Reading
Create a folder
yury@u2004s01:~$ mkdir ca_tst
yury@u2004s01:~$ cd ca_tst
yury@u2004s01:~/ca_tst$
Common Steps
1 Private key
Private key creation with password
yury@u2004s01:~/ca_tst$ openssl genrsa -des3 -out server_withpasswd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................+++++
.....+++++
e is 65537 (0x010001)
Enter pass phrase for server_withpasswd.key:
Verifying - Enter pass phrase for server_withpasswd.key:
yury@u2004s01:~/ca_tst$ ls -l
total 4
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
Private key creation without password
yury@u2004s01:~/ca_tst$ openssl genrsa -out server_withoutpasswd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................................+++++
...................................................+++++
e is 65537 (0x010001)
yury@u2004s01:~/ca_tst$ ls -l
total 8
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
Removing the password from an existing private key (openssl rsa rewrites the key unencrypted; keep the output file at mode 0600, as created)
yury@u2004s01:~/ca_tst$ openssl genrsa -des3 -out server_withpasswd1.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................+++++
........................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server_withpasswd1.key:
Verifying - Enter pass phrase for server_withpasswd1.key:
yury@u2004s01:~/ca_tst$ openssl rsa -in server_withpasswd1.key -out server_withoutpasswd1.key
Enter pass phrase for server_withpasswd1.key:
writing RSA key
yury@u2004s01:~/ca_tst$ ls -l
total 16
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
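The same key handling without interactive prompts, as an added example that is not part of the original page. It assumes openssl 1.1.1 or 3.x on PATH, reads the passphrase from an environment variable (a "-passout pass:..." argument would be visible to every local user in ps), and adds the two checks a practitioner wants after stripping a passphrase: whether a PEM key file is actually encrypted, and whether the encrypted and the stripped file still hold the same key pair (same public-key digest). The passphrase and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl 1.1.1 or 3.x.
# Passphrase and working directory are constructed for the example.
set -e
WORK=$(mktemp -d)

# 2048-bit RSA key encrypted with AES-256 (stronger than the page's -des3),
# no prompt: the passphrase is read from an environment variable so that it
# does not appear in `ps` output the way "-passout pass:..." would.
make_encrypted_key() {
    KEYPASS=$2 openssl genrsa -aes256 -passout env:KEYPASS -out "$1" 2048 2>/dev/null
}

# Same as "openssl rsa -in ... -out ..." on the page: rewrite the key unencrypted.
strip_passphrase() {
    KEYPASS=$3 openssl rsa -in "$1" -passin env:KEYPASS -out "$2" 2>/dev/null
}

# 0 if the PEM file is encrypted. Traditional PEM (OpenSSL 1.1.1) marks this with
# "Proc-Type: 4,ENCRYPTED"; PKCS#8 (OpenSSL 3.x) uses an ENCRYPTED PRIVATE KEY block.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# SHA-256 over the DER-encoded public key. Two key files with the same digest
# hold the same key pair, whatever their passphrase state.
pubkey_fingerprint() {
    KEYPASS=${2:-} openssl rsa -in "$1" -passin env:KEYPASS -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

demo_keys() {
    pass='correct horse battery staple'
    make_encrypted_key "$WORK/enc.key" "$pass"
    strip_passphrase "$WORK/enc.key" "$WORK/plain.key" "$pass"
    chmod 600 "$WORK/enc.key" "$WORK/plain.key"   # openssl already does this; be explicit
    key_is_encrypted "$WORK/enc.key"              || { echo "enc.key is not encrypted"; return 1; }
    ! key_is_encrypted "$WORK/plain.key"          || { echo "plain.key is still encrypted"; return 1; }
    [ "$(pubkey_fingerprint "$WORK/enc.key" "$pass")" = "$(pubkey_fingerprint "$WORK/plain.key")" ] \
        || { echo "key files differ"; return 1; }
    echo "same key pair; unencrypted copy at $WORK/plain.key (mode 0600)"
}

demo_keys
```

The public-key digest comparison is the check to run before deploying a stripped key next to a certificate: it proves the unencrypted file is the same key and not a freshly generated one that the certificate will not match.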
2 Certificate signing request
yury@u2004s01:~/ca_tst$ openssl req -new -key server_withpasswd.key -out server_withpasswd.csr
Enter pass phrase for server_withpasswd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Ann Arbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDep
Common Name (e.g. server FQDN or YOUR name) []:mydomain.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Qq?1
An optional company name []:
yury@u2004s01:~/ca_tst$ ls -l
total 20
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:55 server_withpasswd.csr
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
yury@u2004s01:~/ca_tst$ openssl req -new -key server_withoutpasswd1.key -out server_withpasswd1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Ann Arbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDep
Common Name (e.g. server FQDN or YOUR name) []:mydomain.example.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Qq?1
An optional company name []:
yury@u2004s01:~/ca_tst$ ls -l
total 24
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:58 server_withpasswd1.csr
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:55 server_withpasswd.csr
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
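The CSR step without prompts, as an added example that is not from the original page. It assumes openssl 1.1.1 or later (for -addext). It puts the host name into a subjectAltName (modern clients ignore the CN), leaves the challenge password unset (the req -text output further down shows why: the attribute is stored in clear text inside a world-readable .csr), and then runs the checks a CA or an operator should run on any CSR: that its self-signature verifies, that it matches the private key, that the requested SAN is present, and that no challengePassword leaked in. The DN values, host name and working directory are constructed; the emailAddress field is omitted.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl 1.1.1+ (-addext).
# DN values, host name and working directory are constructed for the example.
set -e
WORK=$(mktemp -d)

# Unencrypted key, written mode 0600 by openssl.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# CSR with the DN from the page (emailAddress omitted) and a subjectAltName
# for the host and its www alias. No challenge password: that attribute is
# stored in clear text in the CSR and the .csr file is world-readable.
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=US/ST=Michigan/L=Ann Arbor/O=MyCompany/OU=MyDep/CN=$3" \
        -addext "subjectAltName=DNS:$3,DNS:www.$3"
}

# Check 1: the CSR's self-signature verifies (proof that the requester holds
# the private key). The exit status of "req -verify" is 0 even on failure in
# 1.1.1, so match the message instead of the status.
csr_verify() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Check 2: the key file and the CSR carry the same public key.
csr_matches_key() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r)
    r=$(openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r)
    [ "$k" = "$r" ]
}

# Check 3: the SAN actually made it into the request (prints the DNS list).
csr_san() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p'
}

# Check 4: 0 if a challengePassword attribute is present (it should not be).
csr_has_challenge_password() {
    openssl req -in "$1" -noout -text | grep -q 'challengePassword'
}

demo_csr() {
    host=mydomain.example.com
    make_key "$WORK/server.key"
    make_csr "$WORK/server.key" "$WORK/server.csr" "$host"
    csr_verify "$WORK/server.csr"                         || { echo "bad CSR signature"; return 1; }
    csr_matches_key "$WORK/server.key" "$WORK/server.csr" || { echo "CSR does not match key"; return 1; }
    ! csr_has_challenge_password "$WORK/server.csr"       || { echo "challenge password present"; return 1; }
    csr_san "$WORK/server.csr"
}

demo_csr
```

A CA will normally copy only the extensions it is configured to honour, so check 3 tells you what was asked for, not what will be issued; compare the issued certificate against the request with the same sed filter on openssl x509 -text.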
3 Obtaining certificate
Self-signed certificate creation
- inputs: the CSR file (-in, the request) and the private key file (-signkey, the key the CSR was generated with; the certificate is signed with it, which is why the passphrase prompt appears below)
yury@u2004s01:~/ca_tst$ openssl x509 -req -days 365 -in server_withpasswd.csr -signkey server_withpasswd.key -out server_withpasswd.crt
Signature ok
subject=C = US, ST = Michigan, L = Ann Arbor, O = MyCompany, OU = MyDep, CN = mydomain.example.com, emailAddress = [email protected]
Getting Private key
Enter pass phrase for server_withpasswd.key:
yury@u2004s01:~/ca_tst$ ls -l
total 28
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:58 server_withpasswd1.csr
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw-rw-r-- 1 yury yury 1359 Jan 10 10:03 server_withpasswd.crt
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:55 server_withpasswd.csr
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
yury@u2004s01:~/ca_tst$ openssl x509 -req -days 365 -in server_withpasswd1.csr -signkey server_withoutpasswd1.key -out server_withoutpasswd1.crt
Signature ok
subject=C = US, ST = Michigan, L = Ann Arbor, O = MyCompany, OU = MyDep, CN = mydomain.example.com, emailAddress = [email protected]
Getting Private key
yury@u2004s01:~/ca_tst$ ls -l
total 32
-rw-rw-r-- 1 yury yury 1359 Jan 10 10:05 server_withoutpasswd1.crt
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:58 server_withpasswd1.csr
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw-rw-r-- 1 yury yury 1359 Jan 10 10:03 server_withpasswd.crt
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:55 server_withpasswd.csr
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
View certificate
yury@u2004s01:~/ca_tst$ openssl x509 -noout -text -in server_withpasswd.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
27:43:78:0f:09:80:a6:e5:65:26:66:2a:7d:b7:ed:fc:a0:2a:de:3b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Michigan, L = Ann Arbor, O = MyCompany, OU = MyDep, CN = mydomain.example.com, emailAddress = [email protected]
Validity
Not Before: Jan 10 10:03:24 2022 GMT
Not After : Jan 10 10:03:24 2023 GMT
Subject: C = US, ST = Michigan, L = Ann Arbor, O = MyCompany, OU = MyDep, CN = mydomain.example.com, emailAddress = [email protected]
...
- Note: Issuer == Subject for a self-signed certificate
- Note: Version: 1 (0x0) means the certificate carries no X.509v3 extensions. openssl x509 -req -signkey emits a v1 certificate unless -extfile/-extensions is given, so there is no subjectAltName; Chrome and Firefox match the host name against the SAN only (the CN is ignored), so they will reject this certificate for mydomain.example.com even after it has been trusted.
View Certificate Signing Request
yury@u2004s01:~/ca_tst$ openssl req -noout -text -in server_withpasswd.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = US, ST = Michigan, L = Ann Arbor, O = MyCompany, OU = MyDep, CN = mydomain.example.com, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ca:36:f4:46:75:7e:d6:01:9e:7f:77:3e:ec:ba:
85:78:3b:fc:92:5a:9e:28:56:d4:76:48:36:90:01:
...
Exponent: 65537 (0x10001)
Attributes:
challengePassword :Qq?1
Signature Algorithm: sha256WithRSAEncryption
70:39:89:af:07:d5:22:ca:f5:28:0d:5c:25:78:7f:9d:1d:a2:
0e:2f:bf:f9:b1:ab:1e:79:31:ea:46:20:65:a9:97:ea:b9:be:
...
View Certificate Key
yury@u2004s01:~/ca_tst$ openssl rsa -noout -text -in server_withpasswd.key
Enter pass phrase for server_withpasswd.key:
RSA Private-Key: (2048 bit, 2 primes)
modulus:
00:ca:36:f4:46:75:7e:d6:01:9e:7f:77:3e:ec:ba:
...
Self-signed certificate in one command (-nodes writes the key unencrypted; -days 9999 is about 27 years, far longer than any client should trust a single key)
yury@u2004s01:~/ca_tst$ openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout server_withoutpasswd3.key -out server_withoutpasswd3.crt
Generating a RSA private key
...........................................................................+++++
......................................+++++
writing new private key to 'server_withoutpasswd3.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Ann Arbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:MyDep
Common Name (e.g. server FQDN or YOUR name) []:mydomain.example.com
Email Address []:[email protected]
yury@u2004s01:~/ca_tst$ ls -l
total 40
-rw-rw-r-- 1 yury yury 1359 Jan 10 10:05 server_withoutpasswd1.crt
-rw------- 1 yury yury 1675 Jan 10 09:35 server_withoutpasswd1.key
-rw-rw-r-- 1 yury yury 1480 Jan 10 10:25 server_withoutpasswd3.crt
-rw------- 1 yury yury 1708 Jan 10 10:23 server_withoutpasswd3.key
-rw------- 1 yury yury 1679 Jan 10 09:31 server_withoutpasswd.key
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:58 server_withpasswd1.csr
-rw------- 1 yury yury 1743 Jan 10 09:34 server_withpasswd1.key
-rw-rw-r-- 1 yury yury 1359 Jan 10 10:03 server_withpasswd.crt
-rw-rw-r-- 1 yury yury 1102 Jan 10 09:55 server_withpasswd.csr
-rw------- 1 yury yury 1751 Jan 10 09:30 server_withpasswd.key
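The one-command certificate, and the two-step x509 -req variant from step 3, done non-interactively and as X.509 v3 certificates with a subjectAltName; an added example, not from the original page. It assumes openssl 1.1.1 or later. After issuing, it checks what a client would check: the certificate version (3, not the 1 shown in the x509 -text output above), the SAN, and hostname verification with the certificate as its own trust anchor. Host name, DN, validity (365 days instead of 9999) and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl 1.1.1+.
# Host name, DN, validity and working directory are constructed for the example.
set -e
WORK=$(mktemp -d)

# Key and self-signed certificate in one command, no prompts, no passphrase
# (-nodes), subjectAltName set. 365 days rather than the page's 9999: a key
# that is never rotated for 27 years is a liability, not a convenience.
selfsign() {
    host=$1; key=$2; crt=$3; days=${4:-365}
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=US/ST=Michigan/L=Ann Arbor/O=MyCompany/OU=MyDep/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$key" -out "$crt" 2>/dev/null
}

# The two-step variant from step 3 (CSR, then x509 -req -signkey). Without
# -extfile this yields the Version 1 certificate shown on the page, with no
# SAN; the extensions have to be supplied explicitly at signing time.
selfsign_from_csr() {
    host=$1; key=$2; crt=$3
    openssl req -new -key "$key" -subj "/CN=$host" -out "$WORK/req.csr"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/req.csr" -signkey "$key" \
        -extfile "$WORK/ext.cnf" -out "$crt" 2>/dev/null
}

# "3" for an X.509 v3 certificate, "1" for the extension-less v1 form.
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# DNS names in the SAN, empty if the certificate has none.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed -n 's/^ *DNS:/DNS:/p'
}

# What a client does: trust the certificate as its own anchor (-CAfile) and
# check that the name it connects to is covered. Exit 0 only on "OK".
cert_verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

demo_selfsigned() {
    host=mydomain.example.com
    selfsign "$host" "$WORK/a.key" "$WORK/a.crt"
    [ "$(cert_version "$WORK/a.crt")" = 3 ]            || { echo "a.crt is not v3"; return 1; }
    [ "$(cert_san "$WORK/a.crt")" = "DNS:$host" ]       || { echo "a.crt has no SAN"; return 1; }
    cert_verify_host "$WORK/a.crt" "$host"              || { echo "hostname check failed"; return 1; }
    ! cert_verify_host "$WORK/a.crt" other.example.com  || { echo "wrong host accepted"; return 1; }
    selfsign_from_csr "$host" "$WORK/a.key" "$WORK/b.crt"
    [ "$(cert_version "$WORK/b.crt")" = 3 ]            || { echo "b.crt is not v3"; return 1; }
    openssl x509 -in "$WORK/a.crt" -noout -subject -fingerprint -sha256
}

demo_selfsigned
```

The SHA-256 fingerprint printed at the end is the value to pin or to compare out of band when a client is told to trust this certificate; with a self-signed certificate there is no issuer to vouch for it, so that comparison is the whole trust decision.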