diff --git a/OpenSSL.md b/OpenSSL.md index 1024f87..637e221 100644 --- a/OpenSSL.md +++ b/OpenSSL.md 
@@ -4,56 +4,77 @@ For my SSL keys and certificates I always use: * `.crt` for the certificates, * `.key` for the keys and * `.csr` for the CSRs -While technically not correct I think this is more verbose. + +While technically not correct, I think this is more verbose. ## General commands -* Generate a new private key and Certificate Signing Request +### Generate a new private key + +The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024. +`-outform PEM` controls the form of the key. Values are `PEM` and `DER`. + +``` +openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out key.key +``` + +### Generate a new private key and Certificate Signing Request ``` openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key ``` -* Generate a certificate signing request (CSR) for an existing private key +### Generate a certificate signing request (CSR) for an existing private key ``` openssl req -out signing_request.csr -key private_key.key -new ``` -* Generate a certificate signing request based on an existing certificate +### Generate a certificate signing request based on an existing certificate ``` openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key ``` -* Remove a passphrase from a private key +### Encrypt a Private Key ``` -openssl rsa -in old_private_key.key -out new_private_key.key +openssl rsa -des3 -in unencrypted.key -out encrypted.key +``` + +### Decrypt a Private Key + +``` +openssl rsa -in encrypted.key -out decrypted.key ``` ## Checking commands - -* Check a Certificate Signing Request (CSR) +### Check a Certificate Signing Request (CSR) ``` openssl req -text -noout -verify -in signing_request.csr ``` -* Check a private key +### Get information about a private key ``` -openssl rsa -in private_key.key -check +openssl rsa -text -noout -in private_key.key ``` -* Check a certificate +### Check a private key + +``` +openssl rsa -check -in 
private_key.key +``` + +### Check a certificate ``` openssl x509 -in certificate.crt -text -noout ``` -* Check a PKCS#12 file (.pfx or .p12) +### Check a PKCS#12 file (.pfx or .p12) ``` openssl pkcs12 -info -in keystore.p12 @@ -61,7 +82,7 @@ openssl pkcs12 -info -in keystore.p12 ## Debugging commands -* Compare md5 hashes of certificate, key and CSR +### Compare md5 hashes of certificate, key and CSR ``` openssl x509 -noout -modulus -in certificate.crt | openssl md5 @@ -69,8 +90,10 @@ openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5 ``` -* Check an SSL connection. All the certificates (including Intermediates) should be displayed +### Check an SSL connection. + +All certificates (including intermediates) should be displayed. ``` -openssl s_client -connect www.paypal.com:443 +openssl s_client -connect schlapa.eutea.forkmissile.de:443 ```
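Review bot: In the first hunk, the new "Encrypt a Private Key" command uses `-des3`, which protects the key with Triple DES; `openssl rsa -aes256 -in unencrypted.key -out encrypted.key` would be the better default to document. In the same hunk, "The default value is 1024" under "Generate a new private key" is only true for older OpenSSL releases (newer ones default to 2048), so either name the version it applies to or drop the sentence and keep the explicit `rsa_keygen_bits:2048`. The rename from "Remove a passphrase from a private key" to "Decrypt a Private Key" also loses the hint that `decrypted.key` ends up on disk without a passphrase; a one-line remark about restricting the file's permissions would help. Minor: the new headings mix capitalisation ("Encrypt a Private Key" vs. "Check a private key"), and "more verbose" in the intro probably means "more descriptive".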
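Review bot: In the second hunk ("Compare md5 hashes of certificate, key and CSR"), the commands in this section use `privateKey.key` and `CSR.csr`, while every other section of the file uses `private_key.key` and `signing_request.csr`; since the heading line is being touched anyway, align the file names so the examples can be copied across sections. The heading could also say that `-modulus` only applies to RSA keys, and `openssl sha256` would work just as well as `openssl md5` for the comparison.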
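Review bot: In the last hunk, the example target changes from `www.paypal.com:443` to `schlapa.eutea.forkmissile.de:443`, which looks like a personal host that may not stay reachable; a placeholder such as `example.com:443` is safer for documentation. The new sentence "All certificates (including intermediates) should be displayed" does not match the command as written, because `s_client` only prints the full PEM chain when `-showcerts` is given, so add that flag, and consider `-servername` with the same host name so the server selects the intended certificate. The heading "### Check an SSL connection." keeps a trailing period that none of the other headings have.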