This page gathers my own personal notes explaining how to use OpenSSL's command line utility.

Keys and requests

Generating keys

To generate a 1024-bit RSA private key and store it encrypted with triple DES under a pass phrase (randfile[s] are files of random data used to seed the random number generator):

openssl genrsa -des3 -out mykey.pem [-rand randfiles] 1024
chmod 400 mykey.pem

To generate an RSA key pair

openssl genrsa -out privatekey.pem 2048

To generate DSA parameters

openssl dsaparam -outform DER -out param.der -text 1024

To generate a DSA private key (requires the DSA parameters as a PEM file; the DER file produced above would have to be converted to PEM first)

openssl gendsa -out dsaprv.pem param.pem

Displaying information

To print the DSA parameters from the DER file generated above (-in and -noout, without -genkey, so nothing new is generated):

openssl dsaparam -inform DER -in param.der -noout -text

To print out the components of a private key to standard out:

openssl rsa -noout -text -in key.pem

Changing the passphrase

To change the pass phrase on the private key (keep -des3 or another cipher option on the rsa command: without one the new key file is written unencrypted):

cp key.pem key.pem.old
openssl rsa -des3 -in key.pem.old -out key.pem

Conversions

To convert a private key from PEM to DER format:

openssl rsa -in userkey.pem -out userkey.der -outform DER

Output in DER the private key

openssl rsa -in privatekey.pem -out privatekey.der -outform DER

Output the public key in PEM or DER

openssl rsa -in privatekey.pem -out pubkey.pem -pubout [-outform DER]

Certificates

Creating certificates

  • Create your Root CA's keys and its self-signed certificate:
    openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem -days 1000 -outform PEM
    or:
    openssl req -passout file:./passwd -x509 -newkey rsa -out rootcert.pem -config ./openssl.cnf -batch -sha1
  • For each node, create its key:
    openssl genrsa -des3 -out nodekey.pem 2048
  • For each node, create a certificate request (CSR):
    openssl req -new -key nodekey.pem -out node.csr -days 1000 [-extensions user_ext]
  • or all of the first three steps in one command:
    openssl req -newkey rsa:2048 -keyout … -out … -days
  • Send the certificate requests to your CA. The CA should verify each request (its self-signature and its contents) before signing:
    openssl req -noout -text -verify -in userreq.pem
  • and sign it if everything is okay:
    openssl x509 -req -in node.csr -out nodecert.pem -CAkey cakey.pem -CA cacert.pem -CAcreateserial -days 1000

TO DO: openssl ca -in testreq.pem -passin file:./passwd -out testcert.pem -config ./openssl.cnf -extensions v3_ca

Viewing certificates

openssl x509 -inform PEM -text < certificate.pem
or:
openssl x509 -noout -text -in cert.pem

To display the certificate MD5 fingerprint (MD5 is the default digest in OpenSSL 0.9.8; 1.0.0 and later default to SHA-1, so name the digest explicitly):

openssl x509 -noout -md5 -fingerprint -in cert.pem

To display the certificate SHA1 fingerprint:

openssl x509 -noout -sha1 -fingerprint -in cert.pem

Verify certificates

To verify certificate chains:

openssl verify [-CApath directory] cert.pem

Conversions

To convert a certificate from PEM to DER format:

openssl x509 -in cert.pem -out cert.der -outform DER

PKCS#12

Create a PKCS#12

To create a PKCS#12 file:

cat cert1.pem cert2.pem mycert.pem > certs.pem
openssl pkcs12 -export -in certs.pem -inkey mykey.pem -out user.p12 -name "Blah"

or in a single step:

openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out user.p12 -certfile othercerts.pem -name "Blah"

Print information

openssl pkcs12 -noout -info -in user.p12
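The PKCS#12 recipes above, as an added example of my own (not from the notes): it bundles a certificate, its key and an extra CA certificate into a .p12 without prompts, counts what the bundle contains, confirms that only the right pass phrase opens it, and unpacks the certificate and key again to show the round trip preserved them (the fingerprint check reuses the "viewing certificates" recipe). The self-signed certificates stand in for ones a CA would have issued; names and pass phrases are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes. Requires OpenSSL 1.0.0+.
# Certificates, names and pass phrases here are constructed for the demo.
set -e

# A self-signed certificate and key, standing in for a CA-issued one.
make_selfsigned() {     # make_selfsigned <dir> <common-name>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    chmod 400 "$1/$2.key"
}

# Export key + certificate + extra certificates into a .p12. The export
# pass phrase is given on the command line so this runs unattended.
make_p12() {            # make_p12 <certfile> <keyfile> <extra-certs> <outfile> <password>
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "demo" \
        -out "$4" -passout "pass:$5" 2>/dev/null
    chmod 400 "$4"
}

# Exit 0 only if the pass phrase opens the bundle (-noout: check, print nothing).
p12_password_ok() {     # p12_password_ok <p12file> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout >/dev/null 2>&1
}

# Number of certificates carried in the bundle.
p12_cert_count() {      # p12_cert_count <p12file> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pull the end-entity certificate back out (-clcerts: the one tied to the key).
p12_extract_cert() {    # p12_extract_cert <p12file> <password> <outfile>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

# Pull the private key back out, unencrypted, so protect the file at once.
p12_extract_key() {     # p12_extract_key <p12file> <password> <outfile>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
    chmod 400 "$3"
}

# SHA-1 fingerprint, the same value the "viewing certificates" recipe prints.
fingerprint() {         # fingerprint <certfile>
    openssl x509 -noout -sha1 -fingerprint -in "$1"
}

demo() {
    dir=$(mktemp -d)
    make_selfsigned "$dir" mycert
    make_selfsigned "$dir" othercert
    make_p12 "$dir/mycert.crt" "$dir/mycert.key" "$dir/othercert.crt" \
        "$dir/user.p12" 'export-pass'
    echo "certificates in bundle: $(p12_cert_count "$dir/user.p12" 'export-pass')"
    p12_password_ok "$dir/user.p12" 'wrong-pass' || echo "wrong pass phrase rejected"
    p12_extract_cert "$dir/user.p12" 'export-pass' "$dir/unpacked.crt"
    [ "$(fingerprint "$dir/unpacked.crt")" = "$(fingerprint "$dir/mycert.crt")" ] \
        && echo "unpacked certificate matches the original"
    rm -rf "$dir"
}
demo
```

Two practical notes: OpenSSL 3.0 changed the default .p12 encryption from the legacy RC2/3DES algorithms to AES-256 with PBKDF2, and older consumers of such files may need a bundle written with its `-legacy` option; and a .p12 holds the private key, so treat the file and its export pass phrase with the same care as the key itself.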
 
tools/openssl.txt · Last modified: 2009/02/28 15:21 (external edit)
(c) A. Apvrille - 2009