openssl
General commands
create a password-protected root private key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key
show private key info:
openssl pkey -in root.key -text -noout
generate public key:
openssl pkey -in root.key -pubout -out root-public.key
sign root CA with new private key:
openssl x509 -in root.crt -signkey root.key -days 3650
add self-signed certificate to trust store:
# save to /etc/ca-certificates/trust-source
sudo trust anchor <path to crt>
Sign fake domain
create private keys:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out domain.key
creating root CSR from existing root cert:
openssl x509 -x509toreq -in "$ROOT_CRT" -out root.csr -signkey root.key -copy_extensions copyall
generate new root cert:
openssl x509 -req -in root.csr -out root.crt -signkey root.key -days 3650 -copy_extensions copyall
creating CSRs from existing intermediate cert:
openssl x509 -x509toreq -in "$INTER_CRT" -out intermediate.csr -signkey intermediate.key -copy_extensions copyall
re-sign intermediate certificate from CSR with root CA:
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate.crt -copy_extensions copyall -days 3650
creating CSRs from existing domain cert:
openssl x509 -x509toreq -in "$DOMAIN_CRT" -out domain.csr -signkey domain.key -copy_extensions copyall
re-sign domain certificate from CSR with intermediate CA:
openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out domain.crt -copy_extensions copyall -days 3650
Create cert for IP
create config file req.cnf:
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
commonName = <IP address>
[req_ext]
subjectAltName = IP:<IP address>
generate key:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ip.key
generate CSR:
openssl req -new -key ip.key -out ip.csr -config req.cnf
create cert:
openssl x509 -req -days 3650 -in ip.csr -signkey ip.key -out ip.cert -extensions req_ext -extfile req.cnf
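The last step passes -extensions req_ext -extfile req.cnf because openssl x509 -req does not copy the extensions requested in the CSR by default, so without them the IP subjectAltName is silently dropped. The script below is an added example, not part of the original page: it runs the procedure both ways and checks the resulting certificate. The address 192.0.2.10 and the function names are assumptions made for the example.

```shell
# Added example, not from the original page. 192.0.2.10 is a constructed
# documentation address and the function names are hypothetical.

# Build key, CSR and self-signed cert for IP $2 in directory $1.
# $3 = with-ext passes -extensions/-extfile as the page does; else omits them.
make_ip_cert() {
    dir=$1 ip=$2 mode=$3
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
commonName = $ip
[req_ext]
subjectAltName = IP:$ip
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ip.key" 2>/dev/null &&
    openssl req -new -key "$dir/ip.key" -out "$dir/ip.csr" -config "$dir/req.cnf" || return 1
    if [ "$mode" = with-ext ]; then
        openssl x509 -req -days 3650 -in "$dir/ip.csr" -signkey "$dir/ip.key" \
            -out "$dir/ip.cert" -extensions req_ext -extfile "$dir/req.cnf" 2>/dev/null
    else
        openssl x509 -req -days 3650 -in "$dir/ip.csr" -signkey "$dir/ip.key" \
            -out "$dir/ip.cert" 2>/dev/null
    fi
}

# Succeeds only if the certificate carries an iPAddress SAN equal to $2.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -qwF "IP Address:$2"
}

# Succeeds only if the certificate's public key is the one derived from key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)
make_ip_cert "$work" 192.0.2.10 no-ext
cert_has_ip_san "$work/ip.cert" 192.0.2.10 && echo "no-ext: SAN present" || echo "no-ext: SAN missing"
make_ip_cert "$work" 192.0.2.10 with-ext
cert_has_ip_san "$work/ip.cert" 192.0.2.10 && echo "with-ext: SAN present" || echo "with-ext: SAN missing"
cert_matches_key "$work/ip.cert" "$work/ip.key" && echo "key matches certificate"
rm -rf "$work"
```

Clients that validate IP addresses look only at the subjectAltName, so the certificate produced without the extension file fails the check even though its commonName holds the address.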
