@feliperomero3
Last active June 3, 2023 19:28
Generate a self-signed certificate using OpenSSL

Generate a self-signed root certificate using OpenSSL

This repository contains a script that generates a self-signed SSL certificate for local software development. The certificate is trusted only after you add it to the trust store of your operating system or browser.

Prerequisites

  • OpenSSL.
  • Bash (Linux only).
  • Git Bash (Windows only).

Getting started

  1. Clone the project.
  2. Open a terminal in the root directory.
  3. Run ./generate.sh

Or, alternatively, copy and paste the next snippet.

git clone https://gist.github.com/a6282b0e7ca579fff0e296227675190d.git generate-trusted-ssl-certificate
cd generate-trusted-ssl-certificate
./generate.sh

Configuration

You can adjust the openssl-custom.cnf configuration file to suit your needs.

Common commands

# Show the certificate
openssl x509 -in server.crt

# Show as 'human-readable' certificate content
openssl x509 -text -in server.crt

# Show as 'human-readable' certificate content (omitting the base64-printed cert at the end)
openssl x509 -text -noout -in server.crt

# Export certificate and private key pair as a pkcs#12 certificate (PFX)
openssl pkcs12 -export -out cert.pfx -inkey server.key -in server.crt

More example commands in openssl-commands.txt.
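
The inspection commands above can be combined into one repeatable check that a certificate produced by generate.sh really carries what openssl-custom.cnf asked for and belongs to server.key. This is an added example, not part of the gist; the function names make_sample_cert and check_dev_cert and the shortened sample config are assumptions.

```shell
#!/bin/bash
# Added example, not part of the gist. Function names and the shortened
# sample config are assumptions; the certificate it creates is constructed.

# Write a constructed key/certificate pair into directory $1.
# $2 = "yes" applies the [v3_req] extensions; anything else omits them.
make_sample_cert() {
  local dir=$1 ext=""
  [ "$2" = "yes" ] && ext="x509_extensions = v3_req"
  cat > "$dir/sample.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
$ext
[dn]
CN = localhost
[v3_req]
subjectAltName = DNS:localhost, IP:127.0.0.1
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:2048 -x509 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.crt" -config "$dir/sample.cnf" -days 365 2>/dev/null
}

# Return 0 only if certificate $1 matches private key $2, lists SAN $3
# (e.g. DNS:localhost), has the serverAuth EKU, >= 2048 bits, and is unexpired.
check_dev_cert() {
  local crt=$1 key=$2 san=$3 rc=0 text bits
  text=$(openssl x509 -noout -text -in "$crt") || return 1
  # Clients match host names against subjectAltName, so it must be present.
  echo "$text" | grep -A1 'Subject Alternative Name' \
    | grep -Eq "${san}(,| *\$)" || { echo "FAIL: SAN $san missing"; rc=1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: serverAuth EKU missing"; rc=1; }
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
  openssl x509 -noout -checkend 0 -in "$crt" >/dev/null \
    || { echo "FAIL: certificate expired"; rc=1; }
  # The public key derived from the key file must equal the one in the cert.
  [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
    "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] \
    || { echo "FAIL: key does not match certificate"; rc=1; }
  return $rc
}

# Demo on a constructed pair; for real use pass ./server.crt and ./server.key.
tmp=$(mktemp -d) && make_sample_cert "$tmp" yes \
  && check_dev_cert "$tmp/server.crt" "$tmp/server.key" DNS:localhost && echo OK
```

If the x509_extensions line is missing from the [req] section, openssl still writes a certificate but without the SAN and EKU entries, which is the case the second argument of make_sample_cert reproduces.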

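#!/bin/bash
# Generate a new RSA key and a self-signed certificate in one step.
# Key size, subject and extensions come from openssl-custom.cnf.
# -nodes leaves server.key unencrypted on disk.
openssl req \
  -newkey rsa \
  -x509 \
  -nodes \
  -keyout server.key \
  -new \
  -out server.crt \
  -config ./openssl-custom.cnf \
  -days 365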
# 23:46 09/03/2021
# Export certificate and private key pair as a pkcs#12 certificate (PFX)
openssl pkcs12 -export -out cert.pfx -inkey server.key -in server.crt
# Export certificate and private key pair as a pkcs#12 certificate (PFX) including the root certificate provided by the CA
openssl pkcs12 -export -out cert.pfx -inkey server.key -in server.crt -certfile CACert.cer
# Output certificate info omitting sensitive values (private keys)
openssl pkcs12 -in cert.pfx -info -noout
# Output the certificate(s) and private key(s) in the PFX
openssl pkcs12 -in cert.pfx -info -nodes
# Output the certificate omitting the private key(s) - Add '-out server.crt' to output to a file
openssl pkcs12 -in cert.pfx -info -nokeys
# Output the private key(s) omitting the certificate(s) - Add '-out server.key' to output to a file
openssl pkcs12 -in cert.pfx -info -nodes -nocerts
# Or less verbose alternative (notice the -info flag is omitted)
openssl pkcs12 -in cert.pfx -nodes -nocerts
# Export certificates and private keys to a file
# You will be prompted for the PKCS#12 file's password
openssl pkcs12 -in cert.pfx -out OUTFILE.crt -nodes
# References
# https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-pkcs12.html
# https://www.openssl.org/docs/manmaster/man1/openssl-passphrase-options.html
# 02:19 12/02/2022
# Show the certificate
openssl x509 -in server.crt
# Show the 'human-readable' certificate content
openssl x509 -text -in server.crt
# Show the 'human-readable' certificate content only (omitting the base64-printed cert at the end)
openssl x509 -text -noout -in server.crt
# Show the issuer, subject and dates
openssl x509 -noout -in server.crt -issuer -subject -dates
# Show the issuer, subject, dates and sha1 fingerprint (or use -sha256). Defaults to sha1 when omitted.
openssl x509 -noout -in server.crt -issuer -subject -dates -sha1 -fingerprint
# References
# https://www.golinuxcloud.com/things-to-consider-when-creating-csr-openssl
# https://www.golinuxcloud.com/openssl-create-certificate-chain-linux
# https://www.golinuxcloud.com/create-certificate-authority-root-ca-linux
#
# https://www.golinuxcloud.com/shell-script-to-generate-certificate-openssl
# 22:53 19/02/2022
# I have a SSH keypair. How do I determine the key length?
# https://serverfault.com/a/325471/488640
openssl rsa -in ~/.ssh/id_rsa -text -noout
# Alternative
ssh-keygen -l -f ~/.ssh/id_rsa.pub
# with ASCII art
ssh-keygen -l -v -f ~/.ssh/id_rsa.pub
# Other references
# 15:11 6/6/2022
# https://www.scottbrady91.com/openssl/creating-rsa-keys-using-openssl
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = MX
ST = NL
L = MTY
O = IT
OU = IT Department
emailAddress = hostmaster@example.com
CN = localhost
[v3_req]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = localhost.local
DNS.4 = localhost.localdomain
DNS.5 = HP15-bs015la
IP.1 = 127.0.0.1