OpenSSL

Multi Domain Certificate Request
Multi-Domain Subject Alternative Name (SAN) Certificate

Ref: SAN Certificates: Subject Alternative Name – Multi-Domain (SAN) - https://www.digicert.com/subject-alternative-name.htm

Create private key: openssl genrsa -des3 -out domain.key 2048

Verify key: openssl rsa -check -in domain.key

Generate Single Domain CSR: openssl req -key domain.key -new -out domain.csr

C = US                          # Country (2 letters)
ST = Utah                       # State
L = Some City                   # Location
O = Some Organization           # Organization Name
OU = Some Organization Unit     # Organizational Unit Name
CN = domain.com                 # Common Name - domain name for CSR
emailAddress = your@email.com   # your email

Generate CSR with Multiple Domains: (see req.ssl below) openssl req -key domain.key -new -config req.ssl -out domain.csr

req.ssl:

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = Utah
L = Some City
O = Some Organization
OU = Some Organization Unit
emailAddress = your@email.com
CN = domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = some.domain.com
DNS.2 = other.domain.com

Note: browsers match the host name only against subjectAltName and ignore the CN, so every name the certificate must serve (including the CN's domain) belongs in alt_names.

Verify CSR: https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

Be prepared: every CA (Certificate Authority) will require you to prove control of each domain, typically through a DNS TXT record or a file placed at a given path on the web server.

Entire Trust Chain PEM

 * 1)    The Private Key - your_domain_name.key
 * 2)    The Primary Certificate - your_domain_name.crt
 * 3)    The Intermediate Certificate - DigiCertCA.crt
 * 4)    The Root Certificate - TrustedRoot.crt

Ref: https://www.digicert.com/ssl-support/pem-ssl-creation.htm

---

The order does matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

certificate_list This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

ref: https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem

Linux CA Certs

curl -v https://ssl.oeey.com:443
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs

Add the .crt to /etc/ssl/certs and then run *update-ca-certificates* to rebuild the cert cache. (On Debian/Ubuntu, update-ca-certificates picks up .crt files placed under /usr/local/share/ca-certificates/ and writes the hashed links into /etc/ssl/certs; the Red Hat equivalent is to drop the file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust.)

Ref: https://access.redhat.com/solutions/1549003

Show Cert Chain
Dump the certificates the server sends and decode the first one (the server's own; openssl x509 only parses the first PEM block in its input, the rest of the chain is in the s_client output):

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -text

Save the server certificate in DER format:

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der

Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Commands

 * OpenSSL Usage tips
 * OpenSSL RSA

Generate Certificate
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

One Step Self Signed
One step self signed passwordless certificate generation: openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key -out www.example.com.cert

Private Key
Generate private key file with file encryption (you are prompted for a pass phrase, and the PEM carries Proc-Type/DEK-Info headers):

openssl genrsa -des3 -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1A2D111B7CC038F7
...
-----END RSA PRIVATE KEY-----

Generate private key file without file encryption:

openssl genrsa -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Note: 1024-bit RSA is below the 2048-bit minimum CAs and browsers have required for years; use 2048 or larger for anything real. OpenSSL 3.x also writes keys in PKCS#8 form by default ("BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY"); pass -traditional to genrsa for the RSA PRIVATE KEY form shown here.

List private key details (primes and other such nonsense):

openssl rsa -in $DOMAIN.key -text
 * 1) Also indicates if key is encrypted (or you can generally look at the text)

Certificate Request
Questions:
 * Enter PEM pass phrase
 * Country Name (2 letter code) [AU]
 * State or Province Name (full name) [Some-State]
 * Locality Name (eg, city) []
 * Organization Name (eg, company) [Internet Widgits Pty Ltd]
 * Organizational Unit Name (eg, section) []
 * Common Name (eg, YOUR name) []
 * Email Address []
 * extra - A challenge password []
 * extra - An optional company name []

Cert Request - also generate key: openssl req -new -keyout $DOMAIN.key -out $DOMAIN.csr

Cert Request - use existing key: openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

List Certificate Request Details: openssl req -in $DOMAIN.csr -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lindon, O=OEEY, OU=Lab, CN=cert.oeey.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
...

Certificate
View a certificate details: openssl x509 -in filename.crt -noout -text

Other
Viewing the details of a certificate revocation list (CRL): openssl crl -in filename -noout -text

View server's certificate chain: openssl s_client -connect ssl.oeey.com:443 -showcerts < /dev/null

To remove the pass phrase on an RSA private key: openssl rsa -in key.pem -out keyout.pem

To encrypt a private key using triple DES: openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format: openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output: openssl rsa -in key.pem -text -noout

To just output the public part of a private key: openssl rsa -in key.pem -pubout -out pubkey.pem

PKCS7
VMware VIB signature check: copy the PKCS#7 signature block out of the binary VIB and paste it into a file ([SIGFILE] below), then list the signing certificates:

openssl pkcs7 -in [SIGFILE] -print_certs -noout
openssl pkcs7 -in [SIGFILE] -print_certs -noout -text

Conversion
OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

If you need to convert a Java Keystore file to a different format, it is usually easier to create a new private key and certificates, but it is possible to convert a Java Keystore to PEM format.

Source: SSL Converter - Convert SSL Certificates to different formats - https://www.sslshopper.com/ssl-converter.html
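A round trip through the conversions above, as an added example that is not part of this page or of the sslshopper page: it creates a throwaway key and self-signed certificate, converts PEM to PFX and back and PEM to DER and back, and checks that the certificate fingerprint and the key's public half are unchanged. The file names, the pass phrase changeit, the minimal req config and the temporary working directory are choices made here.

```shell
#!/bin/sh
# Added example (not from the page): PEM -> PFX -> PEM and PEM -> DER -> PEM
# round trips with a fingerprint and public-key comparison at each step.
# The pkcs12 pass phrase is passed with pass:... instead of at a prompt.
set -eu

roundtrip() (
    cd "$(mktemp -d)"
    # Throwaway self-signed certificate and unencrypted key as the PEM input.
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > min.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config min.cnf \
        -subj "/CN=convert.example" -keyout privateKey.key -out certificate.crt 2>/dev/null
    fp()  { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
    pub() { openssl pkey -in "$1" -pubout; }
    orig=$(fp certificate.crt)

    # PEM -> PFX: key and certificate in one password-protected container.
    openssl pkcs12 -export -inkey privateKey.key -in certificate.crt \
        -passout pass:changeit -out certificate.pfx
    # PFX -> PEM: -nodes leaves the key unencrypted in the output file.
    openssl pkcs12 -in certificate.pfx -passin pass:changeit -nodes -out fromPfx.pem
    # The PEM output holds both objects; each reader picks out its own block.
    [ "$(fp fromPfx.pem)" = "$orig" ] || { echo "certificate changed in PFX trip" >&2; exit 1; }
    [ "$(pub fromPfx.pem)" = "$(pub privateKey.key)" ] || { echo "key changed in PFX trip" >&2; exit 1; }

    # PEM -> DER -> PEM for the certificate alone.
    openssl x509 -outform der -in certificate.crt -out certificate.der
    openssl x509 -inform der -in certificate.der -out fromDer.pem
    [ "$(fp fromDer.pem)" = "$orig" ] || { echo "certificate changed in DER trip" >&2; exit 1; }
    # Print the SHA-256 fingerprint that survived every conversion.
    echo "$orig"
)

roundtrip
```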

Check SSL Certificate
OpenSSL Usage tips

View a certificates' details openssl x509 -in filename.crt -noout -text

Viewing the details of a certificate revocation list (CRL) openssl crl -in filename -noout -text

Remove Password from Private Key
OpenSSL RSA -

To remove the pass phrase on an RSA private key: openssl rsa -in key.pem -out keyout.pem

Change private key password: openssl rsa -in $DOMAIN.key.pem -des3 -out $DOMAIN.key.pem.new


Test SSL Connection
To check the SSL connection: openssl s_client -connect 10.0.0.223:465

To test for SSL2 access: openssl s_client -ssl2 -connect 10.0.0.223:465

To test for SSL3 access: openssl s_client -ssl3 -connect 10.0.0.223:465

To test for TLS1 access: openssl s_client -tls1 -connect 10.0.0.223:465

Note: current OpenSSL builds are compiled without SSLv2 and SSLv3, so -ssl2 and -ssl3 are rejected as unknown options on a modern client; to probe one protocol version at a time on such a build use -tls1_1, -tls1_2 or -tls1_3 in the same way.

Encrypting data with openssl
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
echo 'too many secrets' > file.txt
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
cat decrypted.txt

Caveats: raw RSA can only encrypt a message shorter than the modulus minus the padding overhead (roughly a hundred bytes for a 1024-bit key), so this suits a small secret, not a file; and rsautl is deprecated in OpenSSL 3.x in favour of openssl pkeyutl, which takes the same -encrypt/-decrypt/-pubin/-inkey options.

Reference: Private key encryption using OpenSSL

Build OpenSSL from Source
OpenSSL - http://www.openssl.org/

openssl-0.9.8b.tar.gz is the version used with VMware Workbench 1.0. The 0.9.8 branch has been end-of-life since 2015, so build it only for compatibility testing, never for a production service.

yum -y install gcc make
 * 1) not sure what dependencies are needed...

mkdir -p ~/.ssh ; cd ~/.ssh
wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
tar -zvxf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b

./config --prefix=/opt/openssl
make && make test && make install

Create Certificate Authority
Create the Root Key: openssl genrsa -out rootCA.key 2048

Alternative Create Password protected Root Key: (optional) openssl genrsa -des3 -out rootCA.key 2048 (the key size must be the last argument; genrsa rejects options placed after it)

Self-Sign This Certificate: openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt

Also output certificate to DER format (for IE): (optional) openssl x509 -in rootCA.crt -out rootCA.der.crt -outform DER

Verify: openssl x509 -noout -text -in rootCA.crt

X509v3 Basic Constraints: CA:TRUE

Install Root Certificate Into Browsers:
 * IE and Chrome use the default certificate management
 * Go to IE, Internet Options, go to the Content tab, then hit the Certificates button. In Chrome going to Options and Under The Hood, and Manage certificates. They both take you to the same place, the Windows certificate repository. You’ll want to install the root CA certificate (not the key) under the Trusted Root Certificate Authorities tab.
 * Firefox has its own certificate repository

References:
 * Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs) | The Data Center Overlords - http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
 * How do I create my own Certificate Authority (CA) | workaround.org - https://workaround.org/certificate-authority

---

Sign new server

Create server key: openssl genrsa -out device.key 2048

Create certificate signing request: openssl req -new -key device.key -out device.csr

WARNING: the Common Name must match the host's domain name. A single-level wildcard such as *.oeey.com is also valid.

Sign certificate with our CA: openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

Also output certificate to DER format (for IE): (optional) openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache (it contains the private key, so keep it readable only by root): cat device.key device.crt > device.pem

---

Sign a multi domain name server: (allow *.oeey.com and oeey.com - silly firefox)

device.cnf:

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Utah
localityName = Salt Lake City
organizationalUnitName = oeey
organizationName = oeey
commonName = oeey

# Extensions to add to a certificate request
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = oeey.com
DNS.2 = *.oeey.com

If you want by IP too, add the following to alt_names: IP.1 = 10.10.10.1

Create server key: openssl genrsa -out device.key 2048

Create certificate signing request: openssl req -new -key device.key -out device.csr -config device.cnf

Verify csr: (optional) openssl req -text -noout -in device.csr

X509v3 Subject Alternative Name: DNS:oeey.com, DNS:*.oeey.com

Sign certificate with our CA: openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -extensions v3_req -extfile device.cnf

Also output certificate to DER format (for IE): (optional) openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache (it contains the private key, so keep it readable only by root): cat device.key device.crt > device.pem

Rename 'device' to the domain name: ls device* | awk '{print "mv " $1 " " $1}' | sed 's/device/oeey.com/2' | sh

References:
 * Creating an SSL Certificate with Multiple Hostnames - http://apetec.com/support/GenerateSAN-CSR.htm
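The multi-domain CSR config, the CA creation and the signing step above, pulled together as one runnable script that also checks the result. This is an added example, not the page's own commands: it reuses the page's file names (rootCA.key, device.cnf, device.csr, device.crt), gives the root its own v3_ca section instead of relying on the default openssl.cnf, passes the request extensions with -reqexts rather than req_extensions, and works in a temporary directory so nothing in the current directory is touched.

```shell
#!/bin/sh
# Added example (not from the page): private CA, SAN leaf signed with the
# v3_req extensions, chain bundle in RFC 4346 order, and a verify step.
# File names follow the page; the config contents and CA subject are chosen here.
set -eu
build_and_verify() (
    cd "$(mktemp -d)"
    cat > device.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn

[ dn ]
C = US
O = oeey
CN = oeey.com

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

# Leaf extensions: not a CA; the SAN covers the apex plus one wildcard level.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = oeey.com
DNS.2 = *.oeey.com
EOF
    # Root CA key and self-signed certificate (CA:TRUE set explicitly via v3_ca).
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -days 1024 -config device.cnf \
        -subj "/C=US/O=oeey/CN=oeey Root CA" -extensions v3_ca -out rootCA.crt
    # Server key and CSR; -reqexts puts the SAN into the request.
    openssl genrsa -out device.key 2048 2>/dev/null
    openssl req -new -key device.key -config device.cnf -reqexts v3_req -out device.csr
    # Sign with the CA. Without -extensions/-extfile the SAN would not be copied.
    openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
        -days 500 -extensions v3_req -extfile device.cnf -out device.crt 2>/dev/null
    # What a server sends: sender's certificate first, then the cert that signed it.
    cat device.crt rootCA.crt > device.chain.pem
    # Prove the leaf chains to the root and carries the SAN.
    openssl verify -CAfile rootCA.crt device.crt
    openssl x509 -in device.crt -noout -text | grep -A1 'Subject Alternative Name'
)

build_and_verify
```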

---

Apache - to configure Apache to set the mime type for the certificates, add: AddType application/x-x509-ca-cert .der .pem .crt

Let's Encrypt Free SSL Certificates
Let's Encrypt - Free SSL/TLS Certificates

Let’s Encrypt is a free, automated, and open Certificate Authority.

https://letsencrypt.org/


keywords
openssl ssl certificate keystore