This page gathers my own personal notes explaining how to use OpenSSL's command line utility.
To generate an RSA private key encrypted with triple DES under a pass phrase (1024-bit key; the randfile[s] contain random data used to seed the random number generator):
openssl genrsa -des3 -out mykey.pem [-rand randfiles] 1024
chmod 400 mykey.pem
To generate an RSA key pair
openssl genrsa -out privatekey.pem 2048
To generate DSA parameters
openssl dsaparam -outform DER -out param.der -text 1024
To generate a DSA private key (requires a DSA parameter PEM file)
openssl gendsa -out dsaprv.pem param.pem
To print DSA parameters (with -genkey, a DSA private key is generated as well)
openssl dsaparam -outform DER -genkey -out param.der -text 1024
To print out the components of a private key to standard out:
openssl rsa -noout -text -in key.pem
To change the pass phrase in the private key (a cipher option such as -des3 is required, otherwise the new key is written unencrypted):
cp key.pem key.pem.old
openssl rsa -des3 -in key.pem.old -out key.pem
To convert a private key from PEM to DER format:
openssl rsa -in userkey.pem -out userkey.der -outform DER
Output in DER the private key
openssl rsa -in privatekey.pem -out privatekey.der -outform DER
Output the public key in PEM or DER
openssl rsa -in privatekey.pem -out pubkey.pem -pubout [-outform DER]
$ openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 1000 -outform PEM
or:
openssl req -passout file:./passwd -x509 -newkey rsa -out rootcert.pem -config ./openssl.cnf -batch -sha1
openssl genrsa -des3 -out nodekey.pem 2048
openssl req -new -key nodekey.pem -out node.csr -days 1000 [-extensions user_ext]
openssl req -noout -text -verify -in userreq.pem
$ openssl x509 -req -in node.csr -out nodecert.pem -CAkey cakey.pem -CA cacert.pem -CAcreateserial -days 1000
TO DO: openssl ca -in testreq.pem -passin file:./passwd -out testcert.pem -config ./openssl.cnf -extensions v3_ca
$ openssl x509 -inform PEM -text < certificate.pem
or:
openssl x509 -noout -text -in cert.pem
To display the certificate MD5 fingerprint (-md5 is needed because -fingerprint defaults to SHA-1 in current OpenSSL):
openssl x509 -noout -md5 -fingerprint -in cert.pem
To display the certificate SHA1 fingerprint:
openssl x509 -noout -sha1 -fingerprint -in cert.pem
To verify certificate chains:
openssl verify [-CApath directory] cert.pem
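The CA, node key, request, signing and verification commands above, chained into one non-interactive run (an added example, not part of the original notes). The subject names, pass phrase and second "other" CA are constructed for the demo, and -aes256 / -sha256 are used here in place of -des3 / -sha1; the run also checks that the certificate is rejected under an unrelated CA and that it carries the node key's public key.

```shell
#!/bin/sh
# Added example: CA -> node key -> CSR -> signed certificate -> verification.
# Subjects, pass phrase and the temporary directory are constructed for the demo.
pki_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077              # same intent as chmod 400 in the notes: keys not readable by others
        pass=pass:demo-only    # constructed pass phrase; use a prompt or file: source in practice

        # Self-signed CA certificate, plus a second unrelated CA for the negative check
        for ca in ca other; do
            openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1000 \
                -subj "/CN=Demo $ca" -keyout "${ca}key.pem" -out "${ca}cert.pem" \
                2>/dev/null || exit 1
        done

        # Encrypted node key and its certificate signing request
        openssl genrsa -aes256 -passout "$pass" -out nodekey.pem 2048 2>/dev/null || exit 1
        openssl req -new -key nodekey.pem -passin "$pass" -subj "/CN=node.example" \
            -out node.csr || exit 1

        # The CA signs the request
        openssl x509 -req -in node.csr -out nodecert.pem -CAkey cakey.pem -CA cacert.pem \
            -CAcreateserial -days 1000 -sha256 2>/dev/null || exit 1

        # 1. The chain verifies against the issuing CA; 2. it is rejected under the other CA
        openssl verify -CAfile cacert.pem nodecert.pem >/dev/null 2>&1 && chain=ok || chain=bad
        openssl verify -CAfile othercert.pem nodecert.pem >/dev/null 2>&1 \
            && wrong=accepted || wrong=rejected

        # 3. The certificate carries the public key that belongs to nodekey.pem
        k=$(openssl rsa -in nodekey.pem -passin "$pass" -pubout 2>/dev/null | openssl sha256)
        c=$(openssl x509 -in nodecert.pem -noout -pubkey | openssl sha256)
        [ "$k" = "$c" ] && match=ok || match=bad

        # 4. The key on disk is stored encrypted
        grep -q ENCRYPTED nodekey.pem && enc=yes || enc=no

        echo "chain=$chain wrong_ca=$wrong keymatch=$match encrypted=$enc"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

pki_demo
```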
To convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -out cert.der -outform DER
To create a PKCS#12 file:
cat cert1.pem cert2.pem mycert.pem > certs.pem
openssl pkcs12 -export -in certs.pem -inkey mykey.pem -out user.p12 -name "Blah"
or in a single step:
openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out user.p12 -certfile othercerts.pem -name "Blah"
openssl pkcs12 -noout -info -in user.p12