===== Create a certificate request =====
==== Create a ECC key ====
Create a ECC private key using the prime256v1 algorithm ((https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm))
<code>openssl ecparam -out server.key -name prime256v1 -genkey</code>
using secp384r1
<code>openssl ecparam -out server.key -name prime256v1 -genkey</code>

Create CSR from key
<code>openssl req -new -nodes -key server.key -out $(hostname -f).csr\
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
-addext "subjectAltName=DNS:$(hostname -f)"</code>


One-liner for ECC key
<code>openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
-keyout $(hostname -f).key -out $(hostname -f).csr \
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
-addext "subjectAltName=DNS:$(hostname -f)"
</code>


==== Create a RSA key ====
<code>openssl req -new -nodes -keyout newkey.pem -out newreq.pem</code>

Create rsa key and csr
<code>openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \
-keyout example.com.key \
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \
-addext "subjectAltName=DNS:example.com"</code>

one liner for RSA key and csr using system FQDN
<code>openssl req -new -sha256 -nodes  -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \
-addext "subjectAltName=DNS:$(hostname -f)"
</code>


=====  get cert modulus and compare to private key ===== 
<code>
if [[ "$(openssl x509 -noout -in ${SIGNED_CERT}  -modulus)" !=  "$(openssl rsa -noout -in ${PRIVATE_KEY}  -modulus)" ]] ; then
echo "they don't match"
fi
</code>

=====pkcs12 =====
====Create pkcs12 ====
for a web browser from a certificate and it's key
<code>openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out chrome.p12</code>
If the private and public key are in the same file
<code>openssl pkcs12 -export -in mycert.CRT -out mycertoutput.p12</code>

====Convert pkcs12 to pem====
first extract the certificate
    openssl pkcs12 -in mycert.P12 -nodes -clcerts  -out cert

second, extract the key
    openssl pkcs12 -in mycert.P12 -nodes -nocerts -out key

Both into one file
  openssl pkcs12 -in mycert.P12 -nodes -out mycert.CRT



===== Create CRL =====
http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke
        openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/isd_crl.crl
        openssl ca -revoke CA/newcerts/F069A9B2CEE10A6E.pem -keyfile CA/private/cakey.pem  -cert CA/cacert.pem
        openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/my_crl.pem
To display the contents of a CRL certificate:
        openssl crl -in my_crl.pem -text

Convert a PEM formatted CRL to DER format for Firefox
openssl crl -in crl.pem -outform DER -out new_crl.der

===== Create a certificate hash =====
        openssl x509 -noout -subject_hash -in selfsigned.pem

=== Display ===
Display contents of a certificate file
    openssl x509 -in cacert.pem  -text
Display certificate request (CSR)
  openssl req -in cert.csr -text

===== openssl s_client =====
    view the details of what the server wants
    openssl s_client -connect example.com:443 -prexit
Using a client certificate
    openssl s_client -cert client.crt -key client.key -connect example.com:44
With certificate verification
    openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem

Retrieve just the RSA public key if the site has both ECDSA & RSA
    openssl s_client -sigalgs "RSA-PSS+SHA256"  -connect google.com:443
    to retrieve the EC cert use "ECDSA+SHA256" for sigalgs

For more examples of using signature algorithms see https://node-security.com/posts/openssl-testing-signature-algorithm/



wget and openssl s_client
wget --certificate=mycert.pem --private-key=mykey.pem --ca-certificate=cacert.pem  https://example.com --verbose



===== Encrypting using openssl =====
openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc


openssl enc -e -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc

openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc

#Signing files
  date +%s > restore.txt
  #sign using rasutl
  openssl rsautl -sign -in restore.txt -inkey mykey.pem -out restore.sig
  
  #verify using rsautl
  openssl rsautl -verify -in restore.sig -inkey mycert.pem -certin
  
#smime - Sign and verify
openssl smime -sign -in restore.txt -text -out mail.msg -signer mycert.pem -inkey mykey.pem
openssl smime -verify -in mail.msg -CAfile cacert.pem -out signedtext.txt



openssl.cnf
Should change default_bits to 2048
change nsCertType to just client for client certificates
nsComment

=====index.txt format =====
mostly copied from http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html


Column 1 -- (V)erified, (E)xpired, and (R)evoked
First of all the format of index.txt is undocumented. Probably because
it might change sometime. Or it was a fast hack to get the demo
application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where
a tab separates the columns and newline separates the rows.

The columns are defined as
  #define DB_type         0 /* Status of the certificate */
  #define DB_exp_date     1 /* Expiry date */
  #define DB_rev_date     2 /* Revocation date */
  #define DB_serial       3       /* Serial No., index - unique */
  #define DB_file         4
  #define DB_name         5       /* DN, index - unique when active and  not disabled */
  
DB_type is defined as     
  #define DB_TYPE_REV    'R' /* Revoked */
  #define DB_TYPE_EXP    'E' /* Expired */
  #define DB_TYPE_VAL    'V' /* Valid */
  
'E' is currently not used by "openssl ca", I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V'
DB_file currently is always 'unknown' and not used by "openssl ca". I
guess the original idea was to store the filename of the generated
certificate file here.
The dates are in ASN1_UTCTIME-format.
<code> revoke_date=`date +%y%m%d%H%M%SZ`</code>

===== compare key with signed cert =====
    openssl x509 -noout -modulus -in <signed_cert.crt>
    openssl rsa -noout -modulus -in <cert.key>
and compare the two


===== References =====
https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc

https://blog.dnsimple.com/2022/10/ecc-support-for-certificates/

https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/