quick shot RSA w/o being prompted for any value
cd /etc/ssl/
#cd /etc/openssl/
openssl req -x509 -newkey rsa:2048 -nodes \
-subj /CN=*.lab.nethence.com \
-keyout /etc/ssl/self.key \
-out /etc/ssl/self.crt
# -days 9999
# -sha256
chmod 400 /etc/ssl/*.key
chmod 444 /etc/ssl/*.crt
instead of tweaking openssl.cnf you may also define more from the command line
-subj "/C=RU/L=Innopolis/O=Innopolis University/OU=SNE/CN=*.example.local/emailAddress=YOUR-EMAIL"
ECDSA with a 256-bit curve
openssl ecparam -name prime256v1 > dhparms.pem
openssl req -x509 -days 9999 -nodes \
-newkey ec:dhparms.pem \
-keyout prime256v1.key \
-out prime256v1.crt
# -newkey ec:<(openssl ecparam -name prime256v1)
ECDSA with a 384-bit curve
openssl ecparam -name secp384r1 > dhparms.pem
openssl req -x509 -days 9999 -nodes \
-newkey ec:dhparms.pem \
-keyout secp384r1.key \
-out secp384r1.crt
Note - you can also use stdout instead of -out and stdin instead of -in
Note - -nodes to avoid encrypting the private key hence no passphrase
eventually harden the perms
chmod 444 prime256v1.crt chmod 400 prime256v1.key
and review the newly created dummy certificate
ls -lF *.crt *.key openssl x509 -in self.crt -text -noout -fingerprint openssl x509 -in self.crt -text -noout | less
the important keyword here is -new and w/o -x509
domain=example.net
one shot
openssl req -new -newkey rsa:2048 -nodes \
-keyout $domain.key \
-out $domain.csr
–vs– privkey then csr
openssl genrsa -out $domain.key 2048
openssl req -new -nodes \
-key $domain.key \
-out $domain.csr
openssl ecparam -list_curves | grep secp384r1 openssl ecparam -name secp384r1 -genkey -noout -out client-or-domain.key chmod 400 client-or-domain.key openssl req -new -sha256 -key client-or-domain.key -out client-or-domain.csr chmod 444 client-or-domain.csr
and check
ls -lF *.csr openssl req -noout -text -verify < client-or-domain.csr
in case you need a container for your keys
openssl pkcs12 -export -inkey self.key -in self.crt -out self.p12 openssl pkcs12 -export -inkey prime256v1.key -in prime256v1.crt -out prime256v1.p12 openssl pkcs12 -export -inkey secp384r1.key -in secp384r1.crt -out secp384r1.p12
You already have a pair on Ubuntu
ls -lF /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
but in case you need to re-generate those
make-ssl-cert generate-default-snakeoil --force-overwrite #openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \ # -keyout /etc/ssl/private/ssl-cert-snakeoil.key \ # -out /etc/ssl/certs/ssl-cert-snakeoil.pem
On NetBSD you need to fix the config first
cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/ cp -i /usr/share/examples/openssl/openssl.cnf /etc/openssl/openssl.cnf.dist vi /etc/openssl/openssl.cnf #default_md = sha2
Once you sent your CSR to your SSL provider, it will respond you with the PEM certificate, possibly as .crt. You will also need their root CA and intermediate certificates – if those aren’t delivered, you might find it on their website. Eventually concatenate those two
cd /etc/httpd/ssl/ cat intermediatecert rootcert > issuer-concat-cert.crt chmod 400 issuer-concat-cert.crt
see https://lab.nethence.com/ca-bundles/
see sslhappy-tools
How To Create an SSL Certificate on Nginx for Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04
OpenSSL tips and tricks https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art030
What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
Command Line Utilities https://wiki.openssl.org/index.php/Command_Line_Utilities
A note about SSL/TLS trusted certificate stores, and platforms (OpenSSL and GnuTLS) https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
mk-ca-bundle the man page https://curl.haxx.se/docs/mk-ca-bundle.html
How do I re-issue OpenSSL snakeoil cert? https://askubuntu.com/questions/446228/how-do-i-re-issue-openssl-snakeoil-cert
How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04 https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
Creating a Self-Signed SSL Certificate on Ubuntu https://ubuverse.com/creating-a-self-signed-ssl-certificate-on-ubuntu/
Self-Signed_Certificate https://wiki.debian.org/Self-Signed_Certificate
How can I use OpenSSL with an external source of randomness? https://security.stackexchange.com/questions/143051/how-can-i-use-openssl-with-an-external-source-of-randomness
Good entropy source for generating openssl keys https://crypto.stackexchange.com/questions/12571/good-entropy-source-for-generating-openssl-keys
Random Numbers https://wiki.openssl.org/index.php/Random_Numbers
How to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux https://www.cyberciti.biz/open-source/debian-ubuntu-centos-linux-setup-additional-entropy-for-server-using-aveged-rng-tools-utils/
Using engines for random number generation https://stackoverflow.com/questions/29150585/using-engines-for-random-number-generation
Is it possible to generate RSA key without pass phrase? https://serverfault.com/questions/366372/is-it-possible-to-generate-rsa-key-without-pass-phrase
Why openssl insist on requiring a passphrase on genrsa command? https://superuser.com/questions/407908/why-openssl-insist-on-requiring-a-passphrase-on-genrsa-command
Creating a .pem File for SSL Certificate Installations https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Does .pem file contains both private and public keys? https://stackoverflow.com/questions/7539625/does-pem-file-contains-both-private-and-public-keys
How to combine various certificates into single .pem https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem ==> leaf comes first
req: Unrecognized flag sha2
How to make OpenSSL with SHA256 instead of sha1? https://stackoverflow.com/questions/42857286/how-to-make-openssl-with-sha256-instead-of-sha1
Generating an SHA256 SSL CSR on CentOS/RHEL using genkey https://serverfault.com/questions/630692/generating-an-sha256-ssl-csr-on-centos-rhel-using-genkey
https://en.wikipedia.org/wiki/PKCS_12
https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
https://gist.github.com/tsaarni/14f31312315b46f06e0f1ecc37146bf3
Create a self-signed ECC certificate https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/
Generate self-signed certificate and key in one line https://major.io/2007/08/02/generate-self-signed-certificate-and-key-in-one-line/
Generate Self-Signed SSL Certificate without prompt https://gist.github.com/thbkrkr/aa16435cb6c183e55a33
Frequently used OpenSSL Commands https://www.xolphin.com/support/OpenSSL/Frequently_used_OpenSSL_Commands
Create an OpenSSL self-signed SAN cert in a single command https://medium.com/@groksrc/create-an-openssl-self-signed-san-cert-in-a-single-command-627fd771f25
https://somoit.net/security/security-create-self-signed-san-certificate-openssl
2 Testing TLS with OpenSSL https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
How to Verify A Connection is Secure Using OpenSSL https://www.liquidweb.com/kb/how-to-verify-a-connection-is-secure-using-openssl/ ==> crlf
Root Certificates https://letsencrypt.org/certificates/
Certificate Compatibility https://letsencrypt.org/docs/certificate-compatibility/
Standing on Our Own Two Feet [Updated] https://letsencrypt.org/2020/11/06/own-two-feet.html
Valid-isrgrootx1 testing site working on devices it shouldn’t? https://community.letsencrypt.org/t/valid-isrgrootx1-testing-site-working-on-devices-it-shouldnt/94738
Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
RHEL/CentOS 7 Fix for Let’s Encrypt Change https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
Centos7 don’t trust certificate issued by lets encrypt https://serverfault.com/questions/791205/centos7-dont-trust-certificate-issued-by-lets-encrypt
Let’s Encrypt Transitioning to ISRG’s Root https://blog.hqcodeshop.fi/archives/436-Lets-Encrypt-Transitioning-to-ISRGs-Root.html