@jdmallen
Last active October 17, 2023 12:37
Sample commands for OpenSSL, assuming you have an external openssl.cnf configuration file to use (see other gist). The commands below reference that file as openssl.cnf.

Generate private RSA key with AES encryption

openssl genrsa -out .\path\to\my_cert_encrypted.key -aes256 4096

Generate private RSA key without encryption

openssl genrsa -out .\path\to\my_cert.key 4096

Decrypt private RSA key (reads the AES-encrypted key, prompts for the passphrase, writes an unencrypted PEM key; -text would add a human-readable dump to the output file, which is not wanted here)

openssl rsa -in .\path\to\my_cert_encrypted.key -out .\path\to\my_cert_decrypted.key

Verify RSA key (-check validates the key's components for consistency; -text dumps them)

openssl rsa -noout -check -text -in .\path\to\my_cert.key

Extract public certificate from PFX/P12 file

openssl pkcs12 -in .\path\to\public_and_private.pfx -clcerts -nokeys > .\path\to\just_public.crt

Generate root certificate authority (CA) using config file

openssl req -new -x509 -days 7300 -sha256 -config openssl.cnf -extensions v3_ca -key .\path\to\root_ca.key -out .\path\to\root_ca.crt

Generate 2048-bit Diffie-Hellman parameters file

openssl dhparam -out dhparams.pem 2048

For each of the following tasks, first generate the certificate signing request (CSR) from the private key with "openssl req", then create the object you want (intermediate CA or X.509 certificate) with the second command.

Generate intermediate certificate authority (ICA) using config file

openssl req -config openssl.cnf -new -sha256 -key .\path\to\my_ica.key -out .\path\to\my_ica.csr
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in .\path\to\my_ica.csr -out .\path\to\my_ica.crt

Generate X509 server authentication certificate using config file

openssl req -new -config openssl.cnf -extensions server_cert -key .\path\to\www.myfakesite.com.key -out .\path\to\www.myfakesite.com.csr
openssl x509 -req -in .\path\to\www.myfakesite.com.csr -CA .\path\to\my_ica.crt -CAkey .\path\to\my_ica.key -CAcreateserial -days 1826 -sha256 -extfile openssl.cnf -extensions server_cert -out .\path\to\www.myfakesite.com.crt -addtrust serverAuth

Generate X509 client authentication certificate using config file

openssl req -new -config openssl.cnf -extensions usr_cert -key .\path\to\my_client_cert.key -out .\path\to\my_client_cert.csr
openssl x509 -req -in .\path\to\my_client_cert.csr -CA .\path\to\my_ica.crt -CAkey .\path\to\my_ica.key -CAcreateserial -days 1826 -sha256 -extfile openssl.cnf -extensions usr_cert -out .\path\to\my_client_cert.crt -addtrust clientAuth

Generate X509 code signing certificate using config file

openssl req -new -config openssl.cnf -extensions code_signing_cert -key .\path\to\my_code_signing_cert.key -out .\path\to\my_code_signing_cert.csr
openssl x509 -req -in .\path\to\my_code_signing_cert.csr -CA .\path\to\my_ica.crt -CAkey .\path\to\my_ica.key -CAcreateserial -days 1826 -sha256 -extfile openssl.cnf -extensions code_signing_cert -out .\path\to\my_code_signing_cert.crt
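After issuing the three leaf certificates, it is worth confirming that each one actually chains to the root through the intermediate CA, carries the extensions the config section was meant to add, and matches its private key. The following PowerShell script is an added example and is not part of the gist; it assumes the same file names as the commands above, openssl on PATH (1.1.1 or newer for the -ext option), and that the encrypted keys will prompt for their passphrase.

```powershell
# Added example, not part of the original gist. Sanity-checks the chain built above.
# Assumes: same file names as the gist's commands, openssl.exe on PATH (1.1.1+ for -ext).

$RootCa = '.\path\to\root_ca.crt'   # trust anchor
$Ica    = '.\path\to\my_ica.crt'    # intermediate, supplied as an untrusted link

# Each leaf certificate, its private key, and the purpose openssl verify should enforce.
# 'any' is used for code signing because openssl verify has no code-signing purpose.
$Leaves = @(
    @{ Cert = '.\path\to\www.myfakesite.com.crt';  Key = '.\path\to\www.myfakesite.com.key';  Purpose = 'sslserver' },
    @{ Cert = '.\path\to\my_client_cert.crt';      Key = '.\path\to\my_client_cert.key';      Purpose = 'sslclient' },
    @{ Cert = '.\path\to\my_code_signing_cert.crt'; Key = '.\path\to\my_code_signing_cert.key'; Purpose = 'any' }
)

foreach ($leaf in $Leaves) {
    # 1. Chain validation: leaf -> intermediate -> root, with the purpose enforced so a
    #    wrong keyUsage/extendedKeyUsage in the openssl.cnf section is reported here,
    #    not later by a client that silently rejects the certificate.
    & openssl verify -CAfile $RootCa -untrusted $Ica -purpose $leaf.Purpose $leaf.Cert
    if ($LASTEXITCODE -ne 0) { throw "Chain verification failed for $($leaf.Cert)" }

    # 2. Key/certificate pairing: the RSA modulus in the cert must equal the key's.
    $certMod = & openssl x509 -noout -modulus -in $leaf.Cert
    $keyMod  = & openssl rsa  -noout -modulus -in $leaf.Key
    if ($LASTEXITCODE -ne 0 -or $certMod -ne $keyMod) {
        throw "Private key does not match certificate: $($leaf.Cert)"
    }

    # 3. Show subject, validity window and the extensions the config section set.
    & openssl x509 -noout -subject -dates -ext basicConstraints,keyUsage,extendedKeyUsage -in $leaf.Cert
}
```

Note that -addtrust in the server and client commands makes openssl write a "TRUSTED CERTIFICATE" PEM block rather than a plain "CERTIFICATE"; openssl's own tools read it, but software that expects a plain certificate may not, in which case `openssl x509 -in trusted.crt -out plain.crt` (without -trustout) strips the trust settings.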