OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1.0 to v1.2; TLS v1.3 from OpenSSL 1.1.1 on) network protocols and the cryptography standards they require. SSL v2 and v3 are broken and are removed or disabled in current OpenSSL builds; they are listed only for completeness.
The openssl program is a command line tool for using the various cryptography functions of
OpenSSL's crypto library from the shell. For instance, it can be used for
- Creation and management of private keys, public keys and parameters
- Public key cryptographic operations
- Creation of X.509 certificates, CSRs and CRLs
- Handling of S/MIME signed or encrypted mail
General OpenSSL Commands
- Generate RSA-Key
openssl genrsa -aes256 -out key.pem 2048
- Show an RSA key in human-readable form (-noout suppresses the PEM output, so only the decoded key is printed)
openssl rsa -in key.pem -text -noout
- Store a key encrypted with a passphrase (for example with aes256)
openssl rsa -aes256 -in key.pem -out key_encrypted.pem
- Remove a passphrase from a private key
openssl rsa -in key.pem -out key_without_passphrase.pem
- Convert a certificate from DER to PEM (use a different output file name; reading and writing the same file in one call is unsafe)
openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM
- Write random bytes to a file (here 1,000,000 bytes, e.g. as a seed file for the OpenSSL RNG)
openssl rand -out /etc/ssl/private/.rand 1000000
Check the information within a Certificate, CSR or Private Key.
- Check a Certificate Signing Request (CSR) - (.csr or .pem)
openssl req -text -noout -verify -in CSR.csr
- Check a private key
openssl rsa -in privateKey.key -check
- Check a certificate
openssl x509 -in certificate.crt -text -noout
- Verify a certificate chain (with the certificate and a CA file)
openssl verify -verbose -CAfile cacert.pem newcert.pem
- Check a PKCS file (.pfx or .p12)
openssl pkcs12 -info -in keyStore.p12
Create a Certificate Signing Request for a Server at GSI (PKCS#10)
To create a CSR you can use the following command:
Alternatively you can generate the RSA key and the CSR separately:
- Generate a new RSA key (encrypted with a passphrase; the options need leading dashes)
openssl genrsa -aes256 -out key.pem 2048
- Generate a certificate signing request (CSR) for a server at GSI from an existing private key
openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Department (optional)>/CN=<FQDN>/emailAddress=<e-mail address of the server administrator>'
- Generate a CSR for a server at GSI from an existing private key with an additional DNS name (subjectAltName). Clients validate the host name against the SAN, not the CN, so list the FQDN from the CN in the SAN as well. The -addext option exists from OpenSSL 1.1.1 on; with older versions the extension has to be set in a config file passed with -config.
openssl req -batch -sha256 -new -key key.pem -out request.pem -subj '/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH/OU=<Department (optional)>/CN=<FQDN>/emailAddress=<e-mail address of the server administrator>' -addext "subjectAltName = DNS:<FQDN>, DNS:<AlternativeName>.gsi.de"
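The following script is an added example and not part of the original page or of any GSI tooling. It combines the two steps above into one openssl call (key and CSR with subjectAltName generated together) and then runs the checks from the "Check the information" section before the request is sent to the CA: the CSR's self-signature verifies, the CSR's public key belongs to the generated private key, and the SAN contains the expected names. It assumes OpenSSL 1.1.1 or later (for -addext) and a default openssl.cnf on the system; the host names, the OU value and the e-mail address are hypothetical placeholders, the remaining DN fields are the ones given on this page.

```shell
#!/bin/sh
# Added example (not from the original page): key + CSR in one step,
# followed by the pre-submission checks. Requires OpenSSL >= 1.1.1.
set -eu

# DN prefix as given on this page; OU, CN and emailAddress are filled per host.
DN_PREFIX='/C=DE/ST=Hessen/L=Germany/O=GSI Helmholtzzentrum fuer Schwerionenforschung GmbH'

# gsi_csr DIR FQDN ALTNAME
# Writes DIR/key.pem (2048-bit RSA, unencrypted because of -nodes) and
# DIR/request.pem. The CN is repeated in the SAN because clients validate
# the host name against the SAN, not the CN.
gsi_csr() {
    dir=$1
    fqdn=$2
    alt=$3
    openssl req -batch -sha256 -new -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/request.pem" \
        -subj "$DN_PREFIX/OU=IT/CN=$fqdn/emailAddress=server-admin@example.org" \
        -addext "subjectAltName = DNS:$fqdn, DNS:$alt"
}

# csr_ok FILE: the self-signature of the CSR verifies (same as "-verify" above)
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_has_dns FILE NAME: the decoded CSR lists DNS:NAME in its SAN extension
csr_has_dns() {
    openssl req -in "$1" -noout -text | grep -Fq -- "DNS:$2"
}

# key_matches_csr KEY CSR: the public key embedded in the CSR is the one
# derived from KEY (catches a CSR generated from the wrong key file)
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Usage: sh gsi_csr.sh OUTDIR FQDN ALTNAME
if [ "$#" -eq 3 ]; then
    gsi_csr "$1" "$2" "$3"
    if csr_ok "$1/request.pem" && key_matches_csr "$1/key.pem" "$1/request.pem" \
            && csr_has_dns "$1/request.pem" "$3"; then
        echo "CSR checks passed: $1/request.pem"
    else
        echo "CSR checks FAILED" >&2
        exit 1
    fi
fi
```

The script writes the private key unencrypted (-nodes) so that it can run unattended; to store the key with a passphrase as in the genrsa examples above, drop -nodes and openssl will prompt for one, or encrypt the key afterwards with openssl rsa -aes256. On OpenSSL 3.x -nodes still works but prints a deprecation notice in favour of -noenc.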
Create and work with PKCS files (.pfx or .p12)
Links
--
IlonaNeis - 2018-02-07