OpenSSL Cheat Sheet

I like to secure the web interfaces of any network device I use with a valid SSL certificate. In an enterprise environment with its own CA, there is really no excuse for not doing this. It costs nothing, significantly improves security and also helps to curb the bad habit of ignoring SSL error messages from web browsers.

OpenSSL is one of my weapons of choice when creating certificate requests and is great for manipulating the various formats that certificates can be found in.

This post is a little cheat sheet of common operations that I perform using OpenSSL.

Create a 4096 bit key file that is encrypted using aes128 with a password

openssl genrsa -aes128 -out NameOfMyEncryptedKeyFile.key 4096

Create a 4096 bit key file that is not password protected

openssl genrsa -out NameOfMyUnencryptedKeyFile.key

An example of a configuration file used to create a CSR (Certificate Signing Request) for a web server or web interface

The Chrome browser has recently started throwing up certificate warnings if a Subject Alternate Name does not exist with a DNS value matching the Common Name (CN). Apparently this has always been part of the specification but hasn’t been enforced.

Until now. Yay Google.

Any CSR’s you create should include at least 1 DNS entry in the [alt_names] section that matches the CN.

Create a CSR using a configuration file and a key file

openssl req -sha256 -key NameOfMyEncryptedKeyFile.key -new -out NameOfMyCertificateRequest.csr -config NameOfMyConfigurationFile.cnf

Combine a PEM formatted certificate and a key file into a PKCS12 (PFX) file for importing into Windows

openssl pkcs12 -inkey NameOfMyEncryptedKeyFile.key -in NameOfMyPEMCertificate.cer -export -out NameOfMyPFXFile.pfx



Leave a Reply

Your email address will not be published. Required fields are marked *