OpenSSL cheat sheet
This is my old site that I'm keeping up for historical purposes and is no longer updated. You probably want to see my new site.
·Create Certificate Request/Unsigned Key
·Fingerprint for Unsigned Certificate
·Generate Key
·Display Certificate Information
·Creating a PEM File for Servers
·Creating PKCS12-format File
·Signing E-mails
·Certificate Authority Functions
·Create CA Certificate
·Export CA Certificate in DER Format
·Revoke Certificate
·Generate Certificate Revocation List
·Sign Certificate Request
·Create Diffie-Hellman Parameters for Current CA
·Creating Self-Signed Certificate from Generated Key
·Command-line Tricks
·Simple file encryption
·Simple file decryption
End-user Functions
Create Certificate Request/Unsigned Key
openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem
- blah.key.pem will act as an SSLCertificateKeyFile for Apache; -nodes leaves it unencrypted (no passphrase)
Fingerprint for Unsigned Certificate
openssl x509 -subject -dates -fingerprint -in blah.crt.pem
- x509 reads a certificate, so -in names the certificate file rather than the key
Generate Key
openssl genrsa -out blah.key.pem
Display Certificate Information
openssl x509 -in blah.crt.pem -noout -text
Creating a PEM File for Servers
cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem
Creating PKCS12-format File
openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates"
Signing E-mails
openssl smime -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem
Certificate Authority Functions
When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create the directories private and newcert. Edit openssl.cnf: change default_days, certificate and private_key, and possibly the key size (1024, 1280, 1536, 2048), to whatever is desired.
Create CA Certificate
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
Export CA Certificate in DER Format
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
- Used by web browsers
Revoke Certificate
openssl ca -revoke blah.crt.pem
Generate Certificate Revocation List
openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl
Sign Certificate Request
openssl ca -out blah.crt.pem -in blah.req.pem
- blah.crt.pem acts as SSLCertificateFile for Apache
Create Diffie-Hellman Parameters for Current CA
openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536
Creating Self-Signed Certificate from Generated Key
openssl req -new -x509 -key blah.key.pem -out blah.crt.pem
- Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)
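The CA steps above, run end to end in a throwaway directory, as an added example that is not part of the original cheat sheet. The config file ca.cnf, the demo-CA file names, the subjects and the 30-day and 7-day lifetimes are assumptions made for the demo. It finishes by checking that the revoked certificate is rejected only by a verifier that is given the CRL.

```sh
#!/bin/sh
# Added example: throwaway CA in a temp directory. All names are constructed.
demo_ca() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir private newcert crl        # directories named as in the text
    : > index.txt                    # empty certificate database
    echo 01 > serial                 # next serial number to issue
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
serial = ./serial
new_certs_dir = ./newcert
certificate = ./demo-CA.crt.pem
private_key = ./private/demo-CA.key.pem
default_days = 30
default_crl_days = 7
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    q="-config ca.cnf -batch"
    # CA certificate, then a key and request (-nodes: unencrypted keys, demo only)
    openssl req $q -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Demo CA" \
        -keyout private/demo-CA.key.pem -out demo-CA.crt.pem -days 30 2>/dev/null || exit 1
    openssl req $q -new -nodes -newkey rsa:2048 -subj "/CN=blah.example" \
        -keyout blah.key.pem -out blah.req.pem 2>/dev/null || exit 1
    # Sign the request, revoke the result, publish a CRL
    openssl ca $q -out blah.crt.pem -in blah.req.pem 2>/dev/null || exit 1
    openssl ca $q -revoke blah.crt.pem 2>/dev/null || exit 1
    openssl ca $q -gencrl -out crl/demo-CA.crl 2>/dev/null || exit 1
    # A verifier that is not handed the CRL still accepts the revoked certificate
    v="openssl verify -CAfile demo-CA.crt.pem"
    nocrl=$($v blah.crt.pem >/dev/null 2>&1 && echo ok || echo fail)
    crl=$($v -crl_check -CRLfile crl/demo-CA.crl blah.crt.pem >/dev/null 2>&1 && echo ok || echo revoked)
    out="$(cut -c1 index.txt) $nocrl $crl"   # index.txt status: V valid, R revoked
    cd / && rm -rf "$d"
    echo "$out"
)
demo_ca    # prints: R ok revoked
```

The three fields are the index.txt status flag, the verify result without the CRL, and the verify result with -crl_check.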
Command-line Tricks
Simple file encryption
openssl enc -bf -A -in file_to_encrypt.txt
(password will be prompted)
Simple file decryption
openssl enc -bf -d -A -in file_to_encrypt.txt