SSL Certificate Management - Quick Reference

Create SSL Certificate
- Create a Root CA
- Create Server Key, CSR and Certificate
How to verify SSL Certificates
References

Create SSL Certificate

Create a Root CA

## create CA key
## remove the -des3 option for non-password protected key 
openssl genrsa -des3 -out myserver-CA.key  4096

## self-sign CA Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out myserver-CA.pem

Create Server Key, CSR and Certificate

## Create a new SSL Key for server/app
openssl genrsa -out myserver.key 2048

Generate Certificate Signing Request and Key only

$ openssl req -newkey rsa:2048 \ 
  -keyout server.key \
  -out server.csr

Generate Certificate Signing Request with details as arguments

$ openssl req -new \
  -subj "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/CN=todo-https.apps.ocp4.example.com" \
  -key myserver.key \
  -out myserver.csr

Check and verify certificate details

$ openssl x509 -in server.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

$ openssl pkcs12 -info -in keyStore.p12

Check and verify Key file

$ openssl rsa -in server.key -check 

Verify CSR content

$ openssl req -in server.csr -noout -text
$ openssl req -in server.csr -noout -text -verify 

## Generate Certificate using CSR and CA
## openssl x509 -req -in <CSR FILE> \
##   -CA <CA FILE> -CAkey myserver-CA.key -CAcreateserial \
##   -passin file:passphrase.txt \
##   -out <EXPORT CRT> -days 3650 -sha256 -extfile myserver.ext
$ openssl x509 -req \
  -passin file:passphrase.txt \
  -CA myserver-CA.pem -CAkey myserver-CA.key -CAcreateserial \
  -in myserver.csr \
  -out myserver.crt \
  -days 1825 -sha256 -extfile myserver.ext

## verify certificte content
$ openssl x509 -in myserver.crt -text -noout

How to verify SSL Certificates

Verify Certificate and Key

You should get the same md5 output for all commands.

# certificate
$ openssl x509 –noout –modulus –in <file>.crt | openssl md5

# key
$ openssl rsa –noout –modulus –in <file>.key | openssl md5

# csr
$ openssl req -noout -modulus -in <file>.csr | openssl md5

Check the Key only

$ openssl rsa -check -noout -in myserver.key
RSA Key is ok

Change or remove passhphrase

Remove Passphrase from SSL key

$ openssl rsa -in original.key -out new.key

Change the passphrase of the SSL Key

$ openssl rsa -aes256 -in original.key -out new.key

Extract from PFX file

$ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

Extract Certificate from P7B file

$ openssl pkcs7 -inform PEM -outform PEM -in certnew.p7b -print_certs > certificate.cer

References

OpenSSL Commands

SSL Certificate Management - Quick Reference

Create SSL Certificate

Create a Root CA

Create Server Key, CSR and Certificate

How to verify SSL Certificates

Verify Certificate and Key

Change or remove passhphrase

Extract from PFX file

Extract Certificate from P7B file

References

Written by Gineesh Follow

Latest Stories

ChatGPT and Google Bard What is the Future of Software Development

5 Effective Methods for Continuous Learning in AI ML and DevOps Era

Why I Choose Digital Detoxification A Personal Journey

ChatGPT and Beyond Why Continuous Learning is Critical for IT Professionals

Why ChatGPT is Not Ideal for Generating Ansible Playbooks

Featured

ChatGPT and Beyond Why Continuous Learning is Critical for IT Professionals

Why is Kubernetes certification so important 5 reasons I noticed

Free GitOps and CICD Courses and Certifications

Terraform Cheat Sheet

Kubernetes vs OpenShift 8211 15 Facts You Should Know

Introduction to OpenShift BootCamp

How to set up and use Python virtual environments for Ansible

5 Mistakes You Should Avoid During Kubernetes Exam

10 Tips for your Kubernetes Exam 8211 CKA 038 CKAD

CKA CKS 038 CKAD Learning Path and Certification