Common OpenSSL Commands

These are some common OpenSSL commands.

Generating Keys/Certs

  • Generate new CSR and private key: openssl req -out csr.csr -new -sha256 -newkey rsa:4096 -nodes -keyout key.key
  • Generate CSR for an existing key: openssl req -out csr.csr -key key.key -new -sha256
  • Generate self signed cert and key: openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout key.key -out cert.crt
  • Generate CSR from an existing certificate: openssl x509 -x509toreq -in certificate.crt -out csr.csr -signkey key.key
  • Remove a password from a key: openssl rsa -in key-password.key -out key.key

Converting Files

  • Convert DER to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert PFX/PKCS#12 to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
  • Convert PEM to PFX/PKCS#12: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
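A round-trip check for the generation and conversion commands above, added here as an example and not part of the original page: it creates a throwaway self-signed certificate with `req -x509`, converts it PEM to DER and back, bundles it into PKCS#12 and extracts it again, comparing the SHA-256 fingerprint at every step so that a wrong file or a wrong `-inform` is caught before the certificate is deployed. The file names, the `demo.example.test` CN and the `PFXPASS` variable are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: convert a certificate between
# encodings and prove nothing changed by comparing SHA-256 fingerprints.
# All paths, the CN and the PFXPASS variable are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway self-signed certificate and key; -subj replaces the interactive prompts.
make_selfsigned() {
    openssl req -x509 -sha256 -nodes -days 30 -newkey rsa:2048 \
        -subj "/CN=demo.example.test" \
        -keyout "$WORK/key.key" -out "$WORK/cert.crt" 2>/dev/null
    echo "$WORK/cert.crt"
}

# SHA-256 fingerprint of a certificate; $2 names the encoding (pem or der).
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM -> DER -> PEM; succeeds only if all three copies have the same fingerprint.
roundtrip_ok() {
    pem="$1"
    openssl x509 -outform der -in "$pem" -out "$WORK/cert.der"
    openssl x509 -inform der -in "$WORK/cert.der" -out "$WORK/cert2.pem"
    a=$(fingerprint "$pem" pem)
    b=$(fingerprint "$WORK/cert.der" der)
    c=$(fingerprint "$WORK/cert2.pem" pem)
    [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# Bundle cert + key as PKCS#12, extract the cert again, compare fingerprints.
# The export password is passed via the environment (env:), not on the
# command line, so it does not land in shell history or `ps` output.
pkcs12_roundtrip_ok() {
    PFXPASS="${PFXPASS:-demo-only-password}"; export PFXPASS
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$WORK/bundle.pfx" -passout env:PFXPASS
    openssl pkcs12 -in "$WORK/bundle.pfx" -nodes -nokeys -out "$WORK/from_pfx.pem" -passin env:PFXPASS
    [ "$(fingerprint "$1" pem)" = "$(fingerprint "$WORK/from_pfx.pem" pem)" ]
}

# Usage: sh convert_check.sh run
if [ "${1:-}" = "run" ]; then
    cert=$(make_selfsigned)
    if roundtrip_ok "$cert"; then echo "PEM/DER round trip: fingerprints match"; else echo "MISMATCH"; exit 1; fi
    if pkcs12_roundtrip_ok "$cert" "$WORK/key.key"; then echo "PKCS#12 round trip: fingerprints match"; else echo "MISMATCH"; exit 1; fi
fi
```

The fingerprint is computed over the DER bytes of the certificate regardless of the container, which is why it is the right thing to compare across PEM, DER and PKCS#12; comparing file sizes or `cmp` output would only tell you the encodings differ.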

OpenSSL Configuration File

To generate a new key and a CSR from an OpenSSL configuration file (e.g. so that no input is required on the terminal and it is easy to script):

  1. Create the configuration file, e.g.:

     [ req ]
     default_bits       = 2048
     distinguished_name = req_distinguished_name
     req_extensions     = req_ext
     prompt             = no
     [ req_distinguished_name ]
     countryName         = US
     stateOrProvinceName = NA
     localityName        = N/A
     organizationName    = My Company
     commonName          = hostname.to.sign.com
     [ req_ext ]
     subjectAltName   = @alt_names
     keyUsage         = keyEncipherment, dataEncipherment
     extendedKeyUsage = serverAuth
     [alt_names]
     DNS.1   = hostname.to.sign.com
     #
     # Additional host names (Subject Alternative Names) can be added with further DNS lines.
     # The number for each name must be unique, e.g.:
     #DNS.2   = another.hostname.to.sign.com
     #
     # IPs can be added as well, both IPv4 and IPv6. The number for each IP address must also be unique, e.g.:
     #IP.3    = 192.168.1.1
     #IP.4    = ffff::1

  2. Run the OpenSSL command with the -config option: openssl req -new -out csr.txt -newkey rsa:4096 -nodes -sha256 -keyout key.txt -config ssl.conf
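The two steps above as one script, added here as an example and not part of the original page: it writes the configuration shown above from a common name plus a list of extra SANs (numbering the DNS and IP entries uniquely), creates the key and CSR with `-config` so nothing is prompted for, and then decodes the CSR to confirm that its self-signature verifies and that every SAN is really present before the request goes to a CA. The host names, IP addresses and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: generate the req configuration
# from a host name plus extra SANs, create key and CSR without prompts, then
# check the CSR really carries every SAN before handing it to a CA.
# The host names, IPs and file paths are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Print an OpenSSL req config for common name $1 and any further SANs.
# IPv6 (contains ':') and IPv4 (digits and dots only) become IP.n lines,
# everything else a DNS.n line; n keeps every entry number unique.
write_csr_config() {
    cn="$1"; shift
    cat <<EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = NA
localityName        = N/A
organizationName    = My Company
commonName          = $cn
[ req_ext ]
subjectAltName   = @alt_names
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = $cn
EOF
    n=2
    for san in "$@"; do
        case "$san" in
            *:*)       echo "IP.$n = $san" ;;   # IPv6
            *[!0-9.]*) echo "DNS.$n = $san" ;;  # contains letters: a host name
            *)         echo "IP.$n = $san" ;;   # only digits and dots: IPv4
        esac
        n=$((n + 1))
    done
}

# New key + CSR driven entirely by the config file (no terminal input).
make_csr() {
    openssl req -new -config "$1" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.txt" -out "$WORK/csr.txt" 2>/dev/null
    echo "$WORK/csr.txt"
}

# Check the CSR's self-signature (proves the request matches the private key).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. CN=host,O=My Company,...
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# True if the decoded CSR lists the given SAN exactly as OpenSSL prints it,
# e.g. "DNS:www.example.test" or "IP Address:192.168.1.1".
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF "$2"
}

# Usage: sh csr_from_config.sh run
if [ "${1:-}" = "run" ]; then
    write_csr_config hostname.to.sign.com another.hostname.to.sign.com 192.168.1.1 ffff::1 > "$WORK/ssl.conf"
    csr=$(make_csr "$WORK/ssl.conf")
    csr_verify "$csr" && csr_subject "$csr"
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
fi
```

Checking the decoded request matters because a CSR that was generated without `req_extensions` pointing at the right section silently contains no SANs at all, and browsers ignore the CN for host-name matching. The keyUsage values mirror the page's configuration; note that TLS servers negotiating ECDHE cipher suites sign the handshake with the certificate key, so in practice digitalSignature is also needed in keyUsage for such deployments.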
