Openssl


openssl


https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

working directory: cd ../vhosts/somecerts/smallcerts/

Generate a Private Key and a CSR

openssl req -newkey rsa:512 -nodes -keyout domain.key -out domain.csr

Generate a Self-Signed Certificate from an Existing Private Key

openssl req -key domain.key -new -x509 -days 365 -out domain.crt

View CSR Entries

openssl req -text -noout -verify -in domain.csr

View Certificate Entries

openssl x509 -text -noout -in domain.crt

Verify a Certificate was Signed by a CA

openssl verify -verbose -CAfile ca.crt domain.crt

from https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#

openssl genrsa -out fd.key 512                             # create private key (no passphrase)
openssl rsa -in fd.key -pubout -out fd-public.key          # separate out the public key
openssl req -new -key fd.key -out fd.csr                   # create CSR from key
openssl req -text -in fd.csr -noout                        # show your CSR
openssl x509 -req -days 365 -in fd.csr -signkey fd.key -out fd.crt   # create a self-signed cert without questions
openssl x509 -text -in fd.crt -noout                       # view the cert
openssl x509 -text -noout -in fd.crt -fingerprint          # get a cert's fingerprint

Ciphers

openssl ciphers -v 'ALL:COMPLEMENTOFALL'                   # list available cipher suites
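The `openssl ciphers -v` listing above is most useful when it is turned into a check. The script below is an added example, not from the original page: it feeds a cipher string to `openssl ciphers -v` and flags suites whose Enc or Mac field is NULL, 3DES, RC4, single DES or MD5, which is how you would audit the cipher string from a server config before deploying it. The choice of what counts as "weak" is this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a cipher string the way a
# defender checks a server config, using the same `openssl ciphers -v` output.
set -e

# Print the -v lines for cipher string $1 whose Enc/Mac fields are weak:
# NULL encryption, 3DES, RC4, single DES, or MD5 integrity.
weak_suites() {
    openssl ciphers -v "$1" 2>/dev/null \
        | grep -E 'Enc=None|Enc=3DES|Enc=RC4|Enc=DES\(|Mac=MD5' || true
}

# Number of suites the string actually enables (TLS 1.3 suites are listed too).
suite_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | wc -l | tr -d ' '
}

# "ok" when a cipher string enables no weak suite, "weak" otherwise.
audit_cipher_string() {
    if [ -z "$(weak_suites "$1")" ]; then echo ok; else echo weak; fi
}

# Demo: the page's catch-all string next to a restrictive one.
for s in 'ALL:COMPLEMENTOFALL' 'HIGH:!aNULL:!MD5'; do
    printf '%-22s %4s suites, %s\n' "$s" "$(suite_count "$s")" "$(audit_cipher_string "$s")"
done
```

`ALL:COMPLEMENTOFALL` is the full catalogue, including the NULL-encryption suites that `ALL` deliberately leaves out, so it always audits as weak; a string such as `HIGH:!aNULL:!MD5` is the kind you would actually put in a server config.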

https://engineering.circle.com/https-authorized-certs-with-node-js-315e548354a2#.3atvisjhz

vis-à-vis Let's Encrypt

your key file will be privkey.pem
your cert file will be cert.pem
your CA file will be chain.pem or fullchain.pem (depending on exactly what you need)

creating a certificate authority (CA): the root pair (cert and key)

https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

Acting as a certificate authority (CA) means dealing with cryptographic pairs of private keys and public certificates. The very first cryptographic pair we’ll create is the root pair. This consists of the root key (ca.key.pem) and root certificate (ca.cert.pem). This pair forms the identity of your CA.

in C:\wamp\vhosts\somecerts\caSetup, create the root pair:

mkdir certs crl csr newcerts private
touch index.txt
echo 1000 > serial
put an openssl.conf in place (the CA config from the guide above)
openssl genrsa -aes256 -out private/ca.key.pem 4096   # passphrase required
openssl req -config openssl.conf -key private/ca.key.pem -new -x509 -days 12000 -sha256 -extensions v3_ca -out certs/ca.cert.pem   # needs the private key passphrase; Common Name hpTimCa
openssl x509 -noout -text -in certs/ca.cert.pem   # verify the root cert

create the intermediate CA, then a server cert signed by it

cd intermediate
mkdir certs crl csr newcerts private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
cd ..   # the commands below are run from caSetup
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096   # same passphrase
openssl req -config intermediate/openssl.conf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
openssl ca -config openssl.conf -extensions v3_intermediate_ca -days 10900 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem   # verify
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem   # verify against the root
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
openssl genrsa -out intermediate/private/sslvh.tm.key.pem 2048   # omitting -aes256 creates a key without a passphrase
openssl req -config intermediate/openssl.conf -key intermediate/private/sslvh.tm.key.pem -new -sha256 -out intermediate/csr/sslvh.tm.csr.pem
openssl ca -config intermediate/openssl.conf -extensions server_cert -days 9000 -notext -md sha256 -in intermediate/csr/sslvh.tm.csr.pem -out intermediate/certs/sslvh.tm.cert.pem
openssl x509 -noout -text -in intermediate/certs/sslvh.tm.cert.pem
openssl x509 -text -noout -in intermediate/certs/sslvh.tm.cert.pem -fingerprint

The Issuer is the intermediate CA. The Subject refers to the certificate itself.

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/sslvh.tm.cert.pem

You can now either deploy your new certificate to a server, or distribute the certificate to a client. When deploying to a server application (e.g. Apache), you need to make the following files available:

C:\wamp\vhosts\somecerts\caSetup\intermediate\certs\ca-chain.cert.pem
C:\wamp\vhosts\somecerts\caSetup\intermediate\private\sslvh.tm.key.pem
C:\wamp\vhosts\somecerts\caSetup\intermediate\certs\sslvh.tm.cert.pem

You could (but I didn't) create a certificate revocation list (CRL).