Links

• startssl for sample steps to creating certificates.
• Example at Securing Traffic Between two Socat Instances Using SSL
• Good: Useful OpenSSL Commands
• openssl command line howto
• openssl manpage/docs
  • req subcommand
  • x509 subcommand
• Creating Certificate Authorities and self-signed SSL certificates
• Generate CSR for Apache SSL
• SO: Pem, cer, crt, key, pkcs, etc.
• SSL Test:  https://www.ssllabs.com/ssltest/

About: Key / Certificate / Certificate signing request

• All certificates are encrypted with a key file.
• A CA certificate could be self signed.
• A server or client certificate is usually signed by a CA cert/key (which may be self-signed.)
  • It could be self signed as well – but that's less useful.
  • Better to create a self signed CA key and sign all your client and server certs with that key. Then, the clients and servers can verify that the peer certificate is signed (with no chaining) with your CA key and keep the verification simple and robust.

• If you don't already have a key file, either for creating a self signed CA certificate, or for the server (or client), you can generate one this way.

  # Generate a new key and store in file "server.key".
  #
  # -des3 means that the server.key is encrypted and you need a password to read the key
  openssl genrsa -des3 -out server.key 4096
  

• Note: The server.key we generated is protected with a passphrase (-des3)

  • You can create a copy of it without a passphrase using

    openssl rsa -in server.key -out server.key.insecure
    mv server.key server.key.secure  
    mv server.key.insecure server.key
    

Create a self signed CA

• Generate the ca.key
  • openssl genrsa -out ca.key 4096
• Create a CSR
  • openssl req -sha256 -new -key ca.key -out ca.csr
• Sign the CSR with our own ca.key
  • openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
• Optionally, create a PEM encoded certificate trivially this way,
  • cat ca.key ca.crt > ca.pem
• Done.

Create a client or server certificate signed by this CA

• Generate the server or client key
  • openssl genrsa -out server.key 4096
• Create a CSR
  • openssl req -sha256 -new -key server.key -out server.csr
• Sign the CSR with our ca.key (this differs from the signing request for the CA by using -CA and -CAkey instead of -signkey.)
  • openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
• Done.

Operations on keys

# Extract just the public key.
openssl rsa -in key.pem -pubout > key.pub

# Create a copy without the passphrase
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure  
mv server.key.insecure server.key