@lixit
Created September 16, 2019 09:12

SSL enhances TCP with confidentiality, data integrity, server authentication, and client authentication.

openssl command [ command_opts ] [ command_args ]

openssl list [ commands | digest-commands | cipher-commands | cipher-algorithms | digest-algorithms | public-key-algorithms]

openssl no-XXX [ arbitrary options ]

Key generation

RSA
	Generate unencrypted private key
		openssl genrsa -out rsa_private.key 2048

	Generate encrypted private key
		openssl genrsa -aes128 -out rsa.key 2048

	Change to unencrypted private key
		openssl rsa -in rsa.key -passin pass:1111 -out rsa_private.key

	Change to encrypted private key
		openssl rsa -in rsa_private.key -aes128 -passout pass:1111 -out rsa.key

	Inspect the private key
		openssl rsa -text -in rsa.key

	Extract the public key
		openssl rsa -in rsa.key -pubout -out rsa-public.key
	
DSA
	openssl dsaparam -genkey 2048 | openssl dsa -out dsa.key -aes128
ECDSA
	openssl ecparam -genkey -name secp256r1 | openssl ec -out ec.key -aes128

Creating Certificate Signing Requests (CSR)

			send CSR to request digital identity certificate
application -------------------------------------------------> certificate authority (CA)
			<------------------------------------------------
				public key certificate (crt)
				
public key certificate: used to prove the ownership of a public key
	public key
	identity of its owner
	digital signature of CA


openssl req -new -key rsa.key -out rsa.csr

CSR used in:
	1) sign your own certificate
	2) send it to a public CA and ask CA to sign the certificate

Check that the CSR is correct
	openssl req -text -in rsa.csr -noout

Creating CSRs from Existing Certificates
	openssl x509 -x509toreq -in fd.crt -out fd.csr -signkey fd.key

Sign your own certificate
	openssl x509 -req -days 365 -in rsa.csr -signkey rsa.key -out rsa.crt

or, without creating a CSR in a separate step (-subj supplies the subject fields, so there are no interactive prompts)
	openssl req -new -x509 -days 365 -key fd.key -out fd.crt \
	-subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"

Creating Certificates Valid for Multiple Hostnames
	1) use Subject Alternative Name (SAN)
	2) use wildcards

Create a separate text file holding the extension
	echo "subjectAltName = DNS:*.feistyduck.com, DNS:feistyduck.com" > fd.ext

Sign the CSR, passing the extension file
	openssl x509 -req -days 365 \
	-in rsa.csr -signkey rsa.key -out multipleHostname.crt \
	-extfile fd.ext

Examine Certificates
	openssl x509 -text -in multipleHostname.crt -noout
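The multiple-hostname flow above run end to end, as an added example that is not part of the original gist: key, CSR, extension file, self-signed certificate, then two checks a practitioner would want (the SAN really landed in the cert, and the key and cert belong together). Assumes openssl is in PATH; the output directory, subject and *.example.test names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original gist: the multiple-hostname
# certificate flow from the notes above, plus two checks on the result.
# Assumes openssl is in PATH; paths, subject and *.example.test hostnames
# are placeholders chosen for the demo.
set -eu

# Key -> CSR -> extension file -> self-signed cert carrying a SAN extension.
make_san_cert() {
  dir="$1"
  mkdir -p "$dir"
  # 1) unencrypted RSA key (demo only; a key kept at rest should be encrypted, e.g. -aes128)
  openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
  # 2) CSR; -subj supplies the subject so no interactive prompt appears
  openssl req -new -key "$dir/rsa.key" -out "$dir/rsa.csr" \
    -subj "/C=GB/L=London/O=Example Ltd/CN=www.example.test"
  # 3) extension file holding the Subject Alternative Names
  printf 'subjectAltName = DNS:*.example.test, DNS:example.test\n' > "$dir/fd.ext"
  # 4) self-sign the CSR for 365 days, attaching the extensions from the file
  openssl x509 -req -days 365 -in "$dir/rsa.csr" -signkey "$dir/rsa.key" \
    -extfile "$dir/fd.ext" -out "$dir/multipleHostname.crt" 2>/dev/null
}

# Print the SAN entries of a certificate (empty output if the extension is missing).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Verify that a private key and a certificate belong together: an RSA key and
# the certificate issued for it share the same modulus.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus)
  c=$(openssl x509 -in "$2" -noout -modulus)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: make_san_cert ./out && cert_san ./out/multipleHostname.crt
```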
