OpenSSL Certificate Commands & Examples
The script below creates a self-signed certificate from a private key and removes the password from the key so you can use the key pair in Apache.
# Create key and certificate signing request (option -des3 creates a triple DES encrypted key)...
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
# Remove password from key and sign certificate with key...
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Re-encrypt private key...
openssl rsa -des -in server.key.org -out server.key
openssl rsa -aes256 -in server.key.org -out server.key
For convenience you can put all key and signing options in a config file. This way you can also add a subjectAltName to the certificate.
openssl req -new -config server.cnf -key server.key -out server.csr

# server.cnf
[ req ]
default_bits = 4096
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = NL
O = Totietoot
CN = examplefqdn.totietoot.nl
[ req_ext ]
subjectAltName = DNS:examplefqdn.totietoot.nl, DNS:examplealtname.totietoot.nl
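The two steps above put together as an added example that is not part of the original page: a POSIX sh script that generates the key, builds the CSR from a server.cnf like the one above, self-signs it, and then runs the two checks you want before deploying the pair (the key's modulus matches the certificate, and the SAN actually survived). Directory and host names are constructed placeholders; note that `openssl x509 -req` does not copy extensions from the CSR by itself, so the signing step passes the config again with -extfile, otherwise the SAN is silently dropped.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumed inputs: a working
# directory, an FQDN and one alternative name (all constructed names).
set -eu

# make_self_signed DIR FQDN ALTNAME -> writes DIR/server.key and DIR/server.crt
make_self_signed() {
  dir=$1; fqdn=$2; alt=$3
  mkdir -p "$dir"
  # Config mirrors server.cnf above: no prompting, unencrypted key, SAN extension.
  cat > "$dir/server.cnf" <<EOF
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = NL
O = Totietoot
CN = $fqdn
[ req_ext ]
subjectAltName = DNS:$fqdn, DNS:$alt
EOF
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$dir/server.cnf" -key "$dir/server.key" -out "$dir/server.csr"
  # Without -extfile/-extensions, x509 -req drops the CSR's subjectAltName.
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/server.cnf" -extensions req_ext -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT -> exit 0 when both carry the same RSA modulus
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# cert_has_san CRT NAME -> exit 0 when NAME appears as a DNS SAN in the certificate
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Usage: sh thisscript.sh (writes into ./demo-pki)
if [ "${0##*/}" != "sh" ]; then
  make_self_signed ./demo-pki examplefqdn.totietoot.nl examplealtname.totietoot.nl
  key_matches_cert ./demo-pki/server.key ./demo-pki/server.crt && echo "key matches cert"
  cert_has_san ./demo-pki/server.crt examplealtname.totietoot.nl && echo "SAN present"
fi
```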
Use the following command to convert the key pair to PKCS#12 format.
openssl pkcs12 -export -in server.crt -inkey server.key [-name tomcat] -out server.p12 -CAfile chain.pem -caname root -chain
Convert a PKCS#12 file to a Java keystore (JKS):
keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <password> -alias <name>
Decode a certificate request or an X.509 certificate:
openssl req -in server.csr -noout -text
openssl x509 -in server.crt -noout -text
Convert a PFX file to PEM format (single file)…
openssl pkcs12 -in server.pfx -out key-n-certs.pem -nodes
Check certificate and connection using openssl…
openssl s_client -showcerts -connect f.q.d.n:1234
openssl s_client -starttls smtp -showcerts -connect f.q.d.n:25 -servername f.q.d.n
Convert certificate (PEM) to public key…
openssl x509 -inform pem -in certificate.cer -pubkey -noout > pubkey.pem
Add a (CA) certificate to the Java cacerts truststore…
"C:\Java\jdk1.8.0_121\bin\keytool" -import -alias ADCERT-CA-1 -keystore "C:\Java\jdk1.8.0_121\jre\lib\security\cacerts" -trustcacerts -file ADCERT-CA-1.cer