Skip to content

Instantly share code, notes, and snippets.

@dwallraff
Last active September 26, 2019 17:27
Show Gist options
  • Save dwallraff/60cd13d68c7de76335a3 to your computer and use it in GitHub Desktop.
Save dwallraff/60cd13d68c7de76335a3 to your computer and use it in GitHub Desktop.
Commands to create a self-signed SSL cert or CSRs using the openssl conf from https://gist.github.com/dwallraff/c1ed31291ac7cf19304b
##### Commands to generate SSL certs/artifcts
# Download the temp.cnf file using the wget command below
# Edit temp.cnf and add your information
# Run the uncommented out commands to generate a self-signed cert (cert.pem) and private key (keyfile.pem)
wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/e06feacbb85ac63659e6c1c40c70d5481522b390/temp.cnf
# Generate a new keyfile. A 2048 bit key size is TOTALLY fine. Jack it up to 4096 and wait if you must...
openssl genrsa -out keyfile.key 2048
## Or use elliptic curve instead of RSA. We're just using this to sign certs, so P-256 is just fine.
# openssl ecparam -genkey -out keyfile.key -name prime256v1
## Generate a cert. Expires in 30 days. Get a real cert. Or change the number of days.
openssl req -x509 -new -key keyfile.key -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
#########################
##### Verify stuffs
## Verify a CSR
# openssl req -text -noout -verify -in csr.csr
## Verify a cert
# openssl x509 -text -noout -in cert.pem
## Verify a key
# openssl rsa -check -in server.key -noout
## Verify a live cert
# openssl s_client -connect <domain>:443
## Verify your keyfile matches your cert. MD5 sums should match.
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
## 'Proper' key/cert verification
# diff <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)
#
# Or use the 'pkey' sub-module in newer versions of OpenSSL that supports all key types for non-RSA keys
# diff <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -pubout -in private-key.pem -outform PEM 2>/dev/null | tail -n +1))
#########################
##### Commands involving a CSR
## Generate a new key (2048 rsa) and a CSR - REQUIRES USER INPUT
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key
## Generate a new key and a CSR using temp.cnf to allow for SANs in the CSR.
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key -config temp.cnf
## Generate a cert from a CSR. Expires in 30 days. Get a real cert. Or change the number of days.
# openssl req -x509 -new -key keyfile.key -in csr.csr -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment