====== OpenSSL Commands ======
Most tasks can be done using the ''%%gen-webserver-key.pl%%'' perl script. It creates all the files needed to request a certificate or to create a self-signed certificate.
The usage is very simple; just execute ''%%perl gen-webserver-key.pl --help%%'':
<code>
gen-webserver-key.pl --host|-h [ --privat|-p ] [ --bits|-k ]
[ --sha|-s ] [ --java|-j ] [ --interactive|-i ] [ --verbose|-v ] [ --preview ] [ --email|-e ]
or
gen-webserver-key.pl --useold|-o [ -p ]
gen-webserver-key.pl --viewcsr
gen-webserver-key.pl --viewkey
gen-webserver-key.pl --viewcrt
gen-webserver-key.pl --privat [ --java ]
gen-webserver-key.pl --cisco [ --rootca ] [ --interca ]
gen-webserver-key.pl --ldap [ --privat ]
gen-webserver-key.pl --cacert
gen-webserver-key.pl --pemca
gen-webserver-key.pl --domain|-d
gen-webserver-key.pl --combine
gen-webserver-key.pl --convert|-c
--viewcrt => Just view the content of signed certificate
--viewkey => Just view the content of ssl key file
--viewcrs => Just view the content of the unsigned server certificate
--useold => Generate a privat cert or official cert request using the old key
--privat => just creates a privat certification from existing privat key, if -p option given, the cert is privat!
--domain => overwrites the example.com default
--java => generates the PKCS12 encoded file for java keystores
--interactive => enables interactive mode, password and all certificate request data must be entered
--cisco => Generate the CISCO specific PKCS12 file, you must first generate the certificate request
--ldap => Creates the need certs for ldap server setup (in PEM format)
--cacert => Creates the cacert after cert request (needed, if not a privat certificat was requested for PEM, ldap)
--pemca => Creates the pem CA certificate file for openssl connections (opensll s_client ...), only for private certs!
--combine => Just combines the crt (PEM) and the key file to one chain.pem file.
-k => Default is '2048'
--sha => SHA encryption algorithm, default is (sha1), possible values [sha sha1 sha224 sha256 sha384 sha512].
Note: Password for all certs is 'password'
Note: For F5 certificates, standard key and crt (PEM) are OK, the password is 'password' to load it in F5
</code>
**Important note:** Since 2016 certificate requests must be signed with the sha256 algorithm; see the ''%%--sha%%'' option of the script!
===== Certificate generation =====
==== Generate a new private key and certificate signing request (CSR) ====
<code bash>
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
</code>
==== Generate a self-signed certificate ====
<code bash>
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
</code>
==== Generate a certificate signing request (CSR) for an existing private key ====
<code bash>
openssl req -out CSR.csr -key privateKey.key -new
</code>
==== Generate a certificate signing request based on an existing certificate ====
<code bash>
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
</code>
==== Remove a passphrase from a private key ====
<code bash>
openssl rsa -in privateKey.pem -out newPrivateKey.pem
</code>
===== Checking using OpenSSL =====
If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
==== Check a certificate signing request (CSR) ====
<code bash>
openssl req -text -noout -verify -in CSR.csr
</code>
==== Check a private key ====
<code bash>
openssl rsa -in privateKey.key -check
</code>
==== Check a certificate ====
<code bash>
openssl x509 -in certificate.crt -text -noout
</code>
==== Check a PKCS#12 file (.pfx or .p12) ====
<code bash>
openssl pkcs12 -info -in keyStore.p12
</code>
==== Check start and end dates ====
<code bash>
openssl s_client -host -port 2>/dev/null | openssl x509 -noout -dates
</code>
===== Debugging using OpenSSL =====
If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
==== Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key ====
<code bash>
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
</code>
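As an added example (not part of the original page), the three modulus checks above wrapped in a small shell function that reports whether a key, certificate and CSR belong together. The key, certificate and CSR it tests are constructed on the fly with the commands from the Certificate generation section, plus a second unrelated key to show a mismatch being caught; all file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: compare the RSA modulus of a
# certificate, a private key and (optionally) a CSR the way the three
# "openssl ... -modulus | openssl md5" pipelines do, and report the result.
set -u

# Print the md5 of the "Modulus=..." line, exactly as the page's pipelines do.
modulus_md5() {  # $1 = openssl subcommand (x509|rsa|req), $2 = file
  mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$mod" ] || return 1          # unreadable file or non-RSA key
  printf '%s\n' "$mod" | openssl md5 | awk '{print $NF}'
}

# 0 = key, cert (and CSR) share one modulus; 1 = mismatch; 2 = unreadable input
check_key_cert_match() {  # $1 = private key, $2 = certificate, [$3 = CSR]
  key_md5=$(modulus_md5 rsa "$1") || return 2
  crt_md5=$(modulus_md5 x509 "$2") || return 2
  [ "$key_md5" = "$crt_md5" ] || return 1
  if [ $# -ge 3 ]; then
    csr_md5=$(modulus_md5 req "$3") || return 2
    [ "$csr_md5" = "$key_md5" ] || return 1
  fi
  return 0
}

# Constructed demo material in a temp dir: one matching key/cert/CSR set built
# with the page's own commands, plus a second, unrelated key.
demo_dir=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=demo.example.com" \
  -keyout "$demo_dir/privateKey.key" -out "$demo_dir/certificate.crt" 2>/dev/null
openssl req -new -subj "/CN=demo.example.com" -key "$demo_dir/privateKey.key" \
  -out "$demo_dir/CSR.csr" 2>/dev/null
openssl genrsa -out "$demo_dir/other.key" 2048 2>/dev/null

if check_key_cert_match "$demo_dir/privateKey.key" "$demo_dir/certificate.crt" "$demo_dir/CSR.csr"; then
  echo "key, certificate and CSR share the same modulus"
fi
if ! check_key_cert_match "$demo_dir/other.key" "$demo_dir/certificate.crt"; then
  echo "other.key does NOT belong to certificate.crt"
fi
```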
==== Check an SSL connection. All the certificates (including Intermediates) should be displayed ====
<code bash>
openssl s_client -connect www.paypal.com:443
</code>
===== Converting Using OpenSSL =====
These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.
==== Convert a DER file (.crt .cer .der) to PEM ====
<code bash>
openssl x509 -inform der -in certificate.cer -out certificate.pem
</code>
==== Convert a PEM file to DER ====
<code bash>
openssl x509 -outform der -in certificate.pem -out certificate.der
</code>
==== Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM ====
<code bash>
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
</code>
You can add ''%%-nocerts%%'' to only output the private key or add ''%%-nokeys%%'' to only output the certificates.
==== Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12) ====
<code bash>
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
</code>
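The PKCS#12 export and the ''%%-nokeys%%''/''%%-nocerts%%'' extraction from the two conversions above as an added, runnable example (not code from the original page): it bundles a constructed self-signed key/cert pair into a .pfx, unpacks it again and verifies that nothing was lost. File names and the export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: round-trip a PEM key + cert
# through PKCS#12 with the commands from this section and prove the bundle
# really contains the original key and certificate.
set -u

# Pack key + cert into a PKCS#12 bundle. The export password is given with
# -passout (pass:, file: or env: sources); it is the password you later type
# when loading the file into a keystore (F5, Tomcat, IIS, Java).
pem_to_p12() {  # $1 = key, $2 = cert, $3 = output .pfx, $4 = export password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# Unpack: certificates only (-nokeys) or the unencrypted private key only (-nocerts -nodes).
p12_certs() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null; }
p12_key()   { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null; }

# Returns 0 only if the certificate inside the bundle has the same SHA-256
# fingerprint as the original PEM file and the unpacked key has the same
# modulus as the original key; a wrong password or a foreign bundle gives 1.
p12_roundtrip_ok() {  # $1 = key, $2 = cert, $3 = .pfx, $4 = password
  orig_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null)
  p12_fp=$(p12_certs "$3" "$4" | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  orig_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  p12_mod=$(p12_key "$3" "$4" | openssl rsa -noout -modulus 2>/dev/null)
  [ -n "$orig_fp" ] && [ "$orig_fp" = "$p12_fp" ] &&
    [ -n "$orig_mod" ] && [ "$orig_mod" = "$p12_mod" ]
}

# Constructed demo: a throwaway self-signed pair made with the page's own command.
demo_dir=$(mktemp -d)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=demo.example.com" \
  -keyout "$demo_dir/privateKey.key" -out "$demo_dir/certificate.crt" 2>/dev/null
pem_to_p12 "$demo_dir/privateKey.key" "$demo_dir/certificate.crt" \
  "$demo_dir/certificate.pfx" 'demo-password'
if p12_roundtrip_ok "$demo_dir/privateKey.key" "$demo_dir/certificate.crt" \
     "$demo_dir/certificate.pfx" 'demo-password'; then
  echo "certificate.pfx contains the original key and certificate"
fi
```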