If you need to check the SMTP certificate from the command line:
openssl s_client -connect mail.example.com:25 -starttls smtp
Just random Linux dumps I don't want to remember ;-)
Create a new SSL key with 4096 bit size (highly recommended):
openssl genrsa -out website.key 4096
Create the CSR so you can send it to your SSL certificate provider, who will create a certificate for you (don't forget -sha256, also highly recommended for security):
openssl req -new -key website.key -out website.csr -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:website
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:website.tld
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As you can see, not every field has to be filled in when creating a CSR file.
To examine a generated key file, for example to check the key size, enter the following:
openssl rsa -in website.key -check -text
You will get a result like this:
Private-Key: (2048 bit)
modulus: <cut>
publicExponent: 65537 (0x10001)
privateExponent: <cut>
prime1: <cut>
prime2: <cut>
exponent1: <cut>
exponent2: <cut>
coefficient: <cut>
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
<cut>
-----END RSA PRIVATE KEY-----
To examine the content of a generated .csr file enter the following:
openssl req -text -noout -in website.csr
You will get information like this for example:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=country, ST=province, L=city, O=business name, CN=common name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): <cut>
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com, DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
        <cut>
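The key and CSR checks above can be combined into one script to run before the CSR is sent off. This is an added example, not part of the original notes; the function name check_csr, its messages and the 4096-bit default threshold are assumptions chosen to match the recommendations on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a key/CSR pair
# before the CSR goes to the certificate provider.
# Usage: check_csr KEY CSR [MIN_BITS]   (MIN_BITS defaults to 4096)
# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_csr() {
    key=$1; csr=$2; min_bits=${3:-4096}

    # 1. RSA key is internally consistent ("openssl rsa -check" says so).
    openssl rsa -in "$key" -check -noout 2>/dev/null | grep -q 'RSA key ok' ||
        { echo "key check failed"; return 1; }

    # 2. Key size, parsed from the "Private-Key: (NNNN bit ..." line.
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "key too small: ${bits:-0} bit"; return 1; }

    # 3. The CSR's self-signature verifies.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature invalid"; return 1; }

    # 4. The CSR was signed with a SHA-2 digest (what -sha256 asks for).
    sig=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    case $sig in
        sha256*|sha384*|sha512*) ;;
        *) echo "weak signature algorithm: $sig"; return 1 ;;
    esac

    # 5. The public key in the CSR belongs to this private key.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] ||
        { echo "CSR does not match key"; return 1; }

    echo "ok"
}

# Run directly: sh check_csr.sh website.key website.csr
if [ "$#" -ge 2 ]; then check_csr "$@"; fi
```

Step 5 catches the common mistake of submitting a CSR that was generated from a different key than the one deployed on the server.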
To examine a signed certificate file in p7b format enter the following:
openssl pkcs7 -in certificate.p7b -text -print_certs
To examine a signed certificate file in .cer or .crt format enter the following:
openssl x509 -noout -text -in certificate.cer
To convert a .pfx certificate to a .pem file enter the following (-nodes writes the private key to the .pem file unencrypted, so protect that file accordingly):
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
To convert a .p7b certificate to a .pem certificate enter the following:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
After this you can view the certificates with vi/less.
If you receive an error like the one below, you probably have the wrong format:
140536229615264:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7
If the certificate is in DER format enter the following:
openssl pkcs7 -inform der -print_certs -in certificate.p7b -out certificate.pem
Sometimes you need a .pfx-style certificate for whatever purpose; this is how you create it:
openssl pkcs12 -export -in website.cer -inkey website.key -out website.pfx
You will be asked for a password. Setting one is recommended, because otherwise the key can be abused without any effort if someone finds your .pfx file.
website.cer is an example; replace it with your own file.
Like most administrators I like to execute MySQL queries directly from the MySQL command line.
But if you want to review what you entered in the client, it is sometimes difficult to find.
However, all commands entered are also saved in the home directory of the Linux user you are logged in as.
cat ~/.mysql_history
The result is a complete list of commands you have used:
\q
show slave status\G
show master status;
show databases;
use testdb
INSERT INTO users(name) VALUES ('bla');
\q