OpenSSL JumpStart for private use, e.g. a LAN or private servers.

Create CA

Generate CA Private Key
openssl genrsa -out ca.key 4096
Self Sign CA (5 years)
openssl req -new -x509 -sha256 -days 1826 -key ca.key -out ca.crt

Create Certificate Request

Create a Private Key
openssl genrsa -out user.key 4096
Create a certificate request
openssl req -new -key user.key -out user.csr

Signing Requests

Process the request and get it signed by the CA
openssl x509 -req -days 730 -sha256 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
Sign using v3 extension file
openssl x509 -req -days 730 -sha256 -in user.csr -extfile v3.txt -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt

Create Extension File

basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server1.exam
DNS.2 = mail.exam
DNS.3 = www.examp
DNS.4 = b.exam
DNS.5 = mx.exampl
DNS.6 = support.exam
IP.1 = 192.168.0.100
URI.1 = https://www.myexam
Put this text in a file, modify it to reflect your site's needs and save it as v3.txt. The [alt_names] section header is required: subjectAltName = @alt_names refers to it by name, and openssl x509 fails with a missing-section error without it.

Checking Certificates

Dump the Certificate
openssl x509 -in user.crt -text -noout
Check Purpose
openssl x509 -purpose -in user.crt -inform PEM
Inspect Certificate Request
openssl req -text -noout -verify -in user.csr
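The Create CA, Signing Requests, Create Extension File and Checking Certificates steps above, chained into one script as an added example (not part of the cheat sheet). The CA name, server1.lan and 192.168.0.100 are constructed values; -subj replaces the interactive prompts, and -CAcreateserial is used instead of -set_serial 01 so that every certificate the CA issues gets a distinct serial number.

```shell
#!/bin/sh
# Added example: end-to-end private CA flow with a SAN certificate.
# Constructed names: "Example Private CA", server1.lan, 192.168.0.100.
set -eu

# issue_server_cert WORKDIR
# Creates the CA, a server key and CSR, signs the CSR with the v3
# extension file and verifies the result. Runs in a subshell so the
# caller's working directory is unchanged. Returns non-zero on any failure.
issue_server_cert() (
  mkdir -p "$1" && cd "$1"

  # CA key and self-signed CA certificate (5 years); -subj avoids prompts.
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 1826 -key ca.key -out ca.crt \
    -subj "/CN=Example Private CA"

  # Server key and certificate request.
  openssl genrsa -out user.key 4096 2>/dev/null
  openssl req -new -key user.key -out user.csr -subj "/CN=server1.lan"

  # Extension file: the [alt_names] section header is required by @alt_names.
  cat > v3.txt <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server1.lan
IP.1 = 192.168.0.100
EOF

  # -CAcreateserial keeps a counter in ca.srl, so each issued certificate
  # gets a unique serial; -set_serial 01 would reuse the same one every time.
  openssl x509 -req -days 730 -sha256 -in user.csr -extfile v3.txt \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt

  # Checks: the chain verifies against the CA, the SAN and the
  # CA:FALSE constraint actually made it into the signed certificate.
  openssl verify -CAfile ca.crt user.crt >/dev/null
  openssl x509 -in user.crt -noout -text | grep -q 'DNS:server1.lan'
  openssl x509 -in user.crt -noout -text | grep -q 'CA:FALSE'
)

# Usage: sh pki.sh ./pki
if [ $# -eq 1 ]; then
  issue_server_cert "$1" && echo "issued $1/user.crt"
fi
```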

Export Certificate

Export as PKCS12 (PFX)
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
Export as PKCS12 including the CA certificate
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
Export as PKCS7 (P7B)
openssl crl2pkcs7 -nocrl -certfile user.crt -out certificate.p7b
Convert PFX to PEM
openssl pkcs12 -in user.pfx -out user.crt -nodes
When converting PFX to PEM, openssl writes all the certificates and the private key into a single file; because of -nodes, the private key is written unencrypted.
Open the file in a text editor and copy each certificate and the private key (including the BEGIN/END lines)
into its own file, saved as certificate.cer, CAcert.cer and privateKey.key respectively.
