***** Create a self signed cert ************ 1) openssl genrsa 1024 > client-key.pem 2) openssl req -new -x509 -nodes -sha1 -days 1000 -key client-key.pem > client-cert.pem 3) note md5 would be -md5 -- adding metadata to beginning 3) openssl x509 -in client-cert.pem -text > tmp.pem 4) mv tmp.pem client-cert.pem ***** Create a CA, signing authority ********** same as self signed, use ca prefix instead of client ***** Create a cert signed by CA ************** 1) openssl req -newkey rsa:1024 -sha1 -days 1000 -nodes -keyout server-key.pem > server-req.pem * note if using existing key do: -new -key keyName 2) copy ca-key.pem ca-cert.srl (why ????) 3) openssl x509 -req -in server-req.pem -days 1000 -sha1 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem ***** Adding Subject Key ID and Authentication Key ID extensions to a cert ***** Create a config file for OpenSSL with the example contents: [skidakid] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid Add to the openssl command for creating a cert signed by a CA step 3 the following options: -extfile -extensions skidakid anywhere before the redirect. This will add the cert's public key hash as the Subject Key Identifier, and the signer's SKID as the Authentication Key ID. ***** To create a dsa cert ******************** 1) openssl dsaparam 512 > dsa512.param # creates group params 2) openssl gendsa dsa512.param > dsa512.pem # creates private key 3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem ***** To convert from PEM to DER ************** a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER to convert rsa private PEM to DER : b) openssl rsa -in key.pem -outform DER -out key.der **** To encrypt rsa key already in pem ********** a) openssl rsa server-keyEnc.pem note location of des, pass = yassl123 *** To make a public key from a private key ****** openssl rsa -in 1024rsa.priv -pubout -out 1024rsa.pub **** To convert to pkcs8 ******* openssl pkcs8 -nocrypt -topk8 -in server-key.pem -out server-keyPkcs8.pem **** To convert to pkcs8 encrypted ******* openssl pkcs8 -topk8 -in server-key.pem -out server-keyPkcs8Enc.pem passwd: yassl123 to use PKCS#5 v2 instead of v1.5 which is default add -v2 des3 # file Pkcs8Enc2 to use PKCS#12 instead use -v1 which a 12 algo like -v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info -v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default **** To convert from pkcs8 to traditional **** openssl pkcs8 -nocrypt -in server-keyPkcs8.pem -out server-key.pem *** DH parameters *** openssl dhparam 2048 > dh2048.param to add metadata openssl dhparam -in dh2048.param -text > dh2048.pem **** ECC ****** 1) make a key to see types available do openssl ecparam -list_curves make a new key openssl ecparam -genkey -text -name secp256r1 -out ecc-key.pem convert to compressed openssl ec -in ecc-key.pem -conv_form compressed -out ecc-key-comp.pem *** CRL *** 1) create a crl a) openssl ca -gencrl -crldays 120 -out crl.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem Error No ./CA root/index.txt so: b) touch ./CA root/index.txt a) again Error No ./CA root/crlnumber so: c) touch ./CA root/crlnumber a) again Error unable to load CRL number d) add '01' to crlnumber file a) again 2) view crl file openssl crl -in crl.pem -text 3) revoke openssl ca -revoke server-cert.pem -keyfile ./ca-key.pem -cert ./ca-cert.pem Then regenerate crl with a) 4) verify openssl verify -CAfile ./ca-cert.pem ./server-cert.pem OK Make file with both ca and crl cat ca-cert.pem crl.pem > ca-crl.pem openssl verify -CAfile ./ca-crl.pem -crl_check ./ca-cert.pem revoked