I don’t know of any “don’t bother” options, but here is how you can setup a quick demo CA: #!/bin/bash CAROOT=/path/to/ca mkdir -p ${CAROOT}/ca.db.certs # Signed certificates storage touch ${CAROOT}/ca.db.index # Index of signed certificates echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number # Configuration cat>${CAROOT}/ca.conf<<‘EOF’ [ ca ] default_ca = ca_default [ ca_default … Read more
I ran into the same problem with OpenSSL 3 and Windows Server 2012 R2. However, I eventually put together the correct combination of parameters. This seems to work: openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey contoso.com.key -in contoso.com.crt -out contoso.com-legacy.pfx
If you haven’t chosen a curve, you can list them with this command: openssl ecparam -list_curves I picked secp256r1 for this example. Use this to generate an EC private key if you don’t have one already: openssl ecparam -out ec_key.pem -name secp256r1 -genkey And then generate the certificate. Your certificate will be in cert.pem. openssl … Read more
You may need the -addext flag. For example: openssl req -new -key certs/foo-bar.pem \ -subj “/CN=foobar.mydomain.svc” \ -addext “subjectAltName = DNS:foobar.mydomain.svc” \ -out certs/foo-bar.csr \ -config certs/foo-bar_config.txt Got the answer from here: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
Try removing or commenting RANDFILE = $ENV::HOME/.rnd line in /etc/ssl/openssl.cnf
Anything outside —–BEGIN FOO—– and —–END FOO—– should be ignored by OpenSSL. This behavior is commonly used to e.g. embed an entire human-readable detailed description of the cert in the PEM file itself, so that anyone reading it can see what it encodes without having to invoke openssl x509 … on it.
Your command is correct, and gives you the encrypted private key in PKCS#8 format. If you need the unencrypted private key, just add the -nodes option: openssl pkcs12 -in filename.pfx -nocerts -nodes -out key.pem If you need the private key in old RSA format, you should convert the given key with the openssl pkcs8 command: … Read more
The tumbleweed badge reminded me to come back and answer it myself! The way I got this to work was to use: setarch i386 ./config -m32
I had the same problem as sunnycomes and his comment was correct. I was lacking a ‘-‘ at the very end of the last line of the file. Before I had: —–END CERTIFICATE—- and changing it to: —–END CERTIFICATE—– fixed it. I’ve learnt that I have to be careful when copying certificates text from a … Read more
“Enter PEM pass phrase” because openssl doesn’t want to output private key in clear text. The password is used to output encrypted private key Below command can be used to output private key in clear text. No password is then asked. openssl pkcs12 -nodes -in me.p12 -out me.pem