OpenSSL is a useful utility for dealing with certificates and RSA keys. I frequently use it to generate and verify SSL certificates and to generate public/private key pairs. This article collects some commonly used OpenSSL commands.
Generate RSA Key Pair
This command generates a 2048-bit RSA private key and writes it to example.key in PEM format. The key is written unencrypted, so restrict the file's permissions and keep it off shared systems.
openssl genrsa -out example.key 2048
Verify that a private key and a public key belong together by comparing the output of the following two commands; they must print the same key. ssh-keygen -e exports the public key of whichever file it is given (a PEM private key or an OpenSSH public key file) in RFC 4716 format, so the outputs are identical only when the files are a pair. The file names are the OpenSSH defaults; substitute your own.
ssh-keygen -yef id_rsa
ssh-keygen -yef id_rsa.pub
Generate Certificate Signing Request (CSR)
A CSR is generated from your private key, but only the CSR is sent to the CA; the private key never leaves your machine, so keep it safe. The command prompts for the subject fields (country, organisation, common name and so on).
openssl req -out example.csr -key example.key -new
Check Certificate Signing Request (CSR) Info
openssl req -in example.csr -noout -text
Generate Self-signed SSL Cert
Both the private key and the CSR are needed to generate a self-signed cert. Choose an appropriate validity period; -days 3650 is ten years. Note that a self-signed cert is not trusted by browsers or other clients until it is explicitly added to their trust store.
openssl x509 -req -days 3650 -in example.csr -signkey example.key -out example.crt
Generate PKCS12 Cert From PEM Cert And Private Key
The -certfile switch takes the CA bundle (intermediate and root certificates) and packages it into the PKCS#12 file together with the key and cert, so the full chain travels as one file; the switch is optional. The command prompts for an export password, which encrypts the private key inside the .pfx.
openssl pkcs12 -export -out example.pfx -inkey example.key -in example.crt -certfile CACert.crt
Convert PKCS7 Cert To PEM Cert
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
Check Certificate Information
This applies to X.509 certs, which are what Apache and other TLS servers use.
openssl x509 -in example.crt -text
View a certificate encoded in PKCS#7 format
openssl pkcs7 -print_certs -in example.p7b
View a certificate and key pair encoded in PKCS#12 format (prompts for the import password)
openssl pkcs12 -info -in example.pfx
Verifying By Comparing Modulus
One private key is used to generate both the CSR and the SSL cert, so the private key, CSR and cert must all carry the same RSA modulus. You can check whether a cert (or CSR) really belongs to a private key by comparing the modulus of each; hashing the output only makes the long hex strings easier to compare by eye. md5 is the macOS command; on Linux use md5sum instead. The -modulus option is only meaningful for RSA keys.
Get hashed modulus of private key
openssl rsa -in example.key -noout -modulus | md5
Get hashed modulus of CSR
openssl req -in example.csr -noout -modulus | md5
Get hashed modulus of cert
openssl x509 -in example.crt -noout -modulus | md5
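The following script is a worked example added here, not code from the original article. It runs the key, CSR, self-signed cert and PKCS#12 steps from the sections above end to end in a scratch directory, then applies the modulus check to every artifact, including the cert pulled back out of the .pfx, and also shows the failure case the check exists for: a cert paired with a key from a different pair. It assumes openssl is on PATH; the subject string, the placeholder export password changeit and the function names modulus_digest, make_chain, check_chain and check_foreign_key are my own choices. It hashes with openssl dgst -sha256 rather than md5 so the same script runs on Linux and macOS.

```shell
#!/bin/sh
# Added example, not part of the original article: build key -> CSR ->
# self-signed cert -> PKCS#12 in a scratch directory and verify that the
# pieces belong together by comparing RSA moduli.
# Assumptions: openssl is on PATH; the subject below is made up so that
# `openssl req` runs without prompting; the PKCS#12 password is a placeholder.
set -eu

SUBJ="/C=US/O=Example Corp/CN=www.example.com"
PFX_PASS="pass:changeit"   # placeholder export password, not a real secret

# Digest of the modulus reported by an openssl subcommand (rsa, req or x509).
# Fails if no modulus comes back, so a broken step cannot produce a false match.
modulus_digest() {
    mod=$(openssl "$1" -in "$2" -noout -modulus) && [ -n "$mod" ] || return 1
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Create example.key, example.csr, example.crt and example.pfx in $1, then
# extract the certificate back out of the PKCS#12 as from_pfx.crt.
make_chain() {
    dir=$1
    openssl genrsa -out "$dir/example.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/example.key" -out "$dir/example.csr" -subj "$SUBJ" &&
    openssl x509 -req -days 3650 -in "$dir/example.csr" \
        -signkey "$dir/example.key" -out "$dir/example.crt" 2>/dev/null &&
    openssl pkcs12 -export -out "$dir/example.pfx" -inkey "$dir/example.key" \
        -in "$dir/example.crt" -passout "$PFX_PASS" &&
    openssl pkcs12 -in "$dir/example.pfx" -clcerts -nokeys \
        -passin "$PFX_PASS" -out "$dir/from_pfx.crt" 2>/dev/null
}

# Prints "match" when key, CSR, cert and the cert recovered from the PKCS#12
# all carry the same modulus, "mismatch" otherwise.
check_chain() {
    dir=$(mktemp -d) || return 1
    make_chain "$dir" &&
    key=$(modulus_digest rsa "$dir/example.key") &&
    csr=$(modulus_digest req "$dir/example.csr") &&
    crt=$(modulus_digest x509 "$dir/example.crt") &&
    pfx=$(modulus_digest x509 "$dir/from_pfx.crt") || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    if [ "$key" = "$csr" ] && [ "$key" = "$crt" ] && [ "$key" = "$pfx" ]; then
        echo match
    else
        echo mismatch
    fi
}

# The failure case the check is for: a certificate paired with the wrong
# private key. Two independent chains are built and the key of one is
# compared against the certificate of the other; prints "mismatch".
check_foreign_key() {
    a=$(mktemp -d) && b=$(mktemp -d) || return 1
    make_chain "$a" && make_chain "$b" &&
    key=$(modulus_digest rsa "$a/example.key") &&
    crt=$(modulus_digest x509 "$b/example.crt") || { rm -rf "$a" "$b"; return 1; }
    rm -rf "$a" "$b"
    if [ "$key" = "$crt" ]; then echo match; else echo mismatch; fi
}

echo "key/CSR/cert/PKCS#12 moduli: $(check_chain)"
echo "key from another pair vs cert: $(check_foreign_key)"
```

Each step is chained with && so that a failing openssl command stops the chain instead of silently producing empty moduli that would compare equal; that is the trap to watch for when scripting this check with md5 or md5sum on a pipeline, since the hash of empty input is the same on every side.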