Your shopping cart is empty.

The Joy of OpenSSL

Get into the correct directory:
cd /etc/pki/tls/certs

Generate key
openssl genrsa -des3 -out mike.key 4096
chmod 600 mike.key

Generate signing request
openssl req -new -key mike.key -out mike.csr
chmod 600 mike.csr

Get the CA to sign the request
openssl x509 -req -days 10000 -in mike.csr -out mike.cert \
-CA /etc/pki/tls/certs/ \
-CAkey /etc/pki/tls/certs/ -CAcreateserial

openssl pkcs12 -export -in mike.cert -inkey mike.key -out mike.p12

Other OpenSSL Tricks

To strip the passphrase from a key (I.E. decrypt it)
openssl rsa -in mike.key -out mike-nopass.key

To display a cert's contents:
openssl x509 -text -in mike.cert

Create a PEM file with key and cert included:
cat mike-nopass.key mike.cert > mike.pem

Verify that a cert is ok to use as an HTTPS cert:
openssl verify -purpose sslserver -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/Milnet_HTTP.crt

Creating a new CA

  1. cd /etc/pki/CA
  2. openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ArmyCA.key -out certs/ArmyCA.crt -days 5000
  3. chmod 400 private/ArmyCA.key
  4. cd private
  5. ln -s ArmyCA.key cakey.pem
  6. cd ..
  7. ln -s certs/ArmyCA.crt cacert.pem
  8. openssl req -config ../tls/openssl.cnf -new -nodes -keyout private/Milnet_HTTP.key -out Milnet_HTTP.csr -days 5000
  9. openssl ca -config ../tls/openssl.cnf -policy policy_anything -out certs/Milnet_HTTP.crt -infiles Milnet_HTTP.csr
  10. cat certs/Milnet_HTTP.crt private/Milnet_HTTP.key > private/Milnet_HTTP-key-cert.pem