# OpenSSL cheat sheet

This is a brief howto for socket programmers.
## Key pairs

Generate a key pair (example: 1024-bit RSA):

$> openssl genrsa -out myprivate.pem 1024
$> openssl rsa -in myprivate.pem -pubout -out mypublic.pem

To remove the passphrase from an encrypted private key:

$> openssl rsa -in myprivate.pem -out mynewprivate.pem

To protect a plain private key with a passphrase (triple-DES):

$> openssl rsa -des3 -in pkey_plain.pem -out pkey.pem
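The key-pair commands above, as an added example that is not part of the original cheat sheet: it generates the pair, checks that the public key really belongs to the private key (by comparing moduli, the same check used to pair a certificate with its key), and round-trips the private key through passphrase protection. It uses 2048 bits and `-aes256` instead of the cheat sheet's 1024 bits and `-des3`, and `-passout`/`-passin` instead of the interactive prompt; the passphrase and file names are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): generate an RSA key pair,
# check that the public key belongs to the private key, and round-trip the
# private key through passphrase protection.  2048 bits and AES-256 are used
# instead of the cheat sheet's 1024 bits and -des3.  The passphrase below is
# a constructed sample.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
PASS="constructed-sample-passphrase"

# Generate the private key and derive the public half, as in the cheat sheet.
gen_keypair() {
    openssl genrsa -out "$WORK/myprivate.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/myprivate.pem" -pubout -out "$WORK/mypublic.pem" 2>/dev/null
}

# A public key belongs to a private key only if both carry the same modulus.
# $1 = private key file, $2 = public key file.  Prints "match" or "mismatch".
check_keypair() {
    priv=$(openssl rsa -in "$1" -noout -modulus)
    pub=$(openssl rsa -pubin -in "$2" -noout -modulus)
    if [ "$priv" = "$pub" ]; then echo match; else echo mismatch; fi
}

# Put a passphrase on the key.  -passout avoids the interactive prompt;
# -aes256 replaces the cheat sheet's -des3.
encrypt_key() {
    openssl rsa -aes256 -passout "pass:$PASS" \
        -in "$WORK/myprivate.pem" -out "$WORK/pkey.pem" 2>/dev/null
}

# Strip the passphrase again: "openssl rsa -in ... -out ..." with no cipher
# option writes the key out in the clear.
decrypt_key() {
    openssl rsa -passin "pass:$PASS" \
        -in "$WORK/pkey.pem" -out "$WORK/mynewprivate.pem" 2>/dev/null
}

# Report whether a PEM private key is passphrase-protected: both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# block contain the word ENCRYPTED.  Prints "encrypted" or "plain".
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

gen_keypair
echo "key pair:          $(check_keypair "$WORK/myprivate.pem" "$WORK/mypublic.pem")"
encrypt_key
echo "pkey.pem:          $(key_state "$WORK/pkey.pem")"
decrypt_key
echo "mynewprivate.pem:  $(key_state "$WORK/mynewprivate.pem")"
echo "after round-trip:  $(check_keypair "$WORK/mynewprivate.pem" "$WORK/mypublic.pem")"
```

The modulus comparison is the quick way to answer "does this private key go with this public key (or certificate)?" before deploying either; `openssl x509 -noout -modulus -in cert.pem` gives the certificate side of the same check.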
## Self-signed certificate

Generate a private key and a self-signed certificate (valid for 1000 days) with a single command:

$> openssl req -x509 -nodes -days 1000 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem

-nodes creates an unencrypted (plain) key.
## Certificate signing requests

CSR = certificate signing request.

With an existing private key:

$> openssl req -new -key client_pkey.pem -out client.csr

Or with a new key:

$> openssl req -new -newkey rsa:1024 -nodes -keyout client_pkey.pem -out client.csr

To create a CSR from an existing certificate:

$> openssl x509 -x509toreq -in client_cert.pem -signkey client_pkey.pem -out client.csr
## openssl x509

Sign a CSR (valid for 365 days):

$> openssl x509 -req -days 365 -signkey myprivate.pem -in client.csr -out client_cert.pem

Print a certificate in readable form, e.g.:

$> openssl x509 -text -in mycert.pem
## openssl verify

$> openssl verify mycert.pem

Some notes on the error codes it reports:

- error 18: a self-signed certificate
- error 10: the certificate is expired!
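The CSR, signing and verify sections above worked through end to end, as an added example that is not part of the original cheat sheet: a throw-away CA signs a client CSR, and `openssl verify` is then run three ways so both error codes from the notes can be observed: a properly chained certificate (OK), a lone self-signed certificate (error 18) and an expired one (error 10). Unlike the cheat sheet's `-signkey` form, which produces a self-signed certificate, the CSR is signed here with `-CA`/`-CAkey`; `-subj` replaces the interactive prompts and `-attime` evaluates the chain at a chosen moment. Subject names are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: a throw-away CA signs a
# client CSR, then `openssl verify` is run against a chained certificate (OK),
# a lone self-signed certificate (error 18) and an expired one (error 10).
# Unlike the cheat sheet's "-signkey" form, which yields a self-signed
# certificate, the CSR is signed with -CA/-CAkey.  Subject names are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)

# 1. CA key + self-signed CA certificate in one command (valid 1000 days).
make_ca() {
    openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null
}

# 2. Client key + CSR; -subj answers the interactive questions.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
        -keyout "$WORK/client_pkey.pem" -out "$WORK/client.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA (365 days).  -CAcreateserial writes ca_cert.srl.
sign_client_csr() {
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/client_cert.pem" 2>/dev/null
}

# Print one field of a certificate (-subject or -issuer) without the "xxx=" prefix.
cert_field() {
    openssl x509 -noout "$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Run "openssl verify ARGS..." and print the first error code it reports, or
# "ok".  Parsing the output instead of the exit status works across versions.
verify_code() {
    out=$(openssl verify "$@" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | sed 1q)
    if [ -n "$code" ]; then echo "$code"; else echo ok; fi
}

# Two years from now the client certificate (365 days) has expired while the
# CA (1000 days) is still valid, so verify reports error 10 at depth 0.
FUTURE=$(( $(date +%s) + 2 * 365 * 86400 ))

make_ca
make_client_csr
sign_client_csr
echo "client cert issued by: $(cert_field -issuer "$WORK/client_cert.pem")"
echo "chained:     $(verify_code -CAfile "$WORK/ca_cert.pem" "$WORK/client_cert.pem")"
echo "self-signed: $(verify_code "$WORK/ca_cert.pem")"
echo "expired:     $(verify_code -CAfile "$WORK/ca_cert.pem" -attime "$FUTURE" "$WORK/client_cert.pem")"
```

Note that `openssl verify mycert.pem` on its own only consults the system trust store, so a certificate from a private CA always fails there; pass the CA with `-CAfile` (or `-CApath`) to verify the chain you actually deploy.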
## openssl s_server

Start a TLS server:

$> openssl s_server -accept portNum -cert myCert.pem -key myPKey.pem

## openssl s_client

- connect to a server:

$> openssl s_client -showcerts -connect server:portNum

-showcerts shows the server's certificate(s).

- to connect with a client certificate:

$> openssl s_client -connect server:portNum -cert myCert.pem -key myPKey.pem

- to send some data:

$> openssl s_client -connect server:portNum

then type in the console of the client / server.

- openssl also works as a pipe:

$> echo "some text!" | openssl s_client ...
## Links

Yet another gist for TLS + node.js: source

More quick tips: wiki.samat.org