{"id":8,"date":"2016-06-08T04:35:01","date_gmt":"2016-06-08T04:35:01","guid":{"rendered":"http:\/\/www.f-bit.net\/?p=8"},"modified":"2021-01-11T20:04:03","modified_gmt":"2021-01-11T20:04:03","slug":"openssl-cheat-sheet","status":"publish","type":"post","link":"https:\/\/www.f-bit.net\/?p=8","title":{"rendered":"OpenSSL cheat sheet"},"content":{"rendered":"<ul>\n<li>To generate an RSA key:<\/li>\n<\/ul>\n<p>openssl genrsa -out &lt;filename to save key to&gt; &lt;key size in bits&gt;<br \/>\neg. to generate a 4096-bit key and save it to &#8220;private.key&#8221;, run the following command &#8211; <i>openssl genrsa -out private.key 4096<\/i><br \/>\nUse 2048 bits at minimum; 3072 or 4096 for a key that has to stay in service for years.<\/p>\n<ul>\n<li>To generate an Elliptic Curve key:<\/li>\n<\/ul>\n<p>openssl ecparam -out &lt;filename to save key to&gt; -name &lt;curve to use&gt; -genkey -noout<br \/>\nThe <b>-noout<\/b> matters: without it ecparam writes an EC PARAMETERS block in front of the key, and not every program that reads the key file accepts that. <i>openssl ecparam -list_curves<\/i> shows which curves your build supports.<\/p>\n<p>eg. to generate a key using the secp521r1 curve (the NIST curves prime256v1, secp384r1 and secp521r1 are the ones most widely supported by TLS-enabled applications), run the following command &#8211; <em>openssl ecparam -out wildcard.fishbowl.lan.key -name secp521r1 -genkey -noout<\/em><\/p>\n<ul>\n<li>To generate a CSR (aka Certificate Signing Request) from a key:<\/li>\n<\/ul>\n<p>openssl req -sha256 -new -key &lt;key filename&gt; -out &lt;csr filename&gt;<br \/>\nPass -sha256 explicitly: OpenSSL releases before 1.1.0 defaulted to SHA-1, and SHA-1 signatures are no longer accepted by browsers or public CAs.<br \/>\nExample command is: <i>openssl req -new -sha256 -key private.key -out private.csr<\/i><br \/>\nInspect the request with <i>openssl req -in private.csr -text -noout<\/i> before submitting it. Modern clients match the hostname against the subjectAltName extension and ignore the CN, so either the request or the signing profile (see the sidenote below) has to supply one.<\/p>\n<ul>\n<li>To sign a CSR with your CA (Certificate Authority) certificate:<\/li>\n<\/ul>\n<p>openssl ca -keyfile &lt;CA certificate key file&gt; -cert &lt;CA public certificate file&gt; -notext -md sha512 -days &lt;validity length, usually multiples of 365&gt; -in &lt;CSR file&gt; -out &lt;public certificate file&gt;<br \/>\nUse a SHA-2 digest such as <b>-md sha512<\/b> (sha256 or sha384 are equally fine); what matters is never to sign with sha1 or md5.<br \/>\n<i>openssl ca<\/i> needs the CA section of an openssl.conf (database, serial file, new_certs_dir, policy) and will not run without one; select the file with -config and add -batch to skip the interactive confirmation in scripts.<br \/>\nExample command is: <i>openssl ca -keyfile rootCA.key -cert rootCA.crt -notext -md sha512 -days 730 -in private.csr -out public.crt<\/i><br \/>\nConfirm that the result chains to your CA with <i>openssl verify -CAfile rootCA.crt public.crt<\/i>.<\/p>\n<p>Sidenote: to apply a section of your openssl.conf, for instance to create an intermediate certificate, include the parameter &#8220;-extensions v3_intermediate_ca&#8221;. The extension section is where basicConstraints (CA:TRUE for an intermediate, CA:FALSE for an end-entity certificate), keyUsage and subjectAltName are set, so sign every certificate with a section that fits its role.<\/p>\n<ul>\n<li>To generate a self-signed CA certificate from your CA key (used to sign your other certificates):<\/li>\n<\/ul>\n<p>openssl req -new -x509 -days &lt;length of validity&gt; -key &lt;keyfile&gt; -out &lt;CA certificate file&gt;<br \/>\nNo CSR is involved here: -x509 makes req emit a self-signed certificate instead of a request. Specify a long duration for -days, since once your root CA certificate expires every certificate it signed fails validation as well, even if those certificates are still within their own validity period.<br \/>\nExample command is: <i>openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt<\/i><\/p>\n<ul>\n<li>To combine a PEM-encoded x509 certificate and its key file into a single PKCS12\/PFX file (for instance for client certificate authentication):<\/li>\n<\/ul>\n<p>openssl pkcs12 -export -out &lt;PFX file&gt; -inkey &lt;Private key file&gt; -in &lt;Public certificate file&gt; -certfile &lt;CA file used to sign original public certificate&gt;<br \/>\nYou will be prompted for an export password. The PFX contains the private key, so protect the file as you would the key itself.<br \/>\nExample command is: <i>openssl pkcs12 -export -out client-auth.pfx -inkey private.key -in public.crt -certfile rootCA.crt<\/i><\/p>\n<ul>\n<li>To check the information in a certificate file:<\/li>\n<\/ul>\n<p>openssl x509 -in &lt;certificate file&gt; -text -noout<br \/>\nThis will display all the certificate information in the terminal. 
Hopefully no example command is needed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To generate an RSA key: openssl genrsa -out &lt;filename to save key to&gt; &lt;bitstrength of key&gt; eg: to generate a 4096-bit key and save it to &#8220;private.key&#8221;, run the following command &#8211; openssl genrsa -out private.key 4096 To generate an Elliptic Curve key: openssl ecparam -out &lt;filename to save key to&gt; -name &lt;curve to use&gt; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8"}],"version-history":[{"count":3,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/posts\/8\/revisions"}],"predecessor-version":[{"id":55,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=\/wp\/v2\/posts\/8\/revisions\/55"}],"wp:attachment":[{"href":"https:\/\/www.f-bit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.f-bit.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
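The cheat sheet's commands are normally run as one procedure: CA key, self-signed root, leaf key and CSR, signing with `openssl ca`, PFX export, then inspection. The script below is an added example, not code from the original post; it chains those steps into a throwaway two-tier PKI in a scratch directory. It assumes OpenSSL 1.1.1 or newer, supplies its own minimal config files with `-config` instead of relying on the system openssl.conf (the post's commands use the system one), fills in subjects with `-subj` so nothing prompts, and uses made-up names throughout (`demo_ca`, `v3_root`, `v3_leaf`, `www.example.test`, the export password `demo`). It goes slightly beyond the post in showing the directory layout `openssl ca` requires, an `-extensions` section for an end-entity certificate, and a hostname check with `openssl verify` for both the matching and a non-matching name.

```shell
#!/bin/sh
# Added example, not from the original post: the cheat sheet's commands chained
# into a throwaway two-tier PKI inside a scratch directory, so it runs offline.
# Assumptions: OpenSSL 1.1.1 or newer on PATH; every name below (demo_ca,
# v3_root, v3_leaf, www.example.test, the export password "demo") is made up.
set -eu

# Minimal configs. 'req' insists on a distinguished_name section even when the
# subject comes from -subj; 'ca' insists on a database/serial/new_certs_dir
# layout plus a policy section. v3_root/v3_leaf are the -extensions targets.
write_configs() {
  cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_root
[ dn ]
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = ./ca
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
policy         = policy_cn_only
default_md     = sha256
unique_subject = no
[ policy_cn_only ]
commonName = supplied
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:www.example.test
EOF
  mkdir -p "$1/ca/newcerts"
  : > "$1/ca/index.txt"       # empty issued-certificate database
  echo 1000 > "$1/ca/serial"  # next serial number, in hex
}

# Root key and self-signed root, leaf key and CSR, 'openssl ca' signing with an
# extension section, then key + cert + chain bundled into a PFX.
build_pki() {
  write_configs "$1"
  (
    set -e
    cd "$1"
    # -noout keeps the EC PARAMETERS block out of the key file.
    openssl ecparam -name secp384r1 -genkey -noout -out root.key
    # Self-signed root straight from the key: no CSR involved, long validity.
    openssl req -new -x509 -config req.cnf -key root.key -sha256 -days 3650 \
      -subj '/CN=Demo Root CA' -out root.crt
    # 2048 bits keeps the demo quick; 4096 works identically.
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key leaf.key -sha256 \
      -subj '/CN=www.example.test' -out leaf.csr
    # SAN, key usage and CA:FALSE come from v3_leaf, not from the CSR.
    openssl ca -config ca.cnf -batch -keyfile root.key -cert root.crt -notext \
      -md sha512 -days 730 -extensions v3_leaf -in leaf.csr -out leaf.crt 2>/dev/null
    openssl pkcs12 -export -out client.pfx -inkey leaf.key -in leaf.crt \
      -certfile root.crt -passout pass:demo
  )
}

# Chain and hostname check the way a TLS client does it; exit status is the verdict.
cert_is_valid_for() {
  openssl verify -CAfile "$1/root.crt" -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# Number of PEM blocks whose label ends in $2 (prints 0 when there are none).
count_pem_blocks() {
  grep -c -e "-----BEGIN.*$2-----" "$1" || true
}

# Number of certificates (leaf plus chain) stored in the PFX.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:demo -nokeys 2>/dev/null | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# 'sh demo_pki.sh run' builds everything in a temp dir and prints the leaf's identity.
main() {
  work=$(mktemp -d)
  build_pki "$work"
  openssl x509 -in "$work/leaf.crt" -noout -subject -issuer -dates
  openssl verify -CAfile "$work/root.crt" -verify_hostname www.example.test "$work/leaf.crt"
  printf 'PFX holds %s certificate(s)\n' "$(pfx_cert_count "$work/client.pfx")"
  rm -rf "$work"
}
case "${1:-}" in run) main ;; esac
```

Save it as demo_pki.sh and run `sh demo_pki.sh run`. The two config files are the part the cheat sheet leaves implicit: `openssl ca` refuses to start without the `database`, `serial` and `new_certs_dir` entries and a `policy` section, and the `-extensions v3_leaf` argument is what turns a bare CSR into a certificate with CA:FALSE, a key usage and a subjectAltName. `cert_is_valid_for` shows the check that matters in practice: the same leaf passes `openssl verify -verify_hostname` for www.example.test and fails it for any other name.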