Appendix B. OpenSSL Certificate Reference
B.1. Reference of Certificates
This reference for creating and managing certificates with the openssl command assumes familiarity with SSL. For more background information on SSL, refer to the OpenSSL documentation at www.openssl.org.
Important
It is recommended that only certificates signed by an authentic Certificate Authority (CA) are used for secure systems. Instructions in this section for generating self-signed certificates are meant to facilitate test and development activities or evaluation of software while waiting for a certificate from an authentic CA.
Generating Certificates
Procedure B.1. Create a Private Key
- Use this command to generate a 1024-bit RSA private key with file encryption. If the key file is encrypted, the password is needed every time an application accesses the private key.
  # openssl genrsa -des3 -out mykey.pem 1024
  Use this command to generate a key without file encryption:
  # openssl genrsa -out mykey.pem 1024
Procedure B.2. Create a Self-Signed Certificate
Each of the following commands generates a self-signed certificate (the first two also generate a new private key). A self-signed certificate acts as its own CA and does not need additional signatures. This certificate expires one week from the time it is generated.
- The -nodes option causes the key to be stored without encryption. OpenSSL prompts for the values needed to create the certificate.
  # openssl req -x509 -nodes -days 7 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
- The -subj option can be used to specify values and avoid interactive prompts, for example:
  # openssl req -x509 -nodes -days 7 -subj '/C=US/ST=NC/L=Raleigh/CN=www.redhat.com' -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
- The -new and -key options generate a certificate using an existing key instead of generating a new one.
  # openssl req -x509 -nodes -days 7 -new -key mykey.pem -out mycert.pem
Create a Certificate Signing Request
To generate a certificate and have it signed by a Certificate Authority (CA), you need to generate a certificate signing request (CSR):
# openssl req -new -key mykey.pem -out myreq.pem
The certificate signing request can now be sent to an authentic Certificate Authority for signing, and a valid signed certificate will be returned. The exact procedure for sending the CSR and receiving the signed certificate depends on the particular Certificate Authority you use.
Create Your Own Certificate Authority
You can create your own Certificate Authority and use it to sign certificate requests. If the Certificate Authority is added as a trusted authority on a system, any certificates signed by the Certificate Authority will be valid on that system. This option is useful if a large number of certificates are needed temporarily.
- Create a self-signed certificate for the CA, as described in Procedure B.2, “Create a Self-Signed Certificate”.
- OpenSSL needs the following files set up for the CA to sign certificates. On a Red Hat Enterprise Linux system with a fresh OpenSSL installation using the default configuration, set up the following files:
  - Set the path for the CA certificate file as /etc/pki/CA/cacert.pem.
  - Set the path for the CA private key file as /etc/pki/CA/private/cakey.pem.
  - Create a zero-length index file at /etc/pki/CA/index.txt.
  - Create a file containing an initial serial number (for example, 01) at /etc/pki/CA/serial.
  - The following steps must be performed on RHEL 5:
    - Create the directory where new certificates will be stored: /etc/pki/CA/newcerts.
    - Change to the certificate directory: cd /etc/pki/tls/certs.
- The following command signs a CSR using the CA:
  # openssl ca -notext -out mynewcert.pem -infiles myreq.pem
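The CA setup steps above, carried out by a script. This is an added example and not part of the original reference; it assumes the default Red Hat OpenSSL configuration, which looks for the CA under /etc/pki/CA (the directory parameter of setup_ca_dir only lets the layout be tried in a scratch directory first), and a CA certificate and key produced as in Procedure B.2.

```shell
#!/bin/sh
# Added example (not from the original reference): create the files that
# "openssl ca" expects under the CA directory, then sign a CSR with it and
# verify the result against the CA certificate. The default configuration
# reads /etc/pki/CA; other directories are only useful for trying the layout.
set -eu

# Lay out the CA directory: certificate, key, empty index, initial serial,
# and the newcerts directory that RHEL 5 needs.
setup_ca_dir() {
    ca_dir=$1 ca_cert=$2 ca_key=$3
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    cp "$ca_cert" "$ca_dir/cacert.pem"
    cp "$ca_key" "$ca_dir/private/cakey.pem"
    chmod 600 "$ca_dir/private/cakey.pem"   # only the CA operator reads the key
    : > "$ca_dir/index.txt"                  # zero-length certificate database
    [ -s "$ca_dir/serial" ] || echo 01 > "$ca_dir/serial"
}

# Report whether a directory contains everything "openssl ca" needs.
ca_dir_ready() {
    d=$1
    [ -f "$d/cacert.pem" ] && [ -f "$d/private/cakey.pem" ] &&
    [ -f "$d/index.txt" ] && [ -s "$d/serial" ] && [ -d "$d/newcerts" ]
}

# Sign a CSR with the CA (the page's command) and check that the new
# certificate chains to the CA certificate before handing it out.
sign_csr() {
    csr=$1 out=$2 ca_dir=${3:-/etc/pki/CA}
    openssl ca -notext -out "$out" -infiles "$csr"
    openssl verify -CAfile "$ca_dir/cacert.pem" "$out"
}

# Usage: sh ca-setup.sh cacert.pem cakey.pem myreq.pem mynewcert.pem
if [ $# -eq 4 ]; then
    setup_ca_dir /etc/pki/CA "$1" "$2"
    sign_csr "$3" "$4"
fi
```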
Install a Certificate
- For OpenSSL to recognize a certificate, a hash-based symbolic link must be generated in the certs directory. /etc/pki/tls is the parent of the certs directory in Red Hat Enterprise Linux's version of OpenSSL. Use the version command to check the parent directory:
  # openssl version -d
  OPENSSLDIR: "/etc/pki/tls"
- Create the required symbolic link for a certificate using the following command:
  # ln -s certfile `openssl x509 -noout -hash -in certfile`.0
  It is possible for more than one certificate to have the same hash value. If this is the case, change the suffix on the link name to a higher number. For example:
  # ln -s certfile `openssl x509 -noout -hash -in certfile`.4
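The hash-link installation above, with the suffix chosen automatically when another certificate already occupies the same hash. This is an added example and not part of the original reference; it assumes openssl x509 -hash is available and that the certs directory (by default the certs subdirectory of OPENSSLDIR as reported by openssl version -d) is writable.

```shell
#!/bin/sh
# Added example, not part of the original reference: install a certificate
# under its subject-hash link name, picking the next free numeric suffix when
# another certificate already has the same hash (the collision case above).
# Assumes "openssl x509 -hash" and a writable certs directory; the default
# directory is the certs subdirectory of OPENSSLDIR.
set -eu

# Lowest N such that DIR/HASH.N does not exist yet (0, 1, 2, ...).
free_suffix() {
    dir=$1 hash=$2 n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Link CERTFILE into DIR as HASH.N and print the link path. If a link with
# that hash already resolves to an identical certificate, reuse it instead
# of adding a duplicate entry.
install_cert_link() {
    certfile=$1
    dir=${2:-$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/certs}
    hash=$(openssl x509 -noout -hash -in "$certfile")
    for existing in "$dir/$hash".*; do
        if [ -e "$existing" ] && cmp -s "$existing" "$certfile"; then
            echo "$existing"
            return 0
        fi
    done
    n=$(free_suffix "$dir" "$hash")
    # Absolute target so the link works regardless of the current directory.
    target=$(cd "$(dirname "$certfile")" && pwd)/$(basename "$certfile")
    ln -s "$target" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Usage: sh install-cert.sh mycert.pem [/etc/pki/tls/certs]
if [ $# -ge 1 ]; then
    install_cert_link "$@"
fi
```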
Examine Values in a Certificate
The content of a certificate can be seen in plain text with this command:
# openssl x509 -text -in mycert.pem
Exporting a Certificate from NSS into PEM Format
Certificates stored in an NSS certificate database can be exported and converted to PEM format in several ways:
- This command exports a certificate with a specified nickname from an NSS database:
# certutil -d . -L -n "Some Cert" -a > somecert.pem
- These commands can be used together to export certificates and private keys from an NSS database and convert them to PEM format. They produce a file containing the client certificate, the certificate of its CA, and the private key.
  # pk12util -d . -n "Some Cert" -o somecert.pk12
  # openssl pkcs12 -in somecert.pk12 -out tmckay.pem
  See the documentation for the openssl pkcs12 command for options that limit the content of the PEM output file.