OpenSSL Commands - Cheatsheet

OpenSSL is an open source tool to create, manage, and modify SSL/TLS certificates. Its usage goes beyond just managing keys and includes a wide range of functionality, such as checking sites.

Some useful commands every administrator should know:

Generating Certificates

Creating a Private Key

Use the following command to create a private key:

openssl genpkey -algorithm RSA -out new_private.key -pkeyopt rsa_keygen_bits:2048

Generate a CSR with the newly created private key

To generate a CSR with the new private key:

openssl req -new -key new_private.key -out new_request.csr

You will be prompted to enter the details.


Skipping Prompted Details

If you want to skip this part, create a file and use the command below.

File content (csr_config.conf):

[ req ]
default_bits        = 2048
prompt              = no
default_md          = sha256
distinguished_name  = dn

[ dn ]
C                   = <Country Name>           
ST                  = <State or Province Name> 
L                   = <Locality Name>  
O                   = <Organization Name> 
OU                  = <Organizational Unit>
CN                  = <Common Name>
emailAddress        = <Email Address>

Command to generate the CSR using the above file:

openssl req -new -key new_private.key -out new_request.csr -config csr_config.conf


Verifying Keys and CSRs

To verify that the private key and the CSR match, compare the hashes of their moduli; the two outputs must be identical:

openssl rsa -noout -modulus -in new_private.key | openssl md5
openssl req -noout -modulus -in new_request.csr | openssl md5



Signing the CSR

Once the CSR is ready, you can send it to your certificate authority and get the cer/crt file back. (You can also self-sign it for testing purposes, or if your organization uses self-signed certificates; follow your organization's procedure.)

To self-sign, I created a ca.key and ca.crt, then signed my CSR using the new CA key.

openssl x509 -req -in new_request.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mycert.crt -days 365

Verifying the Certificate

To verify that the certificate matches the key, compare the modulus hashes again:

openssl rsa -noout -modulus -in new_private.key | openssl md5
openssl x509 -noout -modulus -in mycert.crt | openssl md5
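
The whole flow above as one script, as an added example that is not part of the original cheatsheet. It goes beyond the modulus check by comparing the full public key, so the same test also works for non-RSA keys. The helper names (pubkey_pem, same_pubkey, build_demo), other.key, the throwaway CA and the subject values are assumptions made for the demo.

```sh
#!/bin/sh
# Added example. File names follow the page; the throwaway CA, other.key and
# the subject values are constructed for this demo.

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_pem() { # usage: pubkey_pem key|req|x509 FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# 0 = same public key, 1 = different, 2 = a file could not be parsed.
same_pubkey() { # usage: same_pubkey TYPE1 FILE1 TYPE2 FILE2
    a=$(pubkey_pem "$1" "$2") && b=$(pubkey_pem "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run the page's key -> CSR -> signed certificate flow inside DIR (subshell).
build_demo() ( # usage: build_demo DIR
    cd "$1" || exit 1
    exec 2>/dev/null   # hide key-generation progress output
    # Throwaway self-signed CA (the page uses one but does not show this step).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Constructed Test CA" -days 30 || exit 1
    openssl genpkey -algorithm RSA -out new_private.key \
        -pkeyopt rsa_keygen_bits:2048 || exit 1
    # Unrelated EC key: has no RSA modulus, used for the mismatch case.
    openssl genpkey -algorithm EC -out other.key \
        -pkeyopt ec_paramgen_curve:P-256 || exit 1
    printf '%s\n' '[ req ]' 'prompt = no' 'default_md = sha256' \
        'distinguished_name = dn' '[ dn ]' 'O = Example Org' \
        'CN = test.example.com' > csr_config.conf
    openssl req -new -key new_private.key -out new_request.csr \
        -config csr_config.conf || exit 1
    openssl x509 -req -in new_request.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out mycert.crt -days 365
)

d=$(mktemp -d) && build_demo "$d" &&
    same_pubkey key "$d/new_private.key" req "$d/new_request.csr" &&
    same_pubkey key "$d/new_private.key" x509 "$d/mycert.crt" &&
    echo "key, CSR and certificate carry the same public key"
```

same_pubkey returns 2 rather than 0 when a file is missing or unparsable, which avoids the false match that comparing two hashes of empty output would give.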


This is not a comprehensive list, but it will be regularly updated with other important OpenSSL commands to make your life easier.
