rimball wiki

Create a ECC private key using the prime256v1 algorithm ¹⁾

openssl ecparam -out server.key -name prime256v1 -genkey

using secp384r1

openssl ecparam -out server.key -name prime256v1 -genkey

Create CSR from key

openssl req -new -nodes -key server.key -out $(hostname -f).csr\
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
-addext "subjectAltName=DNS:$(hostname -f)"

One-liner for ECC key

openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
-keyout $(hostname -f).key -out $(hostname -f).csr \
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\
-addext "subjectAltName=DNS:$(hostname -f)"

openssl req -new -nodes -keyout newkey.pem -out newreq.pem

Create rsa key and csr

openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \
-keyout example.com.key \
-subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \
-addext "subjectAltName=DNS:example.com"

one liner for RSA key and csr using system FQDN

openssl req -new -sha256 -nodes  -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \
-addext "subjectAltName=DNS:$(hostname -f)"

if [[ "$(openssl x509 -noout -in ${SIGNED_CERT}  -modulus)" !=  "$(openssl rsa -noout -in ${PRIVATE_KEY}  -modulus)" ]] ; then
echo "they don't match"
fi

for a web browser from a certificate and it's key

openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out chrome.p12

If the private and public key are in the same file

openssl pkcs12 -export -in mycert.CRT -out mycertoutput.p12

first extract the certificate

  openssl pkcs12 -in mycert.P12 -nodes -clcerts  -out cert

second, extract the key

  openssl pkcs12 -in mycert.P12 -nodes -nocerts -out key

Both into one file

openssl pkcs12 -in mycert.P12 -nodes -out mycert.CRT

http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke

      openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/isd_crl.crl
      openssl ca -revoke CA/newcerts/F069A9B2CEE10A6E.pem -keyfile CA/private/cakey.pem  -cert CA/cacert.pem
      openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/my_crl.pem

To display the contents of a CRL certificate:

      openssl crl -in my_crl.pem -text

Convert a PEM formatted CRL to DER format for Firefox openssl crl -in crl.pem -outform DER -out new_crl.der

      openssl x509 -noout -subject_hash -in selfsigned.pem

Display contents of a certificate file

  openssl x509 -in cacert.pem  -text

Display certificate request (CSR)

openssl req -in cert.csr -text

  view the details of what the server wants
  openssl s_client -connect example.com:443 -prexit

Using a client certificate

  openssl s_client -cert client.crt -key client.key -connect example.com:44

With certificate verification

  openssl s_client -connect example.com:443 -cert mycert.pem  -key mykey.pem  -CAfile cacert.pem

Retrieve just the RSA public key if the site has both ECDSA & RSA

  openssl s_client -sigalgs "RSA-PSS+SHA256"  -connect google.com:443

For more examples of using signature algorithms see https://node-security.com/posts/openssl-testing-signature-algorithm/

wget and openssl s_client wget –certificate=mycert.pem –private-key=mykey.pem –ca-certificate=cacert.pem https://example.com –verbose

openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc

openssl enc -e -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc

openssl enc -d -k 1234 -aes256 -pbkdf2 -in text.txt -out text.txt.enc

#Signing files

date +%s > restore.txt
#sign using rasutl
openssl rsautl -sign -in restore.txt -inkey mykey.pem -out restore.sig

#verify using rsautl
openssl rsautl -verify -in restore.sig -inkey mycert.pem -certin

#smime - Sign and verify openssl smime -sign -in restore.txt -text -out mail.msg -signer mycert.pem -inkey mykey.pem openssl smime -verify -in mail.msg -CAfile cacert.pem -out signedtext.txt

openssl.cnf Should change default_bits to 2048 change nsCertType to just client for client certificates nsComment

mostly copied from http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html

Column 1 – (V)erified, (E)xpired, and (R)evoked First of all the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and newline separates the rows.

The columns are defined as

#define DB_type         0 /* Status of the certificate */
#define DB_exp_date     1 /* Expiry date */
#define DB_rev_date     2 /* Revocation date */
#define DB_serial       3       /* Serial No., index - unique */
#define DB_file         4
#define DB_name         5       /* DN, index - unique when active and  not disabled */

DB_type is defined as

#define DB_TYPE_REV    'R' /* Revoked */
#define DB_TYPE_EXP    'E' /* Expired */
#define DB_TYPE_VAL    'V' /* Valid */

'E' is currently not used by “openssl ca”, I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V' DB_file currently is always 'unknown' and not used by “openssl ca”. I guess the original idea was to store the filename of the generated certificate file here. The dates are in ASN1_UTCTIME-format.

 revoke_date=`date +%y%m%d%H%M%SZ`

  openssl x509 -noout -modulus -in <signed_cert.crt>
  openssl rsa -noout -modulus -in <cert.key>

and compare the two

https://www.digicert.com/kb/ecc-csr-creation-ssl-installation-apache.htm

https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

https://dev.to/benjaminblack/obtaining-an-elliptic-curve-dsa-certificate-with-lets-encrypt-51bc

https://blog.dnsimple.com/2022/10/ecc-support-for-certificates/

https://soatok.blog/2022/05/19/guidance-for-choosing-an-elliptic-curve-signature-algorithm-in-2022/