In my May 2011 post "SSL Management Tasks" I included some partially automated scripts for openssl on Windows and Linux/UNIX. This is a more in-depth look at certain openssl tasks and the associated commands.
Private Keys - Public-key (or asymmetric) cryptography uses private keys to decrypt messages and public keys to encrypt them. Generating a private key is the first step to creating a certificate signing request or a self-signed certificate. Run the openssl command:
$ openssl genrsa -out private.key 2048
Explaining the openssl command options in order:
- "genrsa" The standard openssl command to create a new key using the RSA algorithm. There are other algorithms available, however RSA is preferred.
- "2048" Use a custom 2048 bit modulus. If omitted, the default is an unacceptable 512 bits. The modulus is essentially the key's size: larger keys equal stronger encryption. Certificate Authorities generally do not accept values greater than 3072 yet keys with an 8192 bit modulus can be quickly generated.
- "-out" Output the private key to a file. If omitted, the key is sent to stdout.
$ openssl req -key private.key -new -out server.csr
Explaining the openssl command options in order:
- "req" The standard openssl command for X.509 Certificate Signing Request (CSR) management.
- "-key" Use the provided private key file to sign the CSR. The private key file's modulus determines the resulting public key modulus.
- "-new" Generate a new CSR from user input. No input file is provided/required.
- "-out" Output the CSR to a file. If omitted, the result is sent to stdout.
$ openssl req \
-key private.key \
-new -x509 \
-days 1440 \
-out public.crt
Explaining the openssl command options in order:
- "req" The standard openssl command for X.509 Certificate Signing Request (CSR) management.
- "-key" Use the provided private key file to sign the CSR. The private key file's modulus determines the resulting public key modulus.
- "-new" Generate a new CSR from user input. No input file is provided/required.
- "-x509" Self-sign the CSR as an SSL certificate.
- "-days" Use a custom number of days before certificate expiration. If omitted, the default is an unacceptable 30 days. The suggested 1440 days is approx. 4 years.
- "-out" Output the public key to a file. If omitted, the result is sent to stdout.
$ openssl req \
-newkey rsa:2048 -nodes \
-keyout private.key \
-x509 -days 1440 \
-out public.crt
Explaining the openssl command options in order:
- "-newkey" Generate a new private key file to sign the CSR.
- "rsa:2048" Generate private key using the RSA algorithm and a 2048 bit modulus.
- "-nodes" Do not DES encrypt the private key file or prompt for a password.
- "-keyout" Output the private key to a file.
- "-x509" Self-sign the CSR as an SSL certificate.
- "-days" Use a custom number of days before certificate expiration.
- "-out" Output the public key to a file. If omitted, the result is sent to stdout.
$ openssl pkcs12 \
-inkey private.key \
-in public.crt \
-name "Friendly Name" \
-export -out bundle.p12
Explaining the openssl command options in order:
- "-inkey" The private key file used to generate the public key.
- "-in" The public key file generated from the private key file.
- "-name" Include a friendly name for compatibility importing the PKCS#12 file later.
- "-export" A PKCS#12 file will be created, not parsed.
- "-out" Output the PKCS#12 to a file. If omitted, the result is sent to stdout.
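To tie the commands above together, here is an added example (not from the original post) that runs genrsa, req, req -x509 and pkcs12 in one directory and then checks that the private key, CSR, certificate and PKCS#12 bundle all carry the same RSA modulus, which is the quickest way to catch a key that was swapped or a certificate issued for a different key. It assumes openssl is on PATH; the subject "/CN=example.test" and the passphrase "placeholder" are constructed stand-ins so nothing prompts.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the post's commands and
# verifies the outputs belong together by comparing the RSA modulus in each.
# Assumes openssl is on PATH; "/CN=example.test" is a made-up subject and
# "placeholder" a stand-in PKCS#12 passphrase.
set -eu

# Fingerprint of the modulus in a key, CSR or certificate file.
# $1 = openssl subcommand that reads it (rsa | req | x509), $2 = file.
modulus_fp() {
    openssl "$1" -in "$2" -noout -modulus | openssl sha256 | awk '{print $NF}'
}

# Create private.key, server.csr, public.crt and bundle.p12 under $1.
make_artifacts() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    openssl req -key "$dir/private.key" -new -subj "/CN=example.test" \
        -out "$dir/server.csr" 2>/dev/null
    openssl req -key "$dir/private.key" -new -x509 -days 1440 \
        -subj "/CN=example.test" -out "$dir/public.crt" 2>/dev/null
    openssl pkcs12 -inkey "$dir/private.key" -in "$dir/public.crt" \
        -name "Friendly Name" -export -passout pass:placeholder \
        -out "$dir/bundle.p12" 2>/dev/null
}

# Return 0 only if key, CSR, certificate and the certificate inside the
# PKCS#12 bundle share one modulus; otherwise report the fingerprints.
verify_artifacts() {
    dir=$1
    key=$(modulus_fp rsa  "$dir/private.key")
    csr=$(modulus_fp req  "$dir/server.csr")
    crt=$(modulus_fp x509 "$dir/public.crt")
    p12=$(openssl pkcs12 -in "$dir/bundle.p12" -nokeys -clcerts \
              -passin pass:placeholder 2>/dev/null \
          | openssl x509 -noout -modulus | openssl sha256 | awk '{print $NF}')
    if [ "$key" = "$csr" ] && [ "$key" = "$crt" ] && [ "$key" = "$p12" ]; then
        echo "OK: key, CSR, certificate and bundle share modulus $key"
        return 0
    fi
    echo "MISMATCH: key=$key csr=$csr crt=$crt p12=$p12" >&2
    return 1
}
```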
$ openssl rsa -in private.key -text -noout
$ openssl req -in server.csr -text -noout
$ openssl x509 -in public.crt -text -noout
$ openssl pkcs12 -in bundle.p12 -info -nokeys
Check back soon for a post on those openssl validation tasks. When writing this post I used the following sites extensively:
http://openssl.org/docs/apps/openssl.html
http://en.wikipedia.org/wiki/Digital_certificates
http://en.wikipedia.org/wiki/Asymmetric_key_algorithm
Your feedback is needed! If this post was helpful, incorrect or could be better, please comment below.
Also see my other SSL related posts:
SSL Management Tasks
SSL Management Tasks Revisited
Retrieve SSL certificates