Use OpenSSL To Generate Key Pairs
OpenSSL reads and writes PEM (Base64 between BEGIN/END markers) and DER (raw binary) by default. A .cer file is one of those two encodings, usually DER; if a certificate with that extension will not load, pass -inform DER.
- Use OpenSSL To Generate Key Pairs
- Generate Key Pairs
- Print out the public key
- SSL/TLS Certificate
- Create a CSR - Certificate Signing Request
- Create A Self-signed Certificate
- Create Self-signed Certificate from a CSR (Certificate Signing Request)
- Get Certificate Hash
- Convert certificate From/To PKCS #12 Format
- View Certificate in Human Readable Format
- Encrypt / Decrypt Private Key
- View Certificate Signer
- Verify a Certificate matches a private key
- Revoke Certificate
- HTTP over TLS for Apache HTTP Server (HTTPS)
- Reference
Generate Key Pairs
Use case: use openssl to generate an RSA key pair whose 4096-bit private key is stored encrypted with AES-256.
genrsa
SYNOPSIS
openssl genrsa [-out filename] [-passout arg] [-des] [-des3] [-idea] [-f4] [-3] [-rand file(s)] [-engine id] [numbits]
-des|-des3|-idea
These options encrypt the private key with DES, triple DES or IDEA respectively before it is written out. If none of them is given, the key is written unencrypted. If encryption is requested and no -passout argument is supplied, a pass phrase is prompted for. (All three are legacy ciphers; genrsa also accepts -aes128, -aes192 and -aes256, and -aes256 is what the example below uses.)
numbits
The size of the private key to generate, in bits. This must be the last option given. The default is 512 in the release this synopsis was taken from (OpenSSL 1.1.0 and later default to 2048); a 512-bit RSA key is trivially factorable, so always pass the size explicitly and use at least 2048.
Example
Generate a 4096-bit private key protected by a pass phrase and encrypted with AES-256:
$ openssl genrsa -out key.pem -aes256 4096
Generating RSA private key, 4096 bit long modulus
.......................................................++
......................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
Without a pass phrase (the key file is then readable by anyone who can read the file, so restrict its permissions):
openssl genrsa -out key.pem 4096
NOTE: genrsa is superseded by genpkey
genpkey
SYNOPSIS
openssl genpkey [-out filename] [-outform PEM|DER] [-pass arg] [-cipher] [-engine id] [-paramfile file] [-algorithm alg] [-pkeyopt opt:value] [-genparam] [-text]
To do the same thing with genpkey (an RSA key pair with a 4096-bit private key encrypted with AES-256):
$ openssl genpkey -algorithm RSA -out key.pem -aes-256-cbc -pkeyopt rsa_keygen_bits:4096
....++
.....................................................................................................................................++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
More examples
Generate an RSA private key using default parameters
openssl genpkey -algorithm RSA -out key.pem
Encrypt the output private key with 128-bit AES and the pass phrase "hello" (note that pass:... puts the pass phrase in the process list and shell history; -pass file:... or -pass env:VAR is better for anything real)
openssl genpkey -algorithm RSA -out key.pem -aes-128-cbc -pass pass:hello
Generate a 2048-bit RSA key using 3 as the public exponent (valid, but keep the default 65537 unless you have a specific reason: a small exponent is only safe with correct padding, and some software rejects e=3)
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:3
Remove pass-phrase
# Back up the encrypted key first
cp server.key server.key.secure
# Remove the pass phrase; the new server.key is unencrypted, so make it readable by root only
openssl rsa -in server.key.secure -out server.key
Print out the public key
Output the public key to standard output
$ openssl rsa -in key.pem -pubout
Enter pass phrase for key.pem:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuZqaYQeJeQYh/gM0Vkyv
wI3/Ed7D6tMcTLYDGjJOgPLPodV7axc7vAGxxBm2tw9wX0ySZsXTcP/2R2OiUCBc
ASxjXyT57x+Vf6H4Hww0FWp5H2ObGBA0PwvAAvMIO+TALxeNKVvx6JZ3zf53QT+w
OYQWGesKBDyt13mn7MgXRmeIfHvs98xGI278lTIO0/KXtxj+5VhqQZxvVU+5vlXo
EreHobHrHs3MfVEbW3wxMs0V09wKpjiTSxLPoP3UDPnlwyaL93FYOkCnLo4UpD/U
xqpriF3tso0/bJLPnyUJR4B9Ox7Fga6mqfkhYC15g4QToFC0gfH25xoprYJSjH2H
kJ2cHeKcjZvOV7pZvWQDstQy6p4v0TuuZ7f3nT2S9VLIjHBuumaX0y+ZpTWil3E4
JYyn658ptiYFBVt2ahzAoFAMNBtQak7IKmjmO2t6YMM7Ov5l3c5YpsYaPNXuB/pk
OU0zqQLgKmc4TFiVDO/oOdQrpyCuBFYUcug0yNx3y1K93FgFMNogAN9lLezsTitd
edoKzKWbFSbD5lSpxMWE1ljrTJfshrrhtyc7Ak5UH/DcdsrjkXwJGppOlSk7Haj2
WHCUhcxLdCutDuaNEKW+G4O61i/tindHlWVHjBLWoMqmFzAXUy95sVNwX0HMtIDB
muuwpaPIysYVDXW0ZH3UVbMCAwEAAQ==
-----END PUBLIC KEY-----
Extracting the public key from a RSA key pair
openssl rsa -in key.pem -out public.pem -outform PEM -pubout
For example
$ openssl rsa -in key.pem -out public.pem -outform PEM -pubout
Enter pass phrase for key.pem:
writing RSA key
NOTE: -outform is optional because PEM is the default format.
Alternative
openssl rsa -in key.pem -pubout > public.pem
SSL/TLS Certificate
Create a CSR - Certificate Signing Request
openssl req -new -key key.pem -out cert.csr

# HTTP over TLS for Apache
# server.key is the key pair generated (-des3 is legacy; -aes256 is the better choice today)
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr

Now cert.csr can be sent to the certificate authority if it accepts PEM. If it wants the binary encoding instead, add -outform DER to the req command (such files are often given a .cer or .der extension); there is no separate "CER" encoding.
Create A Self-signed Certificate
Two ways: the first skips the CSR and produces a self-signed certificate straight from the key, the second signs an existing CSR with its own key.

openssl req -new -x509 -key key.pem -out newcert.pem -days 3650

# Sign the CSR using own private key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When the dialogue asks for the Common Name ("e.g. server FQDN or YOUR name"), enter the full host name the certificate is for (www.terry.im or subdomain.terry.im), not a personal name; that is the one confusing prompt. Note that current browsers ignore the Common Name and match the host against the subjectAltName extension, so a CN-only certificate is rejected: add a SAN (-addext "subjectAltName=DNS:www.terry.im" with OpenSSL 1.1.1 or later, or an -extfile with the x509 -req form).

NOTE: In a test environment you may want to remove the pass phrase from the private key, otherwise it has to be entered every time the server is started or restarted. If you do, keep the unencrypted key file readable by root only.
Create Self-signed Certificate from a CSR (Certificate Signing Request)
openssl req -x509 -in cert.csr -key key.pem -out newcert.pem -days 3650

Leave out -new here: with -new, req generates a fresh request and ignores the CSR given with -in, so the subject would be prompted for again instead of taken from cert.csr.
Get Certificate Hash
openssl x509 -noout -hash -in newcert.pem

This is the hash of the subject name, the value used to name the symlinks in a CApath directory (what c_rehash generates); -issuer_hash prints the issuer's.
Convert certificate From/To PKCS #12 Format
openssl pkcs12 -export -in newcert.pem -inkey key.pem -out newcert.p12
PKCS #12 to PEM
openssl pkcs12 -in newcert.p12 -out newcert.pem -nodes -clcerts
-nodes writes the private key unencrypted into newcert.pem, so protect or delete that file afterwards; -clcerts includes only the end-entity certificate, not any CA certificates in the bundle.
View Certificate in Human Readable Format
PEM format
openssl x509 -text -noout -in newcert.pem
PKCS 12 format
openssl pkcs12 -info -nodes -in newcert.p12
Encrypt / Decrypt Private Key
An encrypted private key prompts for its pass phrase whenever it is used.
Encrypt
openssl rsa -aes256 -in unencrypted_key.pem -out encrypted_key.pem
Decrypt (no cipher option on the output side; passing -aes256 here would just re-encrypt the key under a new pass phrase)
openssl rsa -in encrypted_key.pem -out unencrypted_key.pem
View Certificate Signer
openssl x509 -in newcert.pem -noout -issuer -issuer_hash
Verify a Certificate matches a private key
openssl x509 -in newcert.pem -noout -modulus > cert.txt
openssl rsa -in key.pem -noout -modulus > key.txt
colordiff -c cert.txt key.txt
rm cert.txt key.txt

No output from the diff (plain diff works as well) means the moduli are identical and the certificate belongs to the key. This only applies to RSA; for other key types compare the public keys (x509 -pubkey against pkey -pubout) instead.
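The CSR, self-signed certificate, key/certificate check and PKCS #12 steps above, run end to end without any interactive prompt. This is an added example and not part of the original page; it assumes OpenSSL 1.1.0 or later, a writable working directory, and the constructed host name www.example.test and pass phrases below. It also adds the subjectAltName that browsers require and shows that x509 -req drops the request's extensions unless they are supplied again.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL >= 1.1.0.
set -e

HOST="www.example.test"          # constructed host name
KEYPASS="pass:correct horse"     # constructed pass phrase for key.pem
P12PASS="pass:export-secret"     # constructed pass phrase for the .p12
WORKDIR=./tls-demo

# Config shared by `req` (subject, request extensions) and `x509 -req`
# (certificate extensions). prompt = no replaces the interactive dialogue.
write_config() {
    cat > "$WORKDIR/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = $HOST

[ san ]
subjectAltName   = DNS:$HOST
basicConstraints = CA:FALSE
EOF
}

# Key: the genpkey form of the page's genrsa command. 2048 bits keeps the demo
# quick (the page uses 4096); AES-256; pass phrase from -pass, not a prompt.
make_key() {
    openssl genpkey -algorithm RSA -out "$WORKDIR/key.pem" \
        -aes-256-cbc -pass "$KEYPASS" -pkeyopt rsa_keygen_bits:2048
}

# CSR carrying a subjectAltName. Browsers match the host against the SAN and
# ignore the Common Name, so a CN-only certificate is rejected.
make_csr() {
    openssl req -new -config "$WORKDIR/req.cnf" -reqexts san \
        -key "$WORKDIR/key.pem" -passin "$KEYPASS" -out "$WORKDIR/cert.csr"
}

# Self-sign the CSR. `x509 -req` does not carry extensions over from the
# request, so the SAN has to be supplied again through -extfile/-extensions.
sign_csr() {
    openssl x509 -req -days 365 -in "$WORKDIR/cert.csr" \
        -signkey "$WORKDIR/key.pem" -passin "$KEYPASS" \
        -extfile "$WORKDIR/req.cnf" -extensions san -out "$WORKDIR/cert.pem"
}

# Does the certificate belong to the key? Compare the public key from both
# sides (works for any key type, unlike the RSA-only modulus diff).
key_matches_cert() {
    cert_fp=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$WORKDIR/key.pem" -passin "$KEYPASS" -pubout | openssl dgst -sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Did the SAN survive into the certificate?
cert_has_san() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -text | grep -q "DNS:$HOST"
}

# Bundle key and certificate as PKCS #12, then read the certificate back.
export_p12() {
    openssl pkcs12 -export -in "$WORKDIR/cert.pem" -inkey "$WORKDIR/key.pem" \
        -passin "$KEYPASS" -passout "$P12PASS" -out "$WORKDIR/cert.p12"
}
p12_has_cert() {
    openssl pkcs12 -in "$WORKDIR/cert.p12" -passin "$P12PASS" -nokeys -clcerts \
        | openssl x509 -noout -subject | grep -q "$HOST"
}

run_demo() {          # $1 = working directory
    WORKDIR=$1
    mkdir -p "$WORKDIR"
    write_config && make_key && make_csr && sign_csr && export_p12
    key_matches_cert && echo "key and certificate match"
    cert_has_san     && echo "subjectAltName present in certificate"
    p12_has_cert     && echo "PKCS #12 bundle readable"
}

run_demo "${1:-./tls-demo}"
```

Replace the constructed values with your own host name and pass phrases; for production use, read the pass phrases from a file or environment variable rather than putting pass:... on the command line.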
Revoke Certificate
Revocation is a subcommand of openssl ca, and it only works for a certificate that the CA's own database (index.txt) knows about; a self-signed certificate made with the commands above has no CA that could revoke it:

openssl ca -revoke newcert.pem

After revoking, publish a new CRL with openssl ca -gencrl (or update your OCSP responder); until that is done nobody can see the revocation.
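Because openssl ca -revoke needs a CA database behind it, here is the smallest setup that makes revocation observable: a throwaway CA, one issued certificate, a CRL before and after revoking, and openssl verify -crl_check showing the difference. This is an added example, not from the original page; it assumes OpenSSL 1.1.0 or later (for verify -CRLfile), a writable directory, and the constructed names Demo Test CA and www.example.test.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL >= 1.1.0.
set -e

# Create the directory layout and config that `openssl ca` insists on.
setup_ca() {          # $1 = CA directory
    CADIR=${1:-./demo-ca}
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"          # certificate database, must exist (may be empty)
    echo 1000 > "$CADIR/serial"     # next certificate serial, hex
    echo 1000 > "$CADIR/crlnumber"  # next CRL number, hex
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
x509_extensions  = leaf_ext

[ policy_cn_only ]
commonName       = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = Demo Test CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate; -nodes leaves ca.key unencrypted for the demo only.
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$CADIR/ca.key" \
        -config "$CADIR/ca.cnf" -extensions ca_ext -days 365 -out "$CADIR/ca.crt"
}

# Issue a certificate for host $1: CSR, then `openssl ca` records it in index.txt.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$CADIR/$1.key" \
        -config "$CADIR/ca.cnf" -subj "/CN=$1" -out "$CADIR/$1.csr"
    openssl ca -batch -notext -config "$CADIR/ca.cnf" \
        -in "$CADIR/$1.csr" -out "$CADIR/$1.crt"
}

# The CRL is what relying parties actually consult; regenerate it after every change.
publish_crl() {
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem"
}

# Mark $1's certificate revoked in the database and publish a fresh CRL.
revoke_cert() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/$1.crt" -crl_reason keyCompromise
    publish_crl
}

# 0 if $1's certificate chains to the CA and is not listed on the current CRL.
check_cert() {
    openssl verify -crl_check -CAfile "$CADIR/ca.crt" \
        -CRLfile "$CADIR/crl.pem" "$CADIR/$1.crt" >/dev/null 2>&1
}

run_ca_demo() {       # $1 = CA directory
    setup_ca "$1"
    issue_cert www.example.test
    publish_crl
    check_cert www.example.test && echo "before revocation: valid"
    revoke_cert www.example.test
    check_cert www.example.test || echo "after revocation: rejected by crl_check"
}

run_ca_demo "${1:-./demo-ca}"
```

The point to take away is the last two lines of run_ca_demo: revocation is only effective once a new CRL (or OCSP response) is published and the verifier is told to check it; openssl verify without -crl_check would still accept the revoked certificate.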
HTTP over TLS for Apache HTTP Server (HTTPS)
Self signed certificate - HOWTO (Apache)
Snippet for /etc/apache2/conf.d/security (mod_ssl required):

SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
Reference
http://www.openssl.org/docs/apps/genrsa.html
http://www.openssl.org/docs/apps/genpkey.html
http://forums.freebsd.org/showthread.php?t=6490
http://www.perturb.org/display/entry/754/