@robbdimitrov
Last active July 22, 2020 16:17
Certificates cheatsheet

Certificate cheatsheet

Naming

ca.pem - the root CA certificate
ca-key.pem - the CA private key
csr.pem - certificate signing request
cert.pem - client certificate
pkey.pem - client private key

Certificate fields

C - Country Name (2 letter code)
ST - State or Province Name (full name)
L - Locality Name (eg, city)
O - Organization Name (eg, company)
OU - Organizational Unit Name (eg, section)
CN - Common Name (eg, fully qualified host name)

Create a one-off self-signed certificate

Generate a private key

$ openssl genrsa -des3 -out key.pem 4096

Create a certificate signing request

$ openssl req -new -key key.pem -out csr.pem

Create self-signed certificate

$ openssl x509 -in csr.pem -out cert.pem -req -signkey key.pem -days 365

Create multiple self-signed certificates

Generate a private key for the CA

$ openssl genrsa -des3 -out ca-key.pem 4096

Create a root certificate

$ openssl req -new -x509 -key ca-key.pem -sha256 -days 365 -out ca.pem

Generate a private key for the certificate

$ openssl genrsa -des3 -out pkey.pem 4096

Create a certificate signing request

$ openssl req -new -key pkey.pem -out csr.pem

Create a certificate and sign it with the CA certificate and key

$ openssl x509 -req -in csr.pem -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 365

Export to .p12

$ openssl pkcs12 -export -clcerts -inkey pkey.pem \
  -in cert.pem -out cert.p12

Verify certificates

Validate the certificate

$ # Validate a certificate chain with intermediate CA cert
$ openssl verify -CAfile ca.pem -untrusted intermediate.pem cert.pem
$ # Validate a certificate with CA cert
$ openssl verify -CAfile ca.pem cert.pem
$ # Validate a single certificate against the default trust store
$ openssl verify cert.pem

Retrieve subject and issuer

$ # Get certificate issuer
$ openssl x509 -in cert.pem -noout -issuer
$ # Get certificate subject
$ openssl x509 -in cert.pem -noout -subject
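
The CA workflow from "Create multiple self-signed certificates" and the checks from "Verify certificates", run non-interactively as an added example (not part of the original gist). It assumes unencrypted 2048-bit keys, constructed subject names passed with -subj, and hypothetical helper names (make_ca, make_leaf, chains_to, key_matches); it also shows a certificate being rejected under an unrelated CA and confirms that the private key matches the certificate.

```shell
#!/bin/sh
# Added example, not from the gist. Assumptions: unencrypted 2048-bit keys (no
# -des3 prompt) and constructed subject names, so the run is quick and scriptable.

make_ca() {    # make_ca DIR NAME: writes ca-key.pem and ca.pem into DIR
  ( cd "$1" &&
    openssl genrsa -out ca-key.pem 2048 2>/dev/null &&
    openssl req -new -x509 -key ca-key.pem -sha256 -days 365 \
      -subj "/O=Example/CN=$2" -out ca.pem )
}

make_leaf() {  # make_leaf DIR CN: DIR must already hold ca.pem and ca-key.pem
  ( cd "$1" &&
    openssl genrsa -out pkey.pem 2048 2>/dev/null &&
    openssl req -new -key pkey.pem -subj "/O=Example/CN=$2" -out csr.pem &&
    openssl x509 -req -in csr.pem -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -days 365 2>/dev/null )
}

chains_to() {  # chains_to CA_FILE CERT_FILE: exit 0 only if CERT verifies with CA_FILE trusted
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches() {  # key_matches KEY_FILE CERT_FILE: same public key in both?
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
  a=$(mktemp -d) && b=$(mktemp -d) || return 1
  make_ca "$a" "Demo CA A" && make_leaf "$a" client.example.test &&
    make_ca "$b" "Demo CA B" || return 1
  chains_to "$a/ca.pem" "$a/cert.pem" && echo "cert.pem verifies under CA A"
  chains_to "$b/ca.pem" "$a/cert.pem" || echo "cert.pem rejected under unrelated CA B"
  key_matches "$a/pkey.pem" "$a/cert.pem" && echo "pkey.pem matches cert.pem"
  rm -rf "$a" "$b"
}
demo
```

For real use, keep the -des3 passphrase protection and 4096-bit keys from the commands above.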