To see the contents of a certificate:
openssl x509 -in my.cer -text -noout
To generate a new key and a certificate signing request (CSR) for it:
openssl req -newkey rsa:2048 -out new.csr -keyout new.key
To create a quick’n’dirty self-signed cert:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 730 -nodes -subj '/CN=localhost'
To remove the password from a key:
openssl rsa -in mysecure.key -out new.key
To sign a request with a cert authority, specific serial number (so no local serial file is used) and specific expiration:
openssl x509 -req -in ./mars.csr -inform PEM -CAkey ./idf/cakey.pem -CA ./idf/cacert.crt -out ./mars.cer -set_serial 1 -days 730
To sign a request for a cert for a CA (e.g. self-signed or for an intermediate authority), be sure to include the CA extensions:
openssl ca -in server/requests/some-ca.csr -days 730 -out server/certs/some-ca.cer -extensions v3_ca
To convert a base64-encoded cert to a binary cert:
openssl x509 -in my.crt -inform PEM -out my.pem -outform DER
To convert a base64-encoded key to a binary key:
openssl rsa -in key.pem -inform PEM -out keybin.pem -outform DER
To generate a new CSR from an existing cert and key:
openssl x509 -x509toreq -in <filename for existing crt> -signkey <filename for existing key> -out <filename for csr>
The smkeytool exports the private key in PKCS8 format with the passphrase provided by the user during the export itself. To reformat the key into base64 format without the passphrase:
openssl pkcs8 -in exportedEncryptedKey.key -inform DER -passin pass:<passphrase>
To use OpenSSL as a client, which is useful to retrieve a certificate from a server (e.g. LDAP SSL):
openssl s_client -connect <server>:<port>
To ensure a private key matches the public key, verify the modulus for each is the same:
openssl x509 -in public.cert -noout -modulus
openssl rsa -in private.key -noout -modulus
To convert a cert & private key into a single PFX file (note that the input cert must be PEM format, that is, base64 encoded, not binary):
openssl pkcs12 -inkey my.key -in my.cer -export -out my.pfx -name <alias>
To extract the private key from a PFX file:
openssl pkcs12 -in mycert.pfx -nocerts -out my.key
To import a PFX cert + key into a JKS:
keytool -importkeystore -srckeystore my.pfx -srcstoretype pkcs12 -destkeystore my.certs -deststoretype JKS
Quick and Dirty RHEL CA and SSL Cert
Set up OpenSSL RHEL Root CA:
# cd /etc/pki/CA
# echo 1000 > serial
# touch index.txt
# openssl genrsa -aes256 -out private/root.key 4096 (password="secret")
# openssl req -new -x509 -days 3650 -key private/root.key -sha256 -extensions v3_ca -out certs/root.cer
# chmod 400 private/root.key
Issue Server SSL cert:
# openssl genrsa -out private/smlnx1.sso.local.key 4096
# chmod 400 private/smlnx1.sso.local.key
# openssl req -sha256 -new -key private/smlnx1.sso.local.key -out certs/smlnx1.sso.local.csr
Country Name (2 letter code) [US]:
State or Province Name (full name) [Delaware]:
Locality Name (eg, city) [Wilmington]:
Organization Name (eg, company) [Sand Security Services LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:smlnx1.sso.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -keyfile private/root.key -cert certs/root.cer -extensions usr_cert -notext -md sha256 -in certs/smlnx1.sso.local.csr -out certs/smlnx1.sso.local.cer
# chmod 444 certs/smlnx1.sso.local.cer
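The same root-CA and server-cert procedure as a non-interactive, self-checking script (an added example, not part of the original notes): it carries its own config with the v3_ca and usr_cert sections, signs with "openssl x509 -req" and a serial file instead of "openssl ca", adds a subjectAltName (which clients now require in place of the CN), and finishes with the chain and modulus checks from earlier on the page. The CA name, directory layout and hostnames are assumptions.

```shell
#!/bin/sh
# Added example: Root CA + server cert, non-interactive. Uses an inline config and
# "openssl x509 -req" so no /etc/pki/CA, index.txt or system openssl.cnf is needed.
# All names and paths are assumptions for illustration.
set -eu

# Minimal config with the v3_ca and usr_cert sections used above. usr_cert gets a
# subjectAltName for $1, since hostname matching no longer falls back to the CN.
write_cnf() {
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        '[usr_cert]' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$1" > "$2"
}

# issue_server_cert HOST DIR: create the root CA in DIR (once) and issue a cert for
# HOST. Returns 0 only if the cert chains to the root and its key matches.
issue_server_cert() {
    host="$1"; dir="$2"
    mkdir -p "$dir"; write_cnf "$host" "$dir/ca.cnf"
    if [ ! -f "$dir/root.cer" ]; then
        # Root key + self-signed CA cert (-nodes: no passphrase, unlike -aes256 above)
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config "$dir/ca.cnf" -extensions v3_ca -subj "/CN=Quick and Dirty Root CA" \
            -keyout "$dir/root.key" -out "$dir/root.cer" 2>/dev/null
        chmod 400 "$dir/root.key"
    fi
    # Server key + CSR; the subject comes from -subj instead of the prompts
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Sign with usr_cert extensions; -CAserial/-CAcreateserial keep a serial file
    # (like "echo 1000 > serial") so every issued cert gets a distinct serial
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAserial "$dir/serial" -CAcreateserial -days 730 -sha256 \
        -extfile "$dir/ca.cnf" -extensions usr_cert -out "$dir/$host.cer"
    chmod 400 "$dir/$host.key"
    # Checks: chain validates against the root, and key modulus == cert modulus
    openssl verify -CAfile "$dir/root.cer" "$dir/$host.cer" >/dev/null
    [ "$(openssl x509 -in "$dir/$host.cer" -noout -modulus)" = \
      "$(openssl rsa -in "$dir/$host.key" -noout -modulus)" ]
}

if [ $# -eq 2 ]; then
    issue_server_cert "$1" "$2" && echo "issued $1 into $2"
fi
```

Run as "sh quickca.sh smlnx1.sso.local /tmp/quickca"; a second host name with the same directory reuses the root and gets the next serial.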