Get into the correct directory:
cd /etc/pki/tls/certs
Generate the key:
openssl genrsa -des3 -out mike.key 4096
chmod 600 mike.key
Generate the signing request:
openssl req -new -key mike.key -out mike.csr
chmod 600 mike.csr
Get the CA to sign the request:
openssl x509 -req -days 10000 -in mike.csr -out mike.cert \
-CA /etc/pki/tls/certs/army.ca/Army.ca_CA.cer \
-CAkey /etc/pki/tls/certs/army.ca/Army.ca_CA.key -CAcreateserial
Export the key and cert as a PKCS#12 bundle:
openssl pkcs12 -export -in mike.cert -inkey mike.key -out mike.p12
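The key, CSR and signing steps above can be rehearsed end to end before touching the real CA. This is an added example, not part of the original page: it runs the same sequence in a scratch directory against a throwaway CA, then checks that the cert chains to that CA, that it matches the private key, and that the key on disk is still passphrase-protected. The subjects, passphrase, 2048-bit keys, 30-day lifetimes and -aes256 (in place of -des3) are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example: rehearse key -> CSR -> CA-signed cert in a scratch directory.
# Subjects, passphrase, key size and lifetimes are constructed for the demo.

issue_and_check() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077                       # new key files are owner-only
        pw='pass:demo-only-passphrase'  # constructed; prompt for it in real use

        # Throwaway CA standing in for the real CA cert and key.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj '/CN=Scratch Test CA' -keyout ca.key -out ca.crt \
            2>/dev/null || exit 1

        # Same sequence as above, non-interactive (-aes256 in place of -des3).
        openssl genrsa -aes256 -passout "$pw" -out mike.key 2048 \
            2>/dev/null || exit 1
        openssl req -new -key mike.key -passin "$pw" \
            -subj '/CN=mike.example.test' -out mike.csr || exit 1
        openssl x509 -req -days 30 -in mike.csr -out mike.cert \
            -CA ca.crt -CAkey ca.key -CAcreateserial 2>/dev/null || exit 1

        # Check 1: the cert chains to the CA that was meant to sign it.
        openssl verify -CAfile ca.crt mike.cert >/dev/null 2>&1 || exit 2

        # Check 2: the cert carries the public half of this private key.
        key_pub=$(openssl rsa -in mike.key -passin "$pw" -pubout 2>/dev/null |
            openssl sha256)
        crt_pub=$(openssl x509 -in mike.cert -noout -pubkey | openssl sha256)
        [ "$key_pub" = "$crt_pub" ] || exit 3

        # Check 3: the key on disk is encrypted (a wrong passphrase must fail).
        if openssl rsa -in mike.key -passin pass:wrong -noout 2>/dev/null; then
            exit 4
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

issue_and_check && echo "chain, key match and key encryption: OK"
```

The function's exit status identifies the failing stage: 1 for setup, 2 for the chain check, 3 for a key/cert mismatch, 4 for an unencrypted key.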
Other OpenSSL Tricks
To strip the passphrase from a key (i.e. decrypt it; the output file is an unencrypted private key, so restrict its permissions):
openssl rsa -in mike.key -out mike-nopass.key
To display a cert's contents:
openssl x509 -text -in mike.cert
Create a PEM file with key and cert included:
cat mike-nopass.key mike.cert > mike.pem
Verify that a cert is ok to use as an HTTPS cert:
openssl verify -purpose sslserver -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/Milnet_HTTP.crt
Creating a new CA
- cd /etc/pki/CA
- openssl req -config ../tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ArmyCA.key -out certs/ArmyCA.crt -days 5000
- chmod 400 private/ArmyCA.key
- cd private
- ln -s ArmyCA.key cakey.pem
- cd ..
- ln -s certs/ArmyCA.crt cacert.pem
- openssl req -config ../tls/openssl.cnf -new -nodes -keyout private/Milnet_HTTP.key -out Milnet_HTTP.csr -days 5000
- openssl ca -config ../tls/openssl.cnf -policy policy_anything -out certs/Milnet_HTTP.crt -infiles Milnet_HTTP.csr
- cat certs/Milnet_HTTP.crt private/Milnet_HTTP.key > private/Milnet_HTTP-key-cert.pem