Last active: September 26, 2019 17:27
Commands to create a self-signed SSL cert or CSRs using the openssl conf from https://gist.github.com/dwallraff/c1ed31291ac7cf19304b
##### Commands to generate SSL certs/artifacts
# Download the temp.cnf file using the wget command below
# Edit temp.cnf and add your information
# Run the uncommented commands to generate a self-signed cert (cert.pem) and private key (keyfile.key)
wget https://gist.githubusercontent.com/dwallraff/c1ed31291ac7cf19304b/raw/e06feacbb85ac63659e6c1c40c70d5481522b390/temp.cnf
# Generate a new keyfile. A 2048 bit key size is TOTALLY fine. Jack it up to 4096 and wait if you must...
openssl genrsa -out keyfile.key 2048
## Or use elliptic curve instead of RSA. We're just using this to sign certs, so P-256 is just fine.
# openssl ecparam -genkey -out keyfile.key -name prime256v1
## Generate a cert. Expires in 30 days. Get a real cert. Or change the number of days.
openssl req -x509 -new -key keyfile.key -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
#########################
##### Verify stuffs
## Verify a CSR
# openssl req -text -noout -verify -in csr.csr
## Verify a cert
# openssl x509 -text -noout -in cert.pem
## Verify a key
# openssl rsa -check -in server.key -noout
## Verify a live cert
# openssl s_client -connect <domain>:443
## Verify your keyfile matches your cert. MD5 sums should match.
# openssl x509 -noout -modulus -in server.crt | openssl md5
# openssl rsa -noout -modulus -in server.key | openssl md5
## 'Proper' key/cert verification
# diff <(openssl x509 -in ssl.crt -pubkey -noout) <(openssl rsa -in ssl.key -pubout)
#
# Or use the 'pkey' sub-command in newer versions of OpenSSL, which supports all key types, not just RSA
# diff <(openssl x509 -pubkey -in certificate.pem -noout) <(openssl pkey -pubout -in private-key.pem -outform PEM 2>/dev/null)
#########################
##### Commands involving a CSR
## Generate a new key (2048 rsa) and a CSR - REQUIRES USER INPUT
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key
## Generate a new key and a CSR using temp.cnf to allow for SANs in the CSR.
# openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout keyfile.key -config temp.cnf
## Generate a cert from a CSR. Expires in 30 days. Get a real cert. Or change the number of days.
## (no -new here: with -new, req builds a fresh request and silently ignores -in csr.csr)
# openssl req -x509 -in csr.csr -key keyfile.key -out cert.pem -extensions server_req_extensions -config temp.cnf -days 30
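The script below is an added example, not part of the gist and not the author's temp.cnf. It strings the commands above together into something you can run end to end: it writes a constructed stand-in config (assuming, as the gist's -extensions flag implies, a section named server_req_extensions that carries the subjectAltName), generates a P-256 key and a 30-day self-signed cert, and then checks that the key really belongs to the cert using the 'pkey' public-key comparison rather than the RSA-only modulus MD5 trick. It also shows the check failing for an unrelated key, which is the case the MD5 shortcut is there to catch.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): generate a key plus self-signed cert with SANs,
# then verify the key/cert pairing the way the gist's 'proper' check does.
set -e

# Constructed config standing in for the gist's temp.cnf (assumption: the real
# file defines server_req_extensions with a subjectAltName line, as implied by
# the -extensions flag used in the gist).
write_config() {
  local cnf="$1" cn="$2" san="$3"
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN = $cn

[ server_req_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
}

# Generate a P-256 private key and a self-signed cert valid for $days days.
# -noout on ecparam keeps the EC PARAMETERS block out of the key file so only
# the private key is written.
gen_selfsigned() {
  local dir="$1" cn="$2" san="$3" days="${4:-30}"
  write_config "$dir/temp.cnf" "$cn" "$san"
  openssl ecparam -genkey -noout -name prime256v1 -out "$dir/keyfile.key"
  openssl req -x509 -new -key "$dir/keyfile.key" -out "$dir/cert.pem" \
    -extensions server_req_extensions -config "$dir/temp.cnf" -days "$days" 2>/dev/null
}

# Return 0 when the public key inside the cert equals the public key derived
# from the private key, 1 otherwise. 'pkey' handles RSA, EC and EdDSA keys alike,
# so this replaces the RSA-only modulus comparison.
key_matches_cert() {
  local key="$1" cert="$2" k c
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$cert" -pubkey -noout) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the Subject Alternative Name line of a cert (empty if none).
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone run: build a throwaway pair in a temp dir and show both checks.
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir" demo.example "DNS:demo.example,DNS:www.demo.example"
if key_matches_cert "$demo_dir/keyfile.key" "$demo_dir/cert.pem"; then
  echo "keyfile.key matches cert.pem; SANs: $(cert_sans "$demo_dir/cert.pem")"
fi
rm -rf "$demo_dir"
```

When the two public keys differ, `key_matches_cert` returns non-zero without printing anything, which makes it usable as a gate in a deploy script; the `-days 30` default mirrors the gist's throwaway-cert stance, so pass a larger value only if you really mean it.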