30th November 2023
OpenSSL is an effective tool for generating all kinds of keys and certificates. The CLI commands are, however, impossible to remember. This is my OpenSSL cheat sheet.
Create a CSR on a Linux machine
Modify the OpenSSL configuration file
OpenSSL comes pre-installed on most Linux machines, but the configuration file needs a little tweaking.
Edit /etc/ssl/openssl.cnf
nano /etc/ssl/openssl.cnf
Find each section and edit them accordingly:
[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
# Add this to the bottom of the file:
[ alt_names ]
DNS.1 = nas.bastuklubben.online
IP.1 = 2001:DB8:1234:A010::A
IP.2 = 10.10.1.10
Note: alt_names are SAN entries. Remember to update them between certificate requests.
My recommendation is also to enter default values for the distinguished name fields so you don't have to type them every time:
[ req_distinguished_name ]
countryName_default = NO
stateOrProvinceName_default = My_Province
localityName_default = My_Town
0.organizationName_default = Bastuklubben
organizationalUnitName_default = IT
Run the openssl req command
Basic RSA CSR request
openssl req -new -newkey rsa:4096 -keyout nas.key -out nas.csr -nodes
Use a Custom configuration file:
openssl req -new -config dnac_ssl.cnf -newkey rsa:4096 -keyout dnac.key -out dnac.csr -nodes
To verify the certificate request:
openssl req -noout -text -in nas.csr
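The same CSR procedure as above, but driven from a private request config written into a scratch directory rather than by editing /etc/ssl/openssl.cnf, with the two checks worth running before a request leaves the machine (self-signature and SAN contents). This is an added example, not code from the original post; the host name, addresses and DN values are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build a CSR with SAN entries from
# a private request config instead of editing /etc/ssl/openssl.cnf.
# Every host name, address and DN value below is a constructed placeholder.

# write_req_config DIR CN SAN...  -> prints the path of the config it wrote.
# SAN arguments use the form DNS:<name> or IP:<address> and are numbered into
# the [ alt_names ] section exactly the way the global config expects them.
write_req_config() {
    dir="$1"; cn="$2"; shift 2
    cfg="$dir/req.cnf"
    {
        echo "[ req ]"
        echo "distinguished_name = req_distinguished_name"
        echo "req_extensions = v3_req"
        echo "prompt = no"
        echo "[ req_distinguished_name ]"
        echo "C = NO"
        echo "O = Example Org"
        echo "OU = IT"
        echo "CN = $cn"
        echo "[ v3_req ]"
        echo "subjectAltName = @alt_names"
        echo "[ alt_names ]"
        dns=0; ip=0
        for san in "$@"; do
            case "$san" in
                DNS:*) dns=$((dns + 1)); echo "DNS.$dns = ${san#DNS:}" ;;
                IP:*)  ip=$((ip + 1));   echo "IP.$ip = ${san#IP:}" ;;
                *) echo "unknown SAN type: $san" >&2; return 1 ;;
            esac
        done
    } > "$cfg"
    echo "$cfg"
}

# make_csr DIR CN SAN... -> writes DIR/host.key and DIR/host.csr and prints the
# CSR path. The post uses rsa:4096; 2048 keeps this example fast to run.
make_csr() {
    dir="$1"; cn="$2"; shift 2
    cfg=$(write_req_config "$dir" "$cn" "$@") || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$dir/host.key" -out "$dir/host.csr" >/dev/null 2>&1 || return 1
    echo "$dir/host.csr"
}

# csr_signature_ok CSR -> exit 0 when the request's self-signature verifies,
# i.e. it was not corrupted in transit or edited by hand after signing.
csr_signature_ok() {
    openssl req -verify -noout -in "$1" >/dev/null 2>&1
}

# csr_has_san CSR TEXT -> exit 0 when the decoded request lists TEXT as a SAN,
# e.g. "DNS:nas.example.test" or "IP Address:10.10.1.10". Check this before
# submitting: a CA signs exactly the names you asked for, stale ones included.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q -- "$2"
}

# Stand-alone run: request a certificate for a constructed host and show its SANs.
work=$(mktemp -d)
csr=$(make_csr "$work" nas.example.test DNS:nas.example.test IP:10.10.1.10 IP:2001:db8::a)
openssl req -noout -text -in "$csr" | grep -A1 'Subject Alternative Name'
rm -rf "$work"
```

Keeping the request config next to the key and CSR also gives you a record of which SANs were requested for which host, which the global-config approach loses as soon as you edit [ alt_names ] for the next request.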
ECDSA CSR request
Source: https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/
To create an ECDSA private key with your CSR, you need to invoke a second OpenSSL utility to generate the parameters for the ECDSA key. This OpenSSL command will generate a parameter file for a NIST 256-bit ECDSA key:
openssl genpkey -genparam -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ECPARAM-P256.pem
Now, specify your parameter file when generating the CSR:
openssl req -newkey ec:ECPARAM-P256.pem -keyout nas.key -out nas.csr
EdDSA CSR request
Source: https://blog.pinterjann.is/ed25519-certificates.html
Alright, let's create a TLS certificate with one of Bernstein's safe curves. We can generate a X.509 certificate using ED25519 (or ED448) as our public-key algorithm by first computing the private key:
openssl genpkey -algorithm ED25519 > nas.key
Afterwards we can create a PKCS#10 Certificate Signing Request:
openssl req -new -out nas.csr -key nas.key
Note: You might struggle to find a web browser that supports EdDSA algorithms today.
Verify Certificates
Verify certificate file
Requires .pem format without a password. Note that openssl req only decodes certificate signing requests; an issued certificate is read with openssl x509:
openssl x509 -noout -text -in SAUNA-PUB.pem
Verify SSL webpage
openssl s_client -showcerts -verify 1 -connect nextcloud.bastuklubben.online:443
Install Certificates on Ubuntu
Install web certificate
Put the certificate and the key in correct folders:
sudo cp WIL-NMS.pem /etc/ssl/certs/nms.pem
sudo cp WIL-NMS.key /etc/ssl/private/nms.key
Update services:
sudo update-ca-certificates
Update the webservice with the new certificate
If it's an Apache web server, update the configuration so it points at the new certificate and key:
nano /etc/apache2/sites-available/librenms.conf
SSLCertificateFile /etc/ssl/certs/nms.pem
SSLCertificateKeyFile /etc/ssl/private/nms.key
sudo service apache2 restart
Install CA certificate on Ubuntu
Put CA certificates under /usr/local/share/ca-certificates in .crt format
sudo cp bastuklubben-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
CA certificates can then be found under /etc/ssl/certs/
Conversions
Convert CER to PEM
openssl x509 -in SAUNA-NMS.cer -outform PEM -out SAUNA-NMS.pem
Convert KEY to PEM
openssl rsa -in private.key -out privatekey.pem
(Add -text -noout instead of -out to inspect the key; with -text and a redirect the output file would contain the human-readable dump in front of the PEM block.)
Convert P7B to PEM
openssl pkcs7 -in Bastuklubben_Chain.p7b -inform DER -print_certs -out Bastuklubben_Chain.pem
Convert CRT to PEM
openssl x509 -inform DER -in bastuklubben-CA.crt -outform PEM -out bastuklubben-CA.pem
Convert PFX/P12 to PEM
PFX contains both certificate and key. You need to separate them:
Convert the .pfx without the keys:
openssl pkcs12 -in SAUNA-NMS.pfx -out SAUNA-NMS.pem -nokeys
Convert the same certificate including the keys:
openssl pkcs12 -in SAUNA-NMS.pfx -out SAUNA-NMS-withkey.pem
Key extraction:
RSA key:
openssl rsa -in SAUNA-NMS-withkey.pem -out SAUNA-NMS.key
ECDSA key:
openssl ec -in SAUNA-NMS-withkey.pem -out SAUNA-NMS.key
EdDSA key:
openssl pkey -in SAUNA-NMS-withkey.pem -out SAUNA-NMS.key
Combine the files into one .pem file (basically back to square one):
cat SAUNA-NMS.pem SAUNA-NMS.key > SAUNA-NMS-withkey.pem
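After a round of conversions it is easy to end up with a certificate and a key that no longer belong together, or a DER file that was silently mislabelled. The checks below cover the "Verify certificate file" section and the PFX/DER conversions above: a key-to-certificate match that works for RSA, ECDSA and EdDSA alike, an expiry check, and PEM/DER and PKCS#12 round trips. This is an added example, not code from the original post; the certificate and key are generated on the fly as constructed input, the PKCS#12 password is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on a certificate and
# key after converting them between formats. The pair is generated on the fly as
# constructed input, so nothing here touches a real certificate.

# make_test_pair DIR -> self-signed 1-day certificate DIR/test.pem + DIR/test.key
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test.example.test" \
        -keyout "$1/test.key" -out "$1/test.pem" >/dev/null 2>&1
}

# key_matches_cert CERT KEY -> exit 0 when KEY is the private key for CERT.
# Both sides are reduced to the SubjectPublicKeyInfo and hashed, so one check
# covers RSA, ECDSA and EdDSA keys (the rsa/ec/pkey extraction variants above).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT SECONDS -> exit 0 while CERT stays valid for SECONDS more.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# pem_der_roundtrip CERT -> PEM to DER to PEM; exit 0 when the SHA-256
# fingerprint survives, i.e. the conversion changed encoding only.
pem_der_roundtrip() {
    dir=$(dirname "$1")
    openssl x509 -in "$1" -outform DER -out "$dir/rt.der" || return 1
    openssl x509 -in "$dir/rt.der" -inform DER -outform PEM -out "$dir/rt.pem" || return 1
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$dir/rt.pem" -noout -fingerprint -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# pfx_roundtrip DIR -> bundle cert + key into PKCS#12, pull the key back out
# (as in the PFX section above) and confirm it still matches the certificate.
# The password is a constructed placeholder for the example only.
pfx_roundtrip() {
    openssl pkcs12 -export -in "$1/test.pem" -inkey "$1/test.key" \
        -passout pass:constructed -out "$1/test.pfx" || return 1
    openssl pkcs12 -in "$1/test.pfx" -passin pass:constructed -nodes -nocerts \
        -out "$1/from-pfx.key" >/dev/null 2>&1 || return 1
    key_matches_cert "$1/test.pem" "$1/from-pfx.key"
}

# Stand-alone run on a freshly generated pair.
work=$(mktemp -d)
make_test_pair "$work"
key_matches_cert "$work/test.pem" "$work/test.key" && echo "key matches certificate"
cert_valid_for "$work/test.pem" 3600 && echo "certificate still valid in an hour"
pem_der_roundtrip "$work/test.pem" && echo "PEM/DER round trip OK"
pfx_roundtrip "$work" && echo "PKCS#12 round trip OK"
rm -rf "$work"
```

Comparing public keys rather than moduli is deliberate: the classic openssl rsa -modulus trick only works for RSA, while the SubjectPublicKeyInfo comparison applies unchanged to the ECDSA and Ed25519 keys from the CSR sections above.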
Other OpenSSL commands
Generate a random hex string
openssl rand -hex 32
[root@sauna-ipa ~]# openssl rand -hex 32
8d35d5bb19fd7fe41ce1b4a0f306566d69773b1471198fc79c83029b4748bda0