OSHIM's Blog: How to generate SSL key in pem format

Monday, June 20, 2011

How to generate SSL key in pem format

Make a new ssl private key:
- Generate a new unencrypted rsa private key in PEM format:
```
openssl genrsa -out privkey.pem 1024
```
  You can create an encrypted key by adding the -des3 option.
To make a self-signed certificate:
- Create a certificate signing request (CSR) using your rsa private key:
```
openssl req -new -key privkey.pem -out certreq.csr
```
  ( This is also the type of CSR you would create to send to a root CA for them to sign for you. )
- Self-sign your CSR with your own private key:
```
openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
```
To make a certificate signed by your own certificate authority (CA):
- Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
```
vi /etc/ssl/openssl.cnf
    /usr/lib/ssl/misc/CA.pl -newca
```
  Your copy of openssl.cnf and CA.pl may be located elsewhere.
- Create an unsigned certificate using your rsa private key:
```
openssl req -new -x509 -key privkey.pem -out cert.pem
```
- Use your private key and your certificate to make a CSR:
```
cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
```
- Sign the certificate with the CA private key using the CSR you just made:
```
openssl ca -in certreq.csr -out newcert.pem
    rm -f certreq.csr
```
To install the signed certificate and private key for use by an ssl server:
- The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:
```
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
    ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0   # dot-zero
```
  ( The server.pem is a PEM file that can be used by apache along with the hash file. )
You can view the contents of a CSR with:
```
openssl req -noout -text -in certreq.csr
```
You can view the contents of a certificate with:
```
openssl x509 -noout -text -in newcert.pem
```
You can display the MD5 fingerprint of a certificate with:
```
openssl x509 -fingerprint -noout -in newcert.pem
```
You can verify that your private key, CSR, and signed cert match by comparing:
```
openssl rsa -noout -modulus -in privkey.pem |openssl md5
openssl req -noout -modulus -in certreq.csr |openssl md5
openssl x509 -noout -modulus -in newcert.pem |openssl md5
```

Pages

OSHIM's Blog

Monday, June 20, 2011

How to generate SSL key in pem format

Make a new ssl private key:

To make a self-signed certificate:

To make a certificate signed by your own certificate authority (CA):

To install the signed certificate and private key for use by an ssl server:

0 comments:

Post a Comment

About Me

My Résumé

TVI Express

Yahoo!

Career Inventory Test Results

Labels

Blog Archive

Followers

Country Flag

Live Traffic