 = 0.0.0.0" >> localhost.san
# make CA Certificate and add it to OS cert store
make ca-crt
make add-to-macos-store
# make client certs to be used by the local Dev Web Server and the Cloud Dev Web Server
make client-crt SAN_FILE="amazonaws.com.san"
make client-crt SAN_FILE="localhost.san"
```
The following creates a key pair that is contained within a single file:

```sh
openssl genrsa -out private.key 4096
```

Even though the file looks like

```text
-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEAy4rZLJaLe...
-----END RSA PRIVATE KEY-----
```

it actually contains the whole key pair: the public components (modulus and public exponent) are stored alongside the private ones.
In fact, we can see all components of the private key, including the public ones, by using:

```sh
openssl rsa -noout -text -in private.key
```

which yields

```text
RSA Private-Key: (4096 bit, 2 primes)
modulus:
00:cb:8a:d9:2c:96:8b:79
...
publicExponent: 65537 (0x10001)
privateExponent:
00:cb:8a:d9:2c:96:8b:79:65:dc:f2:d7:08:6e:d4:
e5:b0:03:e0:62:47:9a:ad:93:f2:61:90:b5:e7:34:
...
prime1:
00:e4:6f:ea:3e:71:14:52:e0:d1:7b:71:6e:59:78:
d1:84:0c:8c:81:00:66:90:e1:de:ae:cc:3b:77:cb:
...
prime2:
00:e4:19:f8:5c:a8:c3:3c:1d:c9:23:22:3e:d0:98:
41:2c:f1:3e:cb:43:98:7e:fc:b8:66:bd:21:d0:73:
...
exponent1:
00:b8:87:5f:25:89:9a:ed:48:06:70:3d:34:f2:b9:
92:25:a5:2d:6a:97:b4:42:9c:f2:91:29:11:70:b8:
...
exponent2:
69:41:da:ab:d7:6c:90:37:26:73:c1:ff:be:7e:23:
c5:3b:65:c0:a2:66:a2:62:b8:2d:20:a5:93:ed:8a:
...
coefficient:
00:96:d5:da:3a:77:b4:91:4d:ce:c1:ca:a6:2e:fc:
97:8e:da:da:47:b9:fb:45:b7:82:94:ec:50:c1:14:
...
```
The components of the public key can be examined using:

```sh
openssl rsa -noout -text -inform PEM -in public.key -pubin
```

Its output comprises only the modulus and the public exponent.
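Added example, not part of these notes: the arithmetic that ties together the fields in the `openssl rsa -text` output above, carried out in plain Python on a constructed toy key (p=61, q=53, e=17). The helper names (`rsa_components_from_primes`, `check_private_key`, `crt_decrypt`, `parse_openssl_hex`) are hypothetical; `parse_openssl_hex` exists so the real colon-separated hex from that output can be fed into `check_private_key`.

```python
from math import gcd

def parse_openssl_hex(dump: str) -> int:
    """Turn the colon-separated hex that `openssl rsa -text` prints into an int."""
    return int("".join(dump.split()).replace(":", ""), 16)

def rsa_components_from_primes(p: int, q: int, e: int) -> dict:
    """Derive every RSAPrivateKey field (named as in the openssl output) from p, q, e.
    modulus and publicExponent are two of those fields: that is why the
    private key file also holds the public key."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael's lambda(n)
    d = pow(e, -1, lam)                           # e*d = 1 mod lambda(n)
    return {
        "modulus": p * q, "publicExponent": e, "privateExponent": d,
        "prime1": p, "prime2": q,
        "exponent1": d % (p - 1),                 # d mod (p-1), for CRT decryption
        "exponent2": d % (q - 1),                 # d mod (q-1)
        "coefficient": pow(q, -1, p),             # q^-1 mod p
    }

def check_private_key(k: dict) -> list:
    """Return the names of the RSAPrivateKey relations that do NOT hold
    between the components; an empty list means they are consistent."""
    n, e, d = k["modulus"], k["publicExponent"], k["privateExponent"]
    p, q = k["prime1"], k["prime2"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    checks = {
        "modulus != prime1 * prime2": p * q == n,
        "publicExponent * privateExponent != 1 mod lambda(n)": (e * d) % lam == 1,
        "exponent1 != privateExponent mod (prime1 - 1)": k["exponent1"] == d % (p - 1),
        "exponent2 != privateExponent mod (prime2 - 1)": k["exponent2"] == d % (q - 1),
        "coefficient != prime2^-1 mod prime1": (k["coefficient"] * q) % p == 1,
    }
    return [name for name, ok in checks.items() if not ok]

def public_key_from_private(k: dict) -> tuple:
    """What `openssl rsa -pubout` extracts: just (modulus, publicExponent)."""
    return k["modulus"], k["publicExponent"]

def crt_decrypt(k: dict, c: int) -> int:
    """Decrypt c with the CRT fields, the way exponent1/exponent2/coefficient are used."""
    m1 = pow(c, k["exponent1"], k["prime1"])
    m2 = pow(c, k["exponent2"], k["prime2"])
    h = (k["coefficient"] * (m1 - m2)) % k["prime1"]
    return m2 + h * k["prime2"]

# Constructed toy key (p=61, q=53, e=17), far too small for real use,
# plus a copy with a corrupted coefficient that the checks must flag.
TOY_KEY = rsa_components_from_primes(61, 53, 17)
TAMPERED_KEY = dict(TOY_KEY, coefficient=TOY_KEY["coefficient"] + 1)
```

Encrypting with `public_key_from_private(TOY_KEY)` and decrypting with `crt_decrypt` round-trips, while `check_private_key(TAMPERED_KEY)` names the broken relation.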
The public key can be extracted from the PEM-encoded private key using

```sh
openssl rsa -in private.key -pubout -out public.key
```

The inputs and outputs discussed here are PEM-encoded, which in particular means that both the private.key file and the public.key file are sandwiched between a PEM header and a PEM footer.
The public key can also be extracted from the private key using ssh-keygen with

```sh
ssh-keygen -y -f private.key > public.key
```

however, this will produce a public.key file in OpenSSH encoding. See below for converting a public.key in OpenSSH format to a public.key in PEM format.

The following two sequences, however, are equivalent:

```sh
openssl rsa -in private_pem.key -pubout -out public_pem.key
ssh-keygen -f public_pem.key -i -mPKCS8 > public_openssh.key
```

and

```sh
ssh-keygen -y -f private_pem.key > public_openssh.key
```
```sh
ssh-keygen -P "" -t rsa -b 4096 -f some_key
```

will create a private key named some_key and a public key named some_key.pub, both in OpenSSH (= PKCS8) format.

Converting a public key from OpenSSH format to PEM format and back:

```sh
ssh-keygen -f public_openssh.key -m 'PEM' -e > public_pem.key
ssh-keygen -f public_pem.key -i -mPKCS8 > public_openssh.key
```

The private key is normally in PEM format.