Home
Download

Open Source

Projects
Patches

System Integration

Notes
SRPMs

Certificate-related notes

Generate

Generate a “CA” certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -extensions v3_ca -nodes -keyout ca.key -out ca.pem
This should result in a certificate with X509v3 Basic Constraints set to CA:TRUE.

Generate a self-signed certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.pem

Generate a PKCS#10 X.509 certificate signing request

Generate a private key:
openssl genrsa -out example.com.key 4096
Produce a corresponding CSR:
openssl req -new -key example.com.key -out example.com.csr
Review the CSR:
openssl req -in example.com.csr -noout -text

Generate a “CA”-signed certificate from a certificate signing request and “CA” certificate/key

openssl x509 -req -sha256 -days 365 -in example.com.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out example.com.pem

Display

Display in human-readable form the contents of a certificate in PEM format

openssl x509 -in example.com.pem -noout -text

Display in human-readable form the contents of a certificate in DER format

openssl x509 -in example.com.der -inform DER -noout -text

Display in human-readable form the contents of a certificate revocation list in DER format

openssl crl -in example.com.crl -inform DER -noout -text

Convert

Convert a PKCS#7 certificate into a X.509 certificate

openssl pkcs7 -print_certs -in example.com.p7p -out example.com.pem

Convert a certificate and private key into a PKCS#12 file

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.pem -certfile ca.pem
Email: www@flyn.org — ✉ 6110 Campfire Court; Columbia, Maryland 21045; USA