I like to secure the web interfaces of any network device I use with a valid SSL certificate. In an enterprise environment with its own CA, there is really no excuse for not doing this. It costs nothing, significantly improves security and also helps to curb the bad habit of ignoring SSL error messages from web browsers.
OpenSSL is one of my weapons of choice when creating certificate requests and is great for manipulating the various formats that certificates can be found in.
This post is a little cheat sheet of common operations that I perform using OpenSSL.
Create a 4096-bit key file that is encrypted using AES-128 with a password
openssl genrsa -aes128 -out NameOfMyEncryptedKeyFile.key 4096
Create a 4096-bit key file that is not password protected (the key size must be given explicitly, otherwise genrsa falls back to its default)
openssl genrsa -out NameOfMyUnencryptedKeyFile.key 4096
An example of a configuration file used to create a CSR (Certificate Signing Request) for a web server or web interface
The Chrome browser has recently started throwing up certificate warnings if a Subject Alternative Name (SAN) does not exist with a DNS value matching the Common Name (CN). Apparently this has always been part of the specification but hasn’t been enforced.
Until now. Yay Google.
Any CSRs you create should include at least one DNS entry in the [alt_names] section that matches the CN.
Create a CSR using a configuration file and a key file
openssl req -sha256 -key NameOfMyEncryptedKeyFile.key -new -out NameOfMyCertificateRequest.csr -config NameOfMyConfigurationFile.cnf
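The configuration file and CSR steps above, carried through end to end as an added example (this is my own script for this post, not taken from the OpenSSL project): it writes a req config whose [alt_names] section always carries the CN as DNS.1, generates a key and CSR, and then parses the CSR back to confirm that a DNS SAN really matches the CN before the request goes to the CA. The hostname web01.example.local, the organisation fields and the file names are constructed placeholders; the key is left unencrypted so the script runs non-interactively, where the post's own workflow uses an aes128-encrypted key.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a CSR config with a
# matching SAN, creates the CSR and checks it. Hostnames, DN fields and
# file names are constructed placeholders.

# write_csr_config CN OUTFILE [EXTRA_DNS...]
# Writes an OpenSSL req config. DNS.1 is always the CN; any further
# arguments become DNS.2, DNS.3, ... in [alt_names].
write_csr_config() {
    cn=$1; out=$2; shift 2
    {
        cat <<EOF
[ req ]
default_bits       = 4096
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
C  = US
ST = Some-State
L  = Some-City
O  = Example Org
OU = IT
CN = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
        i=2
        for extra in "$@"; do
            echo "DNS.$i = $extra"
            i=$((i + 1))
        done
    } > "$out"
}

# csr_cn CSRFILE: print the CN from the request subject
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_san_dns CSRFILE: print one DNS SAN per line (nothing if no SAN)
csr_san_dns() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_san_matches_cn CSRFILE: exit 0 only if some DNS SAN equals the CN,
# i.e. the request will not trip the browser warning described above
csr_san_matches_cn() {
    cn=$(csr_cn "$1")
    [ -n "$cn" ] && csr_san_dns "$1" | grep -qxF "$cn"
}

# demo DIR: key + CSR for the constructed hostname, then the SAN check
demo() {
    dir=$1
    mkdir -p "$dir"
    write_csr_config web01.example.local "$dir/web01.cnf" web01
    openssl genrsa -out "$dir/web01.key" 4096 2>/dev/null
    openssl req -sha256 -new -key "$dir/web01.key" \
        -config "$dir/web01.cnf" -out "$dir/web01.csr"
    if csr_san_matches_cn "$dir/web01.csr"; then
        echo "OK: SAN covers CN $(csr_cn "$dir/web01.csr")"
    else
        echo "WARNING: no DNS SAN in $dir/web01.csr matches its CN" >&2
        return 1
    fi
}

command -v openssl >/dev/null 2>&1 && demo "${TMPDIR:-/tmp}/csr-demo.$$"
```

The check in csr_san_matches_cn is the useful part to keep around: run it against any CSR before submitting it, and against a CSR produced with only -subj and no config it fails, which is exactly the case that now draws the Chrome warning.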
Combine a PEM-formatted certificate and a key file into a PKCS#12 (PFX) file for importing into Windows
openssl pkcs12 -inkey NameOfMyEncryptedKeyFile.key -in NameOfMyPEMCertificate.cer -export -out NameOfMyPFXFile.pfx