SSL Certificate Management - Quick Reference

• Create SSL Certificate
  • Create a Root CA
  • Create Server Key, CSR and Certificate
• How to verify SSL Certificates
  • Verify Certificate and Key
  • Change or remove passhphrase
  • Extract from PFX file
  • Extract Certificate from P7B file
• References

Create SSL Certificate

Create a Root CA

## create CA key
## remove the -des3 option for non-password protected key 
openssl genrsa -des3 -out myserver-CA.key  4096

## self-sign CA Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out myserver-CA.pem

Create Server Key, CSR and Certificate

## Create a new SSL Key for server/app
openssl genrsa -out myserver.key 2048

Generate Certificate Signing Request and Key only

$ openssl req -newkey rsa:2048 \ 
  -keyout server.key \
  -out server.csr

Generate Certificate Signing Request with details as arguments

$ openssl req -new \
  -subj "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/CN=todo-https.apps.ocp4.example.com" \
  -key myserver.key \
  -out myserver.csr

Check and verify certificate details

$ openssl x509 -in server.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

$ openssl pkcs12 -info -in keyStore.p12

Check and verify Key file

$ openssl rsa -in server.key -check 

Verify CSR content

$ openssl req -in server.csr -noout -text
$ openssl req -in server.csr -noout -text -verify 

## Generate Certificate using CSR and CA
## openssl x509 -req -in <CSR FILE> \
##   -CA <CA FILE> -CAkey myserver-CA.key -CAcreateserial \
##   -passin file:passphrase.txt \
##   -out <EXPORT CRT> -days 3650 -sha256 -extfile myserver.ext
$ openssl x509 -req \
  -passin file:passphrase.txt \
  -CA myserver-CA.pem -CAkey myserver-CA.key -CAcreateserial \
  -in myserver.csr \
  -out myserver.crt \
  -days 1825 -sha256 -extfile myserver.ext

## verify certificte content
$ openssl x509 -in myserver.crt -text -noout

How to verify SSL Certificates

Verify Certificate and Key

You should get the same md5 output for all commands.

# certificate
$ openssl x509 –noout –modulus –in <file>.crt | openssl md5

# key
$ openssl rsa –noout –modulus –in <file>.key | openssl md5

# csr
$ openssl req -noout -modulus -in <file>.csr | openssl md5

Check the Key only

$ openssl rsa -check -noout -in myserver.key
RSA Key is ok

Change or remove passhphrase

Remove Passphrase from SSL key

$ openssl rsa -in original.key -out new.key

Change the passphrase of the SSL Key

$ openssl rsa -aes256 -in original.key -out new.key

Extract from PFX file

$ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

Extract Certificate from P7B file

$ openssl pkcs7 -inform PEM -outform PEM -in certnew.p7b -print_certs > certificate.cer

References

• OpenSSL Commands