ca.pem
- the root CA certificate
ca-key.pem
- the CA private key
csr.pem
- certificate signing request
cert.pem
- client certificate
pkey.pem
- client private key
C - Country Name (2 letter code)
ST - State or Province Name (full name)
L - Locality Name (eg, city)
O - Organization Name (eg, company)
OU - Organizational Unit Name (eg, section)
CN - Common Name (eg, fully qualified host name)
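$ # Self-signed certificate: generate a passphrase-protected 4096-bit RSA key,
$ # create a CSR from it, then sign the CSR with that same key (-signkey).
$ # -aes256 replaces the legacy 3DES cipher (-des3) for encrypting the key file.
$ openssl genrsa -aes256 -out key.pem 4096
$ openssl req -new -key key.pem -out csr.pem
$ # -sha256 pins the signature digest instead of relying on the installed OpenSSL's default.
$ openssl x509 -req -in csr.pem -signkey key.pem -sha256 -days 365 -out cert.pem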
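$ # Root CA: generate the CA private key, then a self-signed CA certificate from it.
$ # genrsa takes the key size as a bare trailing argument (-pkeyopt belongs to genpkey).
$ # The key is written to ca-key.pem, the name the CA signing step passes to -CAkey.
$ openssl genrsa -aes256 -out ca-key.pem 4096
$ openssl req -new -x509 -key ca-key.pem -sha256 -days 365 -out ca.pem
$ # Whoever holds ca-key.pem can issue certificates that everything trusting ca.pem accepts:
$ # keep it passphrase-protected and readable by its owner only.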
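$ # Client certificate: the client generates its key and CSR, the CA signs the CSR.
$ # -aes256 replaces the legacy 3DES cipher (-des3) for encrypting the key file.
$ openssl genrsa -aes256 -out pkey.pem 4096
$ openssl req -new -key pkey.pem -out csr.pem
$ # -CAcreateserial creates the CA serial-number file if it does not exist yet;
$ # -sha256 pins the signature digest instead of relying on the installed OpenSSL's default.
$ openssl x509 -req -in csr.pem -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -sha256 -days 365 -out cert.pem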
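$ # Bundle the client key and certificate into one PKCS#12 file.
$ # -inkey must name the client key generated earlier (pkey.pem, not pkey.key).
$ # The export password requested here is what protects the private key inside cert.p12.
$ openssl pkcs12 -export -clcerts -inkey pkey.pem \
-in cert.pem -out cert.p12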
$ # Chain check: ca.pem is the trust anchor; intermediate.pem is offered only for chain building
$ openssl verify -untrusted intermediate.pem -CAfile ca.pem cert.pem
$ # Direct check: cert.pem against the CA certificate in ca.pem
$ openssl verify -CAfile ca.pem cert.pem
$ # No -CAfile given: cert.pem is checked against OpenSSL's default trust store
$ openssl verify cert.pem
$ # Print the issuer DN (the CA that signed the certificate)
$ openssl x509 -noout -issuer -in cert.pem
$ # Print the subject DN (the identity the certificate was issued to)
$ openssl x509 -noout -subject -in cert.pem