The basics command line steps to generate a private and public key using OpenSSL are as follow openssl genrsa -out private.key 1024 openssl req -new -x509 -key private.key -out publickey.cer -days 365 openssl pkcs12 -export -out public_privatekey.pfx -inkey private.key -in publickey.cer Step 1 – generates a private key Step 2 – creates a X509 certificate … Read more
In interactive mode, when it prompts for a password, just press enter and there will be no password set. If you are want to automate that (for example as an ansible command), use the -passout argument. It expects the parameter to be in the form pass:mypassword. Since we want no password: openssl pkcs12 -export -nodes … Read more
I had the same problem and solved it by passing path to a directory where CA keys are stored. On Ubuntu it was: openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
You need to specify an extensions file. For example: openssl x509 -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt The extensions file (v3.ext) can look like this: authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem Close. You need to add the CA’s root certificate with -CAfile; and not your end entity certificate. Something like: openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than … Read more
There is a very handy GUI tool written in java called portecle which you can use for creation of an empty PKCS#12 keystore and also for an import of the certificate without the private key into the PKCS#12 keystore – this functionality is available under “Import trusted certificate (Ctrl-T)” button. However if you insist on … Read more
-print_certs is the option you want to use to list all of the certificates in the p7b file, you may need to specify the format of the p7b file you are reading. You can then redirect the output to a new file to build the concatenated list of certificates. Open the file in a text … Read more
You can use the -batch option of openssl. eg: openssl ca -batch -config “$CONF” -out “$BOXCERT” -infiles “$CSRFILE”
You can generate a public-private keypair with the genrsa context (the last number is the keylength in bits): openssl genrsa -out keypair.pem 2048 To extract the public part, use the rsa context: openssl rsa -in keypair.pem -pubout -out publickey.crt Finally, convert the original keypair to PKCS#8 format with the pkcs8 context: openssl pkcs8 -topk8 -inform … Read more
You can only use something like this: openssl -extensions mysection -config myconfig.cnf and myconfig.cnf: [mysection] keyUsage = digitalSignature extendedKeyUsage = codeSigning I am not aware of command line interface to this functionality.