OpenSSL

Create Certificates

Configuration file

An example of an OpenSSL configuration file:

ca.conf

[ ca ]
default_ca = ca_default

[ ca_default ]
dir = ./
certs = $dir
new_certs_dir = $dir
database = ca-db-index
serial = ca-db-serial
crlnumber = ca-db-crlnumber
RANDFILE = ca-db-rand
certificate = ca-cert.pem
private_key = ca-key.pem
default_days = 365
default_crl_days = 365
default_md = sha1
preserve = no
policy = generic_policy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=email:foo@fredrik.se

Create CA

  • touch ca-db-index
  • echo 01 > ca-db-serial
  • echo 01 > ca-db-crlnumber

Create RSA CA

  • openssl req -nodes -x509 -newkey rsa:2048 -days 1825 -keyout ca-key.pem -out ca-cert.pem

Create RSA Certificate

  • openssl req -nodes -new -newkey rsa:2048 -keyout server-key.pem -out server.csr
  • openssl ca -config ca.conf -extfile v3.ext -days 1825 -in server.csr -out server-cert.pem

Create ECDSA CA

  • openssl ecparam -name secp384r1 -genkey -noout -out ca-key.pem
  • openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650 -sha384

Create ECDSA Certificate

  • openssl ecparam -name secp384r1 -genkey -noout -out secp384r1-key.pem
  • openssl req -new -key secp384r1-key.pem -nodes -days 1825 -out server.csr
  • openssl ca -config ca.conf -extfile v3.ext -days 1825 -in server.csr -md sha384 -out server-cert.pem

Convert from PEM to DER

  • openssl x509 -in server-cert.pem -out server-cert.cer -outform DER

Create PKCS12 file

  • openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -inkey server-key.pem -in server-cert.pem -CAfile ca-cert.pem -out server.p12

CRL

Create CRL

  • openssl ca -config ca.conf -gencrl -keyfile ca-key.pem -cert ca-cert.pem -out my_crl.pem

Revoke certificates

  • openssl ca -config ca.conf -revoke <certificate-file-to-revoke>

NOTE! Re-run the Create CRL command above afterwards: the revocation is only recorded in the CA database until a new CRL file is generated.

Convert CRL from PEM to DER

  • openssl crl -in my_crl.pem -out my_crl.der -outform DER
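The CA, certificate issuance and CRL steps above, carried through end to end as an added example (not code from the original page): it writes the page's ca.conf and v3.ext into a scratch directory, builds the ECDSA CA, issues one certificate with openssl ca, revokes it, regenerates the CRL, and checks with openssl verify that the certificate is rejected only when the CRL is consulted. It assumes an openssl binary (1.1.1 or later) on PATH; the subjects, the server name, the scratch directory and the small req.conf are constructed for the example, and the embedded ca.conf deviates from the page's in the spots noted in its comment.

```shell
#!/bin/sh
# Added example, not code from the original page: builds the CA the page
# describes, issues one certificate through "openssl ca", revokes it,
# regenerates the CRL and shows that validation rejects the certificate
# only once the CRL is consulted. Subjects and file names are constructed.
set -eu

# write_configs DIR: ca.conf and v3.ext as on the page plus a small req config.
# ca.conf differs from the page in three spots: default_md is sha384, not sha1
# (it only matters when -md is left off the command line), RANDFILE is left
# out, and the policy keeps only the DN field these subjects carry.
write_configs() (
    cd "$1"
    cat > ca.conf <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./
certs = $dir
new_certs_dir = $dir
database = ca-db-index
serial = ca-db-serial
crlnumber = ca-db-crlnumber
certificate = ca-cert.pem
private_key = ca-key.pem
default_days = 365
default_crl_days = 365
default_md = sha384
preserve = no
policy = generic_policy
[ generic_policy ]
commonName = supplied
EOF
    cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=email:foo@fredrik.se
EOF
    # req.conf: no prompts, no reliance on the system openssl.cnf, CA extensions for the root
    cat > req.conf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
)
# build_ca DIR: the page's CA database files and "Create ECDSA CA" commands
build_ca() (
    cd "$1"
    : > ca-db-index; echo 01 > ca-db-serial; echo 01 > ca-db-crlnumber
    openssl ecparam -name secp384r1 -genkey -noout -out ca-key.pem
    openssl req -config req.conf -new -x509 -key ca-key.pem -out ca-cert.pem \
        -days 3650 -sha384 -subj "/CN=Constructed Test CA"
)
# issue_cert DIR NAME: "Create ECDSA Certificate"; -batch skips the interactive confirmations
issue_cert() (
    cd "$1"
    openssl ecparam -name secp384r1 -genkey -noout -out "$2-key.pem"
    openssl req -config req.conf -new -key "$2-key.pem" -subj "/CN=$2" -out "$2.csr"
    openssl ca -config ca.conf -batch -extfile v3.ext -days 1825 -in "$2.csr" -md sha384 -out "$2-cert.pem"
)
# gen_crl DIR: "Create CRL"; re-run after every revocation, as the page notes
gen_crl() ( cd "$1" && openssl ca -config ca.conf -gencrl -keyfile ca-key.pem -cert ca-cert.pem -out my_crl.pem )
# revoke_cert DIR NAME: "Revoke certificates"; only the CA database changes here
revoke_cert() ( cd "$1" && openssl ca -config ca.conf -revoke "$2-cert.pem" )
# verify_cert DIR NAME [crl]: succeed only when "openssl verify" reports OK;
# pass "crl" as the third argument to have the CRL checked as well
verify_cert() (
    cd "$1"
    crl_opts=""
    [ "${3:-}" = crl ] && crl_opts="-crl_check -CRLfile my_crl.pem"
    # $crl_opts is intentionally unquoted so it splits into separate options
    openssl verify -CAfile ca-cert.pem $crl_opts "$2-cert.pem" 2>&1 | grep -q ': OK$'
)
# cert_sigalg DIR NAME: the signature algorithm actually used on the issued certificate
cert_sigalg() (
    cd "$1"
    openssl x509 -in "$2-cert.pem" -noout -text | awk '/Signature Algorithm/ { print $NF; exit }'
)
main() {
    d=$(mktemp -d)
    write_configs "$d"; build_ca "$d"; issue_cert "$d" server; gen_crl "$d"
    echo "issued certificate signed with: $(cert_sigalg "$d" server)"
    verify_cert "$d" server crl && echo "before revocation, CRL checked: OK"
    revoke_cert "$d" server
    verify_cert "$d" server && echo "after revocation, CRL not checked: still OK"
    gen_crl "$d"
    verify_cert "$d" server crl || echo "after revocation, CRL checked: rejected"
    rm -rf "$d"
}
# Run the whole demonstration with:  sh ca-crl-demo.sh demo
if [ "${1:-}" = demo ]; then main; fi
```

Run it with `sh ca-crl-demo.sh demo`. The output makes the point of the NOTE above concrete: between the revoke and the next gencrl, and for any verifier that never loads the CRL at all, the certificate is still accepted, so regenerating and publishing the CRL (and configuring relying parties to check it) is the part that actually enforces the revocation. The `-md sha384` on the signing command is what keeps a `default_md = sha1` in ca.conf from producing a SHA-1 signature; cert_sigalg is the quick way to confirm what was really used.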

Convert PKCS12 to work in FIPS mode

Convert to PEM: openssl pkcs12 -in cert.p12 -out cert.pem

Convert back to PKCS12: openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in cert.pem -out cert.p12
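The conversion above as an added example (not code from the original page), with a check on what each PKCS12 file actually contains: a throwaway self-signed certificate is exported with OpenSSL's default PKCS12 settings, converted with the page's two commands, and `openssl pkcs12 -info` then reports the key and certificate encryption algorithms of both files. It assumes openssl (1.1.1 or later) on PATH; the subject, file names and password are constructed.

```shell
#!/bin/sh
# Added example, not code from the original page: exports a throwaway key and
# certificate as PKCS12 with OpenSSL's defaults, converts the file with the
# page's two-step PBE-SHA1-3DES procedure and prints the algorithms each
# file actually uses. Subject, file names and password are constructed.
set -eu

# make_selfsigned DIR: throwaway RSA key and self-signed certificate (stand-ins
# for server-key.pem / server-cert.pem); the inline req config avoids prompts
make_selfsigned() (
    cd "$1"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\n' > req.conf
    openssl req -config req.conf -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=pkcs12 demo" -keyout cert-key.pem -out cert.pem 2>/dev/null
)

# pkcs12_algs FILE PASS: the key and certificate encryption used inside a .p12
# ("openssl pkcs12 -info" writes these lines to stderr, hence the redirect)
pkcs12_algs() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 \
        | grep -E 'Encrypted data|Keybag' | sort -u
}

# to_fips_pbe IN OUT PASS: the page's conversion, PKCS12 -> PEM -> PKCS12 with
# PBE-SHA1-3DES for both the key and the certificates; the intermediate PEM
# holds the private key unencrypted, so it is removed as soon as the export is done
to_fips_pbe() {
    tmp_pem="${2%.p12}.pem"
    openssl pkcs12 -in "$1" -passin "pass:$3" -nodes -out "$tmp_pem"
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export \
        -in "$tmp_pem" -out "$2" -passout "pass:$3"
    rm -f "$tmp_pem"
}

main() {
    d=$(mktemp -d)
    make_selfsigned "$d"
    # "Create PKCS12 file" without the -keypbe/-certpbe options: OpenSSL's defaults
    openssl pkcs12 -export -inkey "$d/cert-key.pem" -in "$d/cert.pem" \
        -out "$d/default.p12" -passout pass:changeit
    echo "default export:";   pkcs12_algs "$d/default.p12" changeit
    to_fips_pbe "$d/default.p12" "$d/converted.p12" changeit
    echo "after conversion:"; pkcs12_algs "$d/converted.p12" changeit
    rm -rf "$d"
}
# Run the demonstration with:  sh pkcs12-pbe-demo.sh demo
if [ "${1:-}" = demo ]; then main; fi
```

`openssl pkcs12 -info -noout` is the check to run before handing a .p12 to the FIPS-mode consumer: the `Shrouded Keybag` and `PKCS7 Encrypted data` lines name the PBE algorithms, so the effect of the conversion can be confirmed without opening the file on the target system. The intermediate PEM written by the first command holds the private key unencrypted, which is why the function deletes it right after the second export.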

For more information, please see http://www.openssl.org