Openssl Operations: Difference between revisions
| Line 36: | Line 36: | ||
The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-csr.pem</tt> and a new private key will be written, also in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-pk.pem</tt>. | The new CSR will be generated in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-csr.pem</tt> and a new private key will be written, also in [[Public_Key_Security#PEM|PEM]] format as <tt>./test-pk.pem</tt>. | ||
==Inspect a Certificate Signing Request (CSR)== | |||
openssl req -in ./test-csr.pem -noout -text | |||
=Obtain a Server Certificate= | =Obtain a Server Certificate= | ||
Revision as of 04:36, 8 April 2018
External
Internal
Generate a Public/Private Key Pair
Generate the Private Key
This is the procedure to generate a public/private key pair. The keys can be further used to generate digitally signed certificates, or even to configure ssh, though ssh has its own procedure to generate key pairs, which produces equivalent keys in the same PEM format.
openssl genrsa|gendsa -out <keyfile-name>.pem <key-lenght>
openssl genrsa -out test-pk.pem 2048
The command generates a RSA/DSA key of specified length in PEM format.
Generate the Matching Public Key
Generate a Self-Signed Certificate
Create a Certificate Signing Request (CSR)
This procedure generates a Certificate Signing Request (CSR) that should be sent to the certificate authority for signature. The CSR command (openssl req) may use an existing private key, previously generated with openssl genrsa, or it can create a new private key.
To use the existing private key:
openssl req -key ./test-pk.pem -out ./test-csr.pem -new
The new CSR will be generated in PEM format as ./test-csr.pem.
To create a new private key at the time of creation of the certificate signing request, use the following command. Note that the command will ask interactively for a private key password. The password can be provided in-line with the -passin option.
openssl req -keyout ./test-pk.pem -out ./test-csr.pem -new
The new CSR will be generated in PEM format as ./test-csr.pem and a new private key will be written, also in PEM format as ./test-pk.pem.
Inspect a Certificate Signing Request (CSR)
openssl req -in ./test-csr.pem -noout -text
Obtain a Server Certificate
openssl s_client -connect nexus-cicd.apps.openshift.novaordis.io:443
The response includes the server's certificate:
[...] Certificate chain 0 s:/CN=*.apps.openshift.novaordis.io [...] --- Server certificate -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIBEjANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu [...] 65vqsz8NTtde1vJ5qW31Af0pO9YehiSRfA== -----END CERTIFICATE----- subject=/CN=*.apps.openshift.novaordis.io [...]