End-user Functions

Create Certificate Request/Unsigned Key

• blah.key.pem will act as an SSLCertificateKeyFile for Apache

Fingerprint for Unsigned Certificate

Generate Key

Display Certificate Information

Creating a PEM File for Servers

Creating PKCS12-format File

Signing E-mails

Certificate Authority Functions

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change defaultdays, certificate and privatekey, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

Create CA Certificate

Export CA Certificate in DER Format

• Used by web browsers

Revoke Certificate

openssl ca -revoke blah.crt.pem

Generate Certificate Revokation List

Sign Certificate Request

• blah.crt.pem acts as !SSLCertificateFile for Apaache

Create Diffie-Hoffman Parameters for Current CA

openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536

Creating Self-Signed Certificate from Generated Key

openssl req -new -x509 -key blah.key.pem -out blah.crt.pem

• Use only when you’ve no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

Command-line Tricks

Simple file encryption

(password will be prompted)

Simple file decryption