This is a very simple openssl howto. I made this mainly because I'm mostly too lazy to remember how to make a key and a CSR (certificate signing request). Here are the steps you have to enter at your command line to get a key and CSR file:
Create a password-protected key:
openssl genrsa -des3 -out domainname.key 2048
Or one without a password:
openssl genrsa -out domainname.key 2048
Create the signing request. Enter the URL or email address in the CN (Common Name) field:
openssl req -new -key domainname.key -out domainname.csr
Verify your input:
openssl req -noout -text -in domainname.csr
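The key and CSR steps above as one non-interactive script, with a check that the CSR really carries the public key of the key file. This is an added example, not part of the original howto; it uses the unencrypted-key variant, and the file names, the CN value and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original howto. File names, the CN value and
# the function names are placeholders chosen for illustration.

# Create an unencrypted 2048-bit RSA key and a CSR without interactive prompts.
# $1 = base name for the files, $2 = Common Name
make_key_and_csr() {
    (
        umask 077   # files created here are readable by the owner only
        openssl genrsa -out "$1.key" 2048 &&
        openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
    )
}

# Succeed only if the CSR carries the public key that belongs to the key file.
# $1 = key file, $2 = CSR file
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Print the subject line of a CSR, to confirm the CN before sending it off.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Direct use: sh make_csr.sh domainname www.example.test
if [ "$#" -eq 2 ]; then
    make_key_and_csr "$1" "$2" &&
    key_matches_csr "$1.key" "$1.csr" &&
    csr_subject "$1.csr"
fi
```

The same public-key comparison catches the common mistake of pairing a CSR with the wrong key file when several domains are handled in one directory.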
Here is another example of how to make a self-signed cert with one command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
When you get a certificate, you will probably want to check what's in it:
openssl x509 -text -in cert.pem
And for some applications you need the fingerprint of the certificate, here are two variants for md5 and sha1 fingerprints:
openssl x509 -md5 -fingerprint -in cert.pem
openssl x509 -sha1 -fingerprint -in cert.pem
When you get a password protected cert and don't want to enter the passphrase each time a daemon gets started, you can unlock it with the following command:
openssl rsa -in certin.pem -out certout.pem
Sometimes you have to deal with PKCS#12 certificate files; they can be converted from and to PEM format. The first line converts PEM to PKCS#12, the second line does the opposite (PKCS#12 files sometimes have the extension .pfx and sometimes .p12):
openssl pkcs12 -export -out mycert.p12 -in mycert.pem -name "Certificate"
openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes