OpenSSL

OpenSSL.md

@@ -1 +1,76 @@
 # OpenSSL
+
+For my SSL keys and certificates I always use:
+* `.crt` for the certificates,
+* `.key` for the keys and
+* `.csr` for the CSRs
+While technically not correct I think this is more verbose.
+
+## General commands
+
+* Generate a new private key and Certificate Signing Request
+
+```
+openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key
+```
+
+* Generate a certificate signing request (CSR) for an existing private key
+
+```
+openssl req -out signing_request.csr -key private_key.key -new
+```
+
+* Generate a certificate signing request based on an existing certificate
+
+```
+openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key
+```
+
+* Remove a passphrase from a private key
+
+```
+openssl rsa -in old_private_key.key -out new_private_key.key
+```
+
+## Checking commands
+
+
+* Check a Certificate Signing Request (CSR)
+
+```
+openssl req -text -noout -verify -in signing_request.csr
+```
+
+* Check a private key
+
+```
+openssl rsa -in private_key.key -check
+```
+
+* Check a certificate
+
+```
+openssl x509 -in certificate.crt -text -noout
+```
+
+* Check a PKCS#12 file (.pfx or .p12)
+
+```
+openssl pkcs12 -info -in keystore.p12
+```
+
+## Debugging commands
+
+* Compare md5 hashes of certificate, key and CSR
+
+```
+openssl x509 -noout -modulus -in certificate.crt | openssl md5
+openssl rsa -noout -modulus -in privateKey.key | openssl md5
+openssl req -noout -modulus -in CSR.csr | openssl md5
+```
+
+* Check an SSL connection. All the certificates (including Intermediates) should be displayed
+
+```
+openssl s_client -connect www.paypal.com:443
+```