Useful commands for generating SSL keys, CSRs and certificates with the OpenSSL tool.
Working with SSL Private Keys
Generate an unencrypted private key (no password)
# Key size: 2048 bits
# Key file: self-ssl.key
openssl genrsa -out self-ssl.key 2048
Generate (batch) an encrypted private key, taking the password from a password file
# Key encryption: AES256
# Key file: self-ssl.key
# Password file: pass.txt
# Key size: 2048 bits
openssl genrsa -aes256 -out self-ssl.key -passout file:pass.txt 2048
Working with SSL CSRs [.csr] (Certificate Signing Requests)
Creating CSR.conf for CSR generation automation
Creating your own CSR config lets you predefine default values, field constraints and prompt hints that are used later when generating the CSR.
With predefined defaults you can also batch-create CSRs with the appropriate values.
# vim csr.conf
[ req ]
default_bits = 4096
default_keyfile = self-ssl.key
distinguished_name = req_distinguished_name
dirstring_type = nobmp

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = BG
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Sofia
localityName = Locality Name (eg, city)
localityName_default = Sofia
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = gryzli.info
organizationName = Organization Name (eg, company)
organizationName_default = SuperHosting.BG
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = gryzli.info
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = none@example.com
Generate a new CSR using an already existing key
# -nodes: do not encrypt the key (only matters when req generates a new one)
# existing.key - the already existing key file
# new.csr - the name of the newly created CSR file
openssl req -nodes -new -key existing.key -out new.csr
Read an existing CSR file
# existing.csr is the name of the CSR file you want to read
openssl req -text -noout -in existing.csr
Working with SSL Certificates [.crt]
Generate an SSL certificate from an existing CSR and key
# Existing CSR: server.csr
# Existing key: server.key
# Newly generated certificate: server.crt
# Validity period: 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Check whether an existing SSL certificate matches an existing key file
# Get the SSL certificate modulus
openssl x509 -noout -modulus -in existing.crt
# Get the key modulus
openssl rsa -noout -modulus -in existing.key
# The two modulus values must be identical for the key to belong to the certificate
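The modulus comparison above done as a script, as an added example that is not part of the original post. It also shows a public-key comparison that works for non-RSA keys as well; all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: check that a private key belongs to a certificate.
# key_matches_cert uses the RSA modulus comparison from the post;
# pubkey_matches_cert compares the full public key (RSA, EC, Ed25519 alike).
set -eu

# Exit status 0 only when the RSA modulus of CERT equals that of KEY.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Same check via the PEM public key; no hashing, so a failed command cannot
# produce two identical empty values and a false match.
pubkey_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo material: one self-signed pair (a.key/a.crt) and an
# unrelated key (b.key) so both outcomes of the check can be shown.
make_demo_material() {
    dir=$1
    openssl req -batch -nodes -newkey rsa:2048 -x509 -days 1 \
        -subj "/CN=demo.example" -keyout "$dir/a.key" -out "$dir/a.crt" 2>/dev/null
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_material "$DEMO_DIR"

for key in a.key b.key; do
    if key_matches_cert "$DEMO_DIR/a.crt" "$DEMO_DIR/$key"; then
        echo "$key matches a.crt"
    else
        echo "$key does NOT match a.crt"
    fi
done
```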
Batch creation of an SSL key and certificate
This is a one-liner for creating a self-signed SSL key and SSL certificate:
# Runs in unattended batch mode
# Key length: 2048 bits
# Certificate validity period: 365 days
# [-nodes]: no password protection for the key
# New key file: self-ssl.key
# New certificate file: self-ssl.crt
openssl req -batch -nodes -newkey rsa:2048 -x509 -days 365 -keyout self-ssl.key -out self-ssl.crt