# OpenSSL For my SSL keys and certificates I always use: * `.crt` for the certificates, * `.key` for the keys and * `.csr` for the CSRs While technically not correct, I think this is more verbose. ## General commands ### Generate a new private key The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024. `-outform PEM` controls the form of the key. Values are `PEM` and `DER`. If you want to encrypt the key add the following parameters: `-aes-128-cbc -pass pass:test123`. Instead of `-aes-128-cbc` you can use other ciphers (e.g. `-des3`). If you omit the `-pass` argument you will be asked for a password. ``` openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out private_key.key ``` ### Generate a new private key and certificate ``` openssl req -x509 -newkey rsa:4096 -keyout private_key.key -out certificate.crt -sha256 -days 365 ``` ### Generate a new private key and certificate signing request (CSR) ``` openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key -sha256 ``` ### Generate a certificate signing request (CSR) for an existing private key ``` openssl req -out signing_request.csr -key private_key.key -new -sha256 ``` ### Pass Subject and SubjectAlternativeName directly: ``` -subj "/C=DE/CN=example.tld" -addext "subjectAltName=DNS:example.tld,DNS:example2.tld,IP:127.0.0.1" ``` ### Generate a certificate signing request based on an existing certificate ``` openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key ``` ### Encrypt a (RSA) private key ``` openssl rsa -des3 -in unencrypted.key -out encrypted.key ``` ### Decrypt a (RSA) private key ``` openssl rsa -in encrypted.key -out decrypted.key ``` ## Checking commands ### Check a Certificate Signing Request (CSR) ``` openssl req -text -noout -verify -in signing_request.csr ``` ### Get information about a private key ``` openssl rsa -text -noout -in private_key.key ``` ### Check a private key ``` openssl rsa -check -in private_key.key ``` ### Check a certificate ``` openssl x509 -text -noout -in certificate.crt ``` ### Check a PKCS#12 file (.pfx or .p12) ``` openssl pkcs12 -info -in keystore.p12 ``` ## Debugging commands ### Compare md5 hashes of certificate, key and CSR ``` openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in private_key.key | openssl md5 openssl req -noout -modulus -in signing_request.csr | openssl md5 ``` ### Check an SSL connection. All certificates (including intermediates) should be displayed. ``` openssl s_client -connect gitea.forkmissile.de:443 ```