SSL: OpenSSL Commands            15-APR-11                     Matt Borland

  This contains directions on how to use OpenSSL to manage certificates.

  1) CA Actions: Create a key pair for the CA and a self-signed CA certificate.

    1a) Create a CA private key, encrypted with a DES3 passphrase.

      openssl genrsa -des3 -out cakey.pem 1024

    1b) Create a self-signed certificate for the CA.

      openssl req -new -x509 -days 10000 -key cakey.pem -out ca.crt

  2) Client Actions: Create a key pair and a certificate signing request.

    2a) Generate a 1024-bit RSA private key, encrypted with a DES3 passphrase.

      openssl genrsa -des3 -out mykey.pem 1024

    2b) (opt.) Print the public part of the key.

      openssl rsa -in mykey.pem -pubout

    2c) Make a certificate request (CSR) using the user's key.

      openssl req -new -key mykey.pem -out myreq.csr

  3) CA Actions: Sign the certificate and store a copy of the user's public key.

    3a) Sign the request with the CA key and CA certificate, producing the user's certificate.

      openssl x509 -req -CA ca.crt -CAkey cakey.pem -days 365 -in myreq.csr -CAcreateserial -out mycert.crt

    3b) (alt) Create a self-signed certificate from the request instead.

      openssl x509 -req -signkey mykey.pem -days 365 -in myreq.csr -out selfcert.crt

    3c) (opt) Display the public key carried in the certificate (identical to the public part shown in 2b).

      openssl x509 -in mycert.crt -noout -pubkey

    3d) (opt) Display the certificate contents in human-readable form.

      openssl x509 -text -in mycert.crt -noout

    3e) (opt) Export the certificate together with its private key into PKCS#12 format.

      openssl pkcs12 -export -in mycert.crt -out mycert.p12 -name "My Certificate" -inkey mykey.pem

    3f) Save the CA's copy of the user's public key (extracted from the certificate) to a file.

      openssl x509 -in mycert.crt -noout -pubkey > cacopyofkey.pem

  4) Test Actions: Create a real file and a fake file to sign and verify against.

      echo "This is the real file." > plaintext.txt
      echo "This is a fake file." > fake.txt

  5) Test Actions: Sign a file with the user's private key (prompts for the key's passphrase).

      openssl dgst -sha1 -sign mykey.pem -out digest.sha1 plaintext.txt

  6) Test Actions: Verify the signature with the CA's copy of the public key.

      openssl dgst -sha1 -verify cacopyofkey.pem -signature digest.sha1 plaintext.txt

    [Returns: Verified OK]

      openssl dgst -sha1 -verify cacopyofkey.pem -signature digest.sha1 fake.txt

    [Returns: Verification Failure]
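The following script is an added example, not part of the original note: it runs steps 1 through 6 above end to end, non-interactively, in a scratch directory. It assumes the openssl command is on PATH, uses 2048-bit keys and SHA-256 in place of the note's 1024-bit keys and SHA-1 (both of which are too weak for current use), supplies the constructed passphrase through -passin/-passout so no prompts appear, and adds one check the note omits: openssl verify confirms that the issued certificate actually chains to the CA before its public key is trusted for signature checks.

```shell
#!/bin/sh
# Added example, not from the original note. Assumes: openssl on PATH.
# Key size 2048 and SHA-256 replace the note's 1024/SHA-1.
# The "pass:" passphrase source is for demonstration only; it is visible
# to other users of the machine in the process list, so real deployments
# should use "file:" or an environment variable source instead.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:demo-passphrase"   # constructed passphrase for this example only

# Steps 1a/1b: passphrase-protected CA key and self-signed CA certificate.
make_ca() {
  openssl genrsa -aes256 -passout "$PASS" -out "$WORK/cakey.pem" 2048
  openssl req -new -x509 -days 3650 -key "$WORK/cakey.pem" -passin "$PASS" \
    -subj "/CN=Example Test CA" -out "$WORK/ca.crt"
}

# Steps 2a/2c: user key and certificate signing request.
make_request() {
  openssl genrsa -aes256 -passout "$PASS" -out "$WORK/mykey.pem" 2048
  openssl req -new -key "$WORK/mykey.pem" -passin "$PASS" \
    -subj "/CN=example user" -out "$WORK/myreq.csr"
}

# Steps 3a/3f: the CA signs the request and keeps the public key
# extracted from the certificate it just issued.
sign_request() {
  openssl x509 -req -CA "$WORK/ca.crt" -CAkey "$WORK/cakey.pem" -passin "$PASS" \
    -days 365 -in "$WORK/myreq.csr" -CAcreateserial -out "$WORK/mycert.crt"
  openssl x509 -in "$WORK/mycert.crt" -noout -pubkey > "$WORK/cacopyofkey.pem"
}

# Added check (not in the note): the certificate must chain to the CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/mycert.crt" >/dev/null
}

# Step 5: detached signature over a file with the user's private key.
# $1 = file to sign, $2 = output signature
sign_file() {
  openssl dgst -sha256 -sign "$WORK/mykey.pem" -passin "$PASS" -out "$2" "$1"
}

# Step 6: verify with the CA's copy of the public key.
# $1 = file, $2 = signature. Prints "ok" or "FAIL", returns 0 or 1.
verify_file() {
  if openssl dgst -sha256 -verify "$WORK/cacopyofkey.pem" \
       -signature "$2" "$1" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo FAIL; return 1
  fi
}

# Runs steps 1-6; returns 0 only if the real file verifies and the fake one does not.
run_demo() {
  make_ca && make_request && sign_request && verify_chain || return 1
  echo "This is the real file." > "$WORK/plaintext.txt"
  echo "This is a fake file."   > "$WORK/fake.txt"
  sign_file "$WORK/plaintext.txt" "$WORK/digest.sha256" || return 1
  verify_file "$WORK/plaintext.txt" "$WORK/digest.sha256" || return 1   # expect ok
  if verify_file "$WORK/fake.txt" "$WORK/digest.sha256"; then return 1; fi  # expect FAIL
  return 0
}

run_demo && echo "demo passed; artifacts are in $WORK"
```

Run it as a script, or source it and call the individual functions to inspect each stage (for example, openssl x509 -text -in "$WORK/mycert.crt" -noout after sign_request, as in step 3d). The verify_chain step is the one a defender should never skip: a public key pulled out of a certificate is only as trustworthy as the chain that certificate validates against.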