rootca-openssl
Tuesday 1 April 2025

THE classic: openssl

Widely used. Has 'thousands' of options. -> Complicated and hard to keep track of!

Generate CA

  1. Generate an RSA key (AES-256-encrypted; openssl prompts for the passphrase)
     openssl genrsa -aes256 -out ca-key.pem 4096
  2. Generate the public, self-signed CA certificate (openssl prompts for the subject)
     openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -out ca.pem

View Certificate’s content

openssl x509 -in ca.pem -text
openssl x509 -in ca.pem -purpose -noout -text

Generate Certificate

  1. Create an RSA key
     openssl genrsa -out cert-key.pem 4096
  2. Create a Certificate Signing Request (CSR): specify the identity as the subject / common name.
     openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
  3. Create an extfile with all the SANs (subject alternative names). The first line uses ">" so that
     re-running the steps does not leave a duplicate subjectAltName line behind (openssl rejects that).
     192.0.2.1 is a placeholder from the documentation IP range; replace DNS name and IP with your own.
     echo "subjectAltName=DNS:your-dns.record,IP:192.0.2.1" > extfile.cnf
     # optional: restrict the certificate to TLS server use
     echo "extendedKeyUsage = serverAuth" >> extfile.cnf
  4. Let the CA create the signed certificate
     openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
       -out cert.pem -extfile extfile.cnf -CAcreateserial

Convert Certificates

COMMAND                                                  CONVERSION
openssl x509 -outform der -in cert.pem -out cert.der     PEM to DER
openssl x509 -inform der -in cert.der -out cert.pem      DER to PEM
openssl pkcs12 -in cert.pfx -out cert.pem -nodes         PFX to PEM (-nodes: write the key unencrypted)

Verify Certificates

openssl verify -CAfile ca.pem -verbose cert.pem
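The whole CA + certificate procedure above, run unattended end to end, as an added example (not part of the original notes): the passphrase comes from an environment variable instead of a prompt, the extfile explicitly marks the leaf as CA:FALSE so it cannot sign further certificates, and the final verify also checks the hostname binding. The subject names, the passphrase value and 192.0.2.1 are made-up placeholders; it assumes `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes `openssl` (1.1.1+/3.x) on PATH.
# CA_PASS, the subjects and 192.0.2.1 are placeholder values.
set -eu

make_ca_and_cert() {
  dir=$(mktemp -d) && cd "$dir"
  CA_PASS=change-me-ca-passphrase; export CA_PASS   # placeholder, never reuse in production

  # 1. CA key, AES-256-encrypted; passphrase read from the environment (no prompt).
  openssl genrsa -aes256 -passout env:CA_PASS -out ca-key.pem 4096 2>/dev/null
  # 2. Self-signed CA cert; the default openssl.cnf v3_ca section sets basicConstraints CA:TRUE.
  openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -passin env:CA_PASS \
    -subj "/CN=Example Root CA" -out ca.pem
  openssl x509 -in ca.pem -noout -ext basicConstraints | grep -q "CA:TRUE"

  # 3. Leaf key and CSR.
  openssl genrsa -out cert-key.pem 4096 2>/dev/null
  openssl req -new -sha256 -subj "/CN=www.example.test" -key cert-key.pem -out cert.csr

  # 4. Extensions: SANs plus an explicit CA:FALSE so the leaf is not itself a CA.
  cat > extfile.cnf <<'EOF'
subjectAltName=DNS:www.example.test,IP:192.0.2.1
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

  # 5. CA signs the CSR.
  openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
    -passin env:CA_PASS -out cert.pem -extfile extfile.cnf -CAcreateserial 2>/dev/null

  # 6. Checks: chain validity AND hostname binding, SAN present, leaf not a CA.
  openssl verify -CAfile ca.pem -verify_hostname www.example.test cert.pem
  openssl x509 -in cert.pem -noout -ext subjectAltName | grep -q "DNS:www.example.test"
  openssl x509 -in cert.pem -noout -ext basicConstraints | grep -q "CA:FALSE"
}

make_ca_and_cert
```

A wrong hostname in `-verify_hostname` makes the last verify fail, which is the check that a plain `openssl verify` (as above) does not perform.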