OpenSSL HOWTO
Intro
Written on 12/12/2010, translated on 01/05/2015.
OpenSSL is the all-purpose command-line toolkit to encrypt, decrypt and authenticate files, text, ...
Why SSL Certificates
Even if a communication is encrypted, you still cannot be sure of your correspondent's identity.
That is where Certificate Authorities come in. A CA owns a private key with which it signs the certificate requests you submit to it.
As a result, you get a personal certificate, bound to your own private key, signed by an authority your correspondents trust.
On Firefox, you can see root certificates (CA) under
Tools / Options / Advanced / Display certificates / Authorities
Generating certificates
Private key
Use the following command :
openssl genrsa -des3 -out privatekey.pem 1024
genrsa : the command to generate an RSA key
-des3 : encrypt the generated key file with Triple DES. The key itself is RSA; this option only protects the file on disk (today -aes256 is the better choice)
-out : followed by the output filename
1024 : the size of the key in bits. The default was 512 in the OpenSSL of 2010; 1024 is too weak now, use 2048 or more
Because of -des3, OpenSSL will prompt for a passphrase and encrypt the key file with it. Without -des3 the key is written in clear.
You can display your generated key with :
openssl rsa -in privatekey.pem
(it asks for the passphrase and prints the key, unencrypted, on stdout; add -text -noout to see the key's components instead of the PEM block).
Certificate Authority generation
Create the self-signed CA certificate with the following command :
openssl req -new -x509 -days 3650 -key privatekey.pem -out cacert.crt
Fill in the form (country, organisation name, email...). The Common Name you enter becomes the CA's name.
req : the certificate request generator
-new : a new certificate request
-x509 : output a self-signed certificate instead of a request (a request is what clients send to the CA)
-days : number of days the certificate is valid
-key : which private key to use
-out : the filename of the certificate
Certificate request
Quite the same command as in the previous section, but without -x509 and with the requester's own private key (generate it with genrsa as above). -days is not needed here: it is ignored for a request, the CA sets the validity period when it signs.
openssl req -new -key mysecondprivatekey.pem -out mycert.csr
Signing a certificate
openssl x509 -req -in mycert.csr -out mycert.crt -CA cacert.crt -CAkey privatekey.pem -CAcreateserial -days 3650
x509 : the certificate manager
-req : the input is a certificate request, not a certificate
-CA : the certificate of the issuing Authority
-CAkey : the CA's private key (you will be asked for its passphrase)
-CAcreateserial : creates the serial number file (cacert.srl) if it does not exist yet; every certificate issued by a CA must carry a unique serial number
-days : validity period of the issued certificate