cheatsheet-openssl-general | zuhdi.org

OpenSSL General Commands

Environment

  • Debian 9.7 x64
  • OpenSSL 1.1.0j 20 Nov 2018

Excerpt

Log 2019 / 06

1. Generate Private Key & Certificate Signing Request

# Creates a new 2048-bit RSA key pair and a CSR for it in one step.
# -nodes writes private.key WITHOUT passphrase encryption, so file permissions
# are the only thing protecting it; keep it owner-readable only.
# -subj supplies the subject non-interactively. No subjectAltName is given on
# the command line, so the request carries only the CN as a host name.
openssl req \
  -newkey rsa:2048 -nodes -keyout private.key \
  -out certificate.csr -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host" 

root@athos:~# openssl req \
>   -newkey rsa:2048 -nodes -keyout private.key \
>   -out certificate.csr -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

root@athos:~# openssl req -in certificate.csr -noout -text -verify

2. Generate Certificate Signing Request from existing Private Key

# Builds a new CSR (-new) signed with the existing private.key; no new key is
# generated. If private.key is passphrase-protected, openssl prompts for the
# passphrase before signing the request.
openssl req \
  -key private.key \
  -new -out certificate.csr -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

root@athos:~# openssl req \
>   -key private.key \
>   -new -out certificate.csr -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

3. Generate Self-Signed Certificate

# Creates a new 2048-bit RSA key and, because of -x509, emits a self-signed
# certificate valid for 365 days instead of a CSR.
# -nodes leaves private.key unencrypted on disk; restrict access to it.
# A self-signed certificate has no CA chain: clients must be configured to
# trust this exact certificate, otherwise validation fails (or gets bypassed).
# No subjectAltName is given on the command line, only a CN.
openssl req \
  -newkey rsa:2048 -nodes -keyout private.key \
  -x509 -days 365 -out certificate.crt -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

root@athos:~# openssl req \
>   -newkey rsa:2048 -nodes -keyout private.key \
>   -x509 -days 365 -out certificate.crt -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

4. Generate Self-Signed Certificate from existing Private Key

# Issues a self-signed certificate (-new -x509) valid for 365 days, signed with
# the existing private.key rather than a freshly generated key.
# Re-using a key keeps whatever exposure that key already has; generate a new
# key instead if the old one may have been copied or leaked.
openssl req \
  -key private.key \
  -new -x509 -days 365 -out certificate.crt \
  -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

root@athos:~# openssl req \
>   -key private.key \
>   -new -x509 -days 365 -out certificate.crt \
>   -subj "/C=MY/ST=Selangor/O=Zuhdi/CN=athos.host"

5. Generate Self-Signed Certificate from existing Private Key and Certificate Signing Request

# Turns an existing CSR (-req -in certificate.csr) into a certificate that is
# self-signed with private.key (-signkey), valid for 365 days.
# NOTE(review): with this OpenSSL generation, x509 -req does not carry
# extensions requested in the CSR into the certificate unless they are supplied
# through -extfile/-extensions; confirm with `openssl x509 -noout -text`.
openssl x509 \
  -signkey private.key \
  -in certificate.csr \
  -req -days 365 -out certificate.crt

root@athos:~# openssl x509 \
>   -signkey private.key \
>   -in certificate.csr \
>   -req -days 365 -out certificate.crt

6. Generate Certificate Signing Request from existing Certificate & Private Key (for certificate renewal)

# Derives a CSR from an existing certificate (-x509toreq), signed with the
# matching private.key, so the renewal request keeps the same subject and the
# same key pair. Renewing with the old key does not help if that key has been
# exposed; in that case generate a new key and CSR instead.
openssl x509 \
  -in certificate.crt \
  -signkey private.key \
  -x509toreq -out certificate.csr

root@athos:~# openssl x509 \
>   -in certificate.crt \
>   -signkey private.key \
>   -x509toreq -out certificate.csr

7. Parse Certificate Signing Request PEM

root@athos:~# openssl req -in certificate.csr -noout -text -verify

8. Parse Certificate PEM

root@athos:~# openssl x509 -in certificate.crt -noout -text

9. Create Private Key (not password protected)

root@athos:~# openssl genrsa -out private.key 2048

10. Create Private Key (password protected)

root@athos:~# openssl genrsa -des3 -out private.key 2048

11. Verify Private Key

root@athos:~# openssl rsa -check -in private.key

12. Verify Private Key matches Certificate and Certificate Signing Request (the three modulus digests must be identical)

root@athos:~# ls -lF
total 12
-rw-r--r-- 1 root root 1233 Jun  2 08:34 certificate.crt
-rw-r--r-- 1 root root 3416 Jun  2 08:39 certificate.csr
-rw------- 1 root root 1704 Jun  2 08:34 private.key
root@athos:~# openssl rsa -noout -modulus -in private.key | openssl sha1
(stdin)= 3250e44f94902999a85e6dce8c49273f2a1a4128
root@athos:~# openssl x509 -noout -modulus -in certificate.crt | openssl sha1
(stdin)= 3250e44f94902999a85e6dce8c49273f2a1a4128
root@athos:~# openssl req -noout -modulus -in certificate.csr | openssl sha1
(stdin)= 3250e44f94902999a85e6dce8c49273f2a1a4128

13. Encrypt Private Key

# Writes a passphrase-encrypted copy of the key; openssl prompts for the
# passphrase. -des3 selects triple-DES, a legacy cipher; `openssl rsa` also
# accepts -aes256, which is the usual choice for new keys.
# The unencrypted private.key is left in place and must be removed or locked
# down separately.
openssl rsa -des3 \
  -in private.key \
  -out private_encrypted.key

root@athos:~# openssl rsa -des3 \
>   -in private.key \
>   -out private_encrypted.key

14. Decrypt Private Key

# With no cipher option, `openssl rsa` writes the output key unencrypted; it
# prompts for the passphrase when the input key is encrypted.
# Presumably private.key here is a passphrase-protected key (for example one
# created as in section 10). private_decrypted.key is plaintext key material,
# so restrict its permissions.
openssl rsa \
  -in private.key \
  -out private_decrypted.key

root@athos:~# openssl rsa \
>   -in private.key \
>   -out private_decrypted.key

15. Convert PEM to DER

# Re-encodes the certificate from PEM (the default input form) to binary DER.
# Only the encoding changes; the certificate contents and signature are the
# same, and no private key is involved.
openssl x509 \
  -in certificate.crt \
  -outform der -out certificate.der

root@athos:~# openssl x509 \
>   -in certificate.crt \
>   -outform der -out certificate.der

root@athos:~# openssl x509 -in certificate.der -inform DER -noout -text

16. Convert DER to PEM

# Re-encodes a DER certificate back to PEM (the default output form).
# The output name is certificate.crt, so an existing file of that name is
# overwritten.
openssl x509 \
  -inform der -in certificate.der \
  -out certificate.crt

root@athos:~# openssl x509 \
>   -inform der -in certificate.der \
>   -out certificate.crt

root@athos:~# openssl x509 -in certificate.crt -noout -text

17. Convert PEM to PKCS12

# Bundles private.key and certificate.crt into a PKCS#12 file (-export).
# openssl prompts for an export password; the .pfx contains the private key, so
# an empty or weak export password leaves the key effectively unprotected.
# Handle certificate.pfx as key material, not as a public certificate.
openssl pkcs12 \
  -inkey private.key \
  -in certificate.crt \
  -export -out certificate.pfx

root@athos:~# openssl pkcs12 \
>   -inkey private.key \
>   -in certificate.crt \
>   -export -out certificate.pfx

18. Convert PKCS12 to PEM

# Unpacks the PKCS#12 bundle into one PEM file; openssl prompts for the import
# password. -nodes writes the private key UNENCRYPTED, so despite its .crt name
# certificate.combined.crt holds the private key next to the certificate(s).
# Restrict its permissions and do not publish it as a certificate file.
openssl pkcs12 \
  -in certificate.pfx \
  -nodes -out certificate.combined.crt

root@athos:~# openssl pkcs12 \
>   -in certificate.pfx \
>   -nodes -out certificate.combined.crt

Hugo. Malte Kiefer & Zuhdi Najib.