//This page gathers my own personal notes explaining how to use OpenSSL's command line utility.//

====== Keys and requests ======

===== Generating keys =====

To generate a triple DES private key which has to be encrypted with pass phrase, 1024 bits used for key, randfile[s] containing random data used to seed the random number generator
<code>
openssl genrsa -des3 -out mykey.pem [-rand randfiles] 1024
chmod 400 mykey.pem
</code>

To generate an RSA key pair
<code>
openssl genrsa -out privatekey.pem 2048
</code>

To generate DSA parameters
<code>
openssl dsaparam -outform DER -out param.der -text 1024
</code>

To generate a DSA private key (requires a DSA parameter PEM file)
<code>
openssl gendsa -out dsaprv.pem param.pem
</code>


    
===== Displaying information =====

To print DSA parameters
<code>
openssl dsaparam -outform DER -genkey -out param.der -text 1024
</code>

To print out the components of a private key to standard out:
<code>
openssl rsa -noout -text -in key.pem
</code>


===== Changing the passphrase =====
    
To change the pass phrase in the private key:
<code>
cp key.pem key.pem.old
openssl rsa -in key.pem.old -out key.pem
</code>

===== Conversions =====

To convert a private key from PEM to DER format:
<code>
openssl rsa -in userkey.pem -out userkey.der -outform DER 
</code>

Output in DER the private key
<code>
openssl rsa -in privatekey.pem -out privatekey.der -outform DER
</code>

Output the public key in PEM or DER 
<code>
openssl rsa -in privatekey.pem -out pubkey.pem -pubout [-outform DER]
</code>
               


====== Certificates ======

===== Creating certificates =====

  * Create your Root CA's keys, and its self signed certificate
<code>
$ openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 1000 -outform PEM
or:  openssl req -passout file:./passwd -x509 -newkey rsa -out rootcert.pem -config ./openssl.cnf -batch -sha1
</code>

  * For each node, create their keys:
<code>
openssl genrsa -des3 -out nodekey.pem 2048
</code>

  * For each node, create a certificate request (CSR):
<code>
openssl req -new -key nodekey.pem -out node.csr -days 1000 [-extensions user_ext]
</code>

  * or all first three steps in one command: openssl req -newkey rsa:2048 -keyout ... -out ... -days

  * Send the signed certificate requests to your CA. The CA should verify the certificate request:
<code>
   openssl req -noout -text -verify -in userreq.pem
</code>

  * and sign it if everything is okay:
<code>
$ openssl x509 -req -in node.csr -out nodecert.pem -CAkey cakey.pem -CA cacert.pem -CAcreateserial -days 1000
</code>

TO DO:
openssl ca -in testreq.pem -passin file:./passwd -out testcert.pem -config ./openssl.cnf -extensions v3_ca

===== Viewing certificates =====

<code>
$ openssl x509 -inform PEM -text < certificate.pem
or: openssl x509 -noout -text -in cert.pem
</code>

To display the certificate MD5 fingerprint:
<code>
openssl x509 -noout -fingerprint -in cert.pem
</code>

To display the certificate SHA1 fingerprint:
<code>
openssl x509 -noout -sha1 -fingerprint -in cert.pem
</code>

===== Verify certificates =====

To verify certificate chains:
<code>
openssl verify [-CApath directory] cert.pem
</code>

===== Conversions =====

To convert a certifcate from PEM to DER format:
<code>
openssl x509 -in cert.pem -out cert.der -outform DER 
</code>

====== PKCS#12 ======

===== Create a PKCS#12 =====

To create a PKCS#12 file:
<code>
cat cert1.pem cert2.pem mycert.pem > certs.pem
openssl pkcs12 -export -in certs.pem -inkey mykey.pem -out user.p12 -name "Blah"
</code>

or in a single step:
<code>
openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out user.p12 -certfile othercerts.pem -name "Blah"
</code>

===== Print information =====

<code>
openssl pkcs12 -noout -info -in user.p12
</code>