Generate self-signed certs with different key types
*** RSA
# Generate self-signed certificate with RSA 4096 key-pair
# -nodes: leave the private key unencrypted (OpenSSL 3 spells this -noenc; -nodes still works)
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout rsakey.pem -out rsacert.pem
# print private and public key
openssl rsa -in rsakey.pem -text -noout
# print certificate
openssl x509 -in rsacert.pem -text -noout
# generate PKCS#12 container (key + certificate in one file)
openssl pkcs12 -export -inkey rsakey.pem -in rsacert.pem -out rsacred.p12
*** ECDSA
# Generate self-signed certificate with ECDSA using two common curves
# (both commands write the same output files, so run one or the other;
#  the <(...) process substitution needs bash, not plain sh)
openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout ecdsakey.pem -out ecdsacert.pem
openssl req -x509 -nodes -days 3650 -newkey ec:<(openssl ecparam -name secp384r1) -keyout ecdsakey.pem -out ecdsacert.pem
# print private and public key + curve name
openssl ec -in ecdsakey.pem -text -noout
# print certificate
openssl x509 -in ecdsacert.pem -text -noout
# generate container
openssl pkcs12 -export -inkey ecdsakey.pem -in ecdsacert.pem -out ecdsacred.p12
Which curve to choose?
http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use

"Interoperability" means that you would probably prefer it if SSL clients can actually connect to your server; otherwise, having a SSL server would be rather pointless. This simplifies the question a lot: in practice, average clients only support two curves, the ones which are designated in so-called NSA Suite B: these are NIST curves P-256 and P-384 (in OpenSSL, they are designated as, respectively, "prime256v1" and "secp384r1"). If you use any other curve, then some widespread Web browsers (e.g. Internet Explorer, Firefox...) will be unable to talk to your server.
*** DSA
# generate both key and DSA parameters (both will be stored in dsakey.pem)
# note: 1024-bit DSA is below the 2048-bit minimum current guidance expects, and
# DSA certificates cannot be used with TLS 1.3 at all; shown here for completeness
openssl dsaparam -genkey 1024 -out dsakey.pem
openssl req -x509 -new -days 3650 -key dsakey.pem -out dsacert.pem
# print private and public key with DSA params
openssl dsa -in dsakey.pem -text -noout
# print certificate
openssl x509 -in dsacert.pem -text -noout
# print only DSA params from key file
openssl dsaparam -in dsakey.pem -text -noout
# generate container
openssl pkcs12 -export -inkey dsakey.pem -in dsacert.pem -out dsacred.p12
*** Test TLS connection
# key.pem / cert.pem stand for whichever key/cert pair from above you want to test;
# -CAfile pins the self-signed cert as the only trust anchor, so the client output
# should end with "Verify return code: 0 (ok)"
openssl s_server -accept 1443 -www -key key.pem -cert cert.pem
openssl s_client -showcerts -connect localhost:1443 -CAfile cert.pem