• Most Common OpenSSL Commands

    April 21, 2011 Author: Admin
    No comment yet
    Email, RSS Follow

    These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

    ### Generate a new private key and Certificate Signing Request ###

    * Create Key

    openssl  genrsa  -des3  -out  www.adminlgos.info.key  2048

    * Create CSR

    openssl req -new -key www.adminlogs.info.key -out www.adminlogs.info.csr

    Or you can execute the above two commands in a single line as follows

    openssl req -out www.adminlogs.csr -new -newkey  rsa:2048  -nodes -keyout  www.adminlogs.key

    While creating CSR , you need to fill the following things

    Country, State (or Province), Locality (or City), Organization, Organizational Unit, and Common Name. Please note:

    1. The Country is a two-digit code — for the United States, it’s ‘US’.
    2. State and Locality are full names, i.e. ‘California’, ‘Los Angeles’.
    3. The Organization Name is your Full Legal Company or Personal Name, as legally registered in your locality.
    4. The Organizational Unit is whichever branch of your company is ordering the certificate such as accounting, marketing, etc.
    5. The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the ssl certificate.

    If you are generating a CSR for a Wildcard Certificate your common name must start with *. (for example: *.adminlogs.info). The wildcard character (*) will be able to assume any name that does not have a “dot” character in it.

    Once your CSR is created, you will be able to simply copy and paste the csr and contact your ssl provider for the CRT.

    *  Generate a self-signed certificate

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout www.adminlogs.key  -out www.adminlogs.crt

    *  Generate a certificate signing request (CSR) for an existing private key

    openssl req -out www.adminlogs.csr -key www.adminlogs.key -new

    *  Generate a certificate signing request based on an existing certificate

    openssl x509 -x509toreq -in www.adminlogs.crt -out www.adminlogs.csr -signkey www.adminlogs.key

    *  Remove a passphrase from a private key

    openssl rsa -in www.adminlogs.pem -out adminlogs.pem

    ###  Verify the key and cert Using OpenSSL command  ###

    If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

    * Verify a Certificate Signing Request (CSR)

    openssl req -text -noout -verify -in www.adminlogs.csr

    * Verify a private key

    openssl rsa -in www.adminlogs.key -check

    * Verify a certificate

    openssl x509 -in www.adminlogs.crt -text -noout

    Also if you are facing any issues with SSL installation, then ensure the MODULUS and PUBLIC EXPONENT fields match for the public and private key.

    openssl x509 -noout -text -in  [path of certificate]

    openssl rsa -noout -text -in   [path of private key]