Disclaimer don't get the wrong idea about what you've found here

What appears below are my personal notes I wish were part of my long-term memory but don't always seem to fit. I strive for accuracy and clarity and appreciate feedback. If applying any of this information anywhere, confirm for youself the correctness of your work as what you see below might very well be, albeit unintentionally, incorrect or misleading. These notes are here as an easy reference for myself.

Information worthy of a more formal presentation will appear elsewhere than this "Scratch" area. - ksb

KSB's OpenSSL Command Line Notes

Table of Contents


RSA public/private key generation, encrypt and decrypt commands

Message Digest commands

Creating a 'mini' Certificate Authority and Generating Certificates

Here's how to create your very own 'mini' certificate authority (CA) and then generate certificates signed by that CA. ('mini' in that it doesn't have all the certificate management bells and whistles of a commercial CA tool. The certs created this way are just as valid and strong as those created with a 'real' CA.)

  1. First, acting as the admin for the CA, create the necessary files for being a CA:
    $ openssl req -x509 -out ca_cert.pem -newkey rsa:1024 -keyout ca_priv_key.pem -days 365

    This command will prompt you for a bunch of information (which could be read from a -config file) and then creates two files: ca_priv_key.pem to hold CA's private key and ca_cert.pem the CA's self-signed certificate. (This steps only needs to be done once per period defined by the -days arg.)

    req => The command used since you are, in effect, requesting a certificate.
    -x509 => Make this a self-signed certificate rather than an actual certificate request. We want this since we are creating a new root CA.
    -out ca_cert.pem => The file to write the CA's certificate to.
    -newkey rsa:1024 => Generate a new 1024-bit RSA key along with this this new certificate request. Since we aren't using a config file all DN information will be prompted for. To use an existing private key replace this with -new -key file.key.
    -keyout ca_priv_key.pem => The file to write the new CA private key to, (encrypted with promted for passphrase).
    -days 365 => Make this cert good for 365 days.

    To look at the cert just created in a human-readable format use the command:

    $ openssl x509 -in ca_cert.pem -text -noout
    x509 => Command to read/write x509 certificates.
    -in ca_cert.pem => The file holding the certificate.
    -text => Output the certificate in a human readable text format.
    -noout => Don't output the encoded form of the request.

    Note that the Issuer and the Subject are the same, and that in the X509v3 extensions section the Subject and Authority Key Identifiers are identical.

  2. Now, acting as normal person, generate a request for a certificate:
    $ openssl req -out ksb_cert_req.pem -new -keyout ksb_priv_key.pem

    This command will also promt you for a bunch of information (which could be read from a -config file) and then creates two files: ksb_priv_key.pem to hold the new user's private key and ksb_cert_req.pem to hold the request for the certificate.

    req => Command to read/write certificate requests.
    -out ksb_cert_req.pem => The file to write the certificate request to.
    -new => A new certificate is being requested so gather all the DN information (the absence of a -key file.key argument means a new private key will be generated too).
    -keyout ksb_priv_key.pem => The file to write the user private key to, (encrypted with promted for passphrase).

    If you want to look at the request use the command:

    $ openssl req -noout -text -verify -in ksb_cert_req.pem
    -noout => Don't output the encoded form of the request.
    -verify => Verify the request (by checking signature).
    -in ksb_cert_req.pem => The file to read the certificate request from.

  3. Now, as the CA again, issue the requested certificate:
    $ openssl x509 -req -in ksb_cert_req.pem -CA ca_cert.pem -CAkey ca_priv_key.pem -CAcreateserial -out ksb_cert.pem -days 365

    This command takes in the certificate request, all the CA information and creates a new certificate. You will be promted for the CA's private key's password to use when signing the new certificate.

    x509 => Using the Certificate display and signing utility to create a certificate.
    -req => We will be working with a certificate request rather than the default (for the x509 command) of working a certificate.
    -in ksb_cert_req.pem => The certificate request.
    -CA ca_cert.pem => The CA's self-signed certificate.
    -CAKey ca_priv_key.pem => The CA's private key to sign with.
    -CAcreateserial => Create the serial file (named after the CA's certificate file (ca.srl in this case) if it doesn't exist). The serial file is needed for unique serial numbers in created certificates.
    -out ksb_cert.pem => The file to write the new certificate to.
    -days 365 => Make this cert good for 365 days.

  4. Finally, create a PKCS12 file from the PEM certificate created above:
    $ openssl pkcs12 -export -in ksb_cert.pem -inkey ksb_priv_key.pem -out ksb_cert.p12 -name "ksb certificate"

    This command takes the certificate (ksb_cert.pem) and the private key (ksb_priv_key.pem) and creates a PKSC12 file containing the private key, and certificate information. You will be prompted for the passphrase used to encrypt the ksb_cert.pem file and then an export password for the ksb_cert.p12 file.

    pkcs12 => Command to read and write PKCS12 files.
    -export => We will be writing a PKSC12 file.
    -in ksb_cert.pem => The certificate file to put in the PKCS12 file.
    -inkey ksb_priv_key.pem => The private key to put in the PKCS12 file.
    -out ksb_cert.p12 => The file to write the PKCS12 certificate to.
    -name "ksb certificate" => The name (or alias, or friendlyName) to associate to with this certificate and private key in the PKCS1 file.

    To view the contents of a PKCS12 file use the following command:

    $ openssl pkcs12 -info -in ksb_cert.p12

    This will prompt you for an import password (which was the export password given when the .p12 file was created), it will also prompt you for an export password, but you can just ^D and abort the generation of the PEM output.

    Honestly, I'm confused here as to how to create a certificate that has just your cert (and possibly the chain of signing CAs) and not your private key. This looks like something that can't be done (with the openssl command line tool) so perhaps I'm misunderstanding something by wanting to do it. But this is exactly the information the .pem file has even though the .p12 file seems to always have your private key in it. This doesn't seem like something you'd distribute, even though the private key is encrypted.

At this point you can repeat steps 2, 3 and 4 to request and create new certificates.


Keith S. Beattie is responsible for this document, located at http://dst.lbl.gov/~ksb/Scratch/openssl.html, which is subject to LBNL's Privacy & Security Notice, Copyright Status and Disclaimers.

Last Modified: Monday, 25-Feb-2013 16:57:57 PST