Appendix B. OpenSSL Certificate Reference

B.1. Reference of Certificates

This reference for creating and managing certificates with the openssl command assumes familiarity with SSL. For more background information on SSL refer to the OpenSSL documentation at www.openssl.org.

Important

It is recommended that only certificates signed by an authentic Certificate Authority (CA) are used for secure systems. Instructions in this section for generating self-signed certificates are meant to facilitate test and development activities or evaluation of software while waiting for a certificate from an authentic CA.

Generating Certificates

Procedure B.1. Create a Private Key

  • Use this command to generate a 1024-bit RSA private key with file encryption. If the key file is encrypted, the password will be needed every time an application accesses the private key.
    # openssl genrsa -des3 -out mykey.pem 1024
    
    Use this command to generate a key without file encryption:
    # openssl genrsa -out mykey.pem 1024
    

Procedure B.2. Create a Self-Signed Certificate

Each of the following commands generates a self-signed certificate, which acts as its own CA and does not need additional signatures; the first two commands also generate a new private key, while the third reuses an existing one. The certificate expires one week from the time it is generated.
  1. The nodes option causes the key to be stored without encryption. OpenSSL will prompt for values needed to create the certificate.
    # openssl req -x509 -nodes -days 7 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
    
  2. The subj option can be used to specify values and avoid interactive prompts, for example:
    # openssl req -x509 -nodes -days 7 -subj '/C=US/ST=NC/L=Raleigh/CN=www.redhat.com' -newkey rsa:1024 -keyout mykey.pem -out mycert.pem
    
  3. The new and key options generate a certificate using an existing key instead of generating a new one.
    # openssl req -x509 -nodes -days 7 -new -key mykey.pem -out mycert.pem
    

Create a Certificate Signing Request

To generate a certificate and have it signed by a Certificate Authority (CA), you need to generate a certificate signing request (CSR):
# openssl req -new -key mykey.pem -out myreq.pem
The certificate signing request can now be sent to an authentic Certificate Authority for signing, and a valid signed certificate will be returned. The exact procedure for sending the CSR and receiving the signed certificate depends on the particular Certificate Authority you use.

Create Your Own Certificate Authority

You can create your own Certificate Authority and use it to sign certificate requests. If the Certificate Authority is added as a trusted authority on a system, any certificates signed by the Certificate Authority will be valid on that system. This option is useful if a large number of certificates are needed temporarily.
  1. Create a self-signed certificate for the CA, as described in Procedure B.2, “Create a Self-Signed Certificate”.
  2. OpenSSL needs the following files set up for the CA to sign certificates. On a Red Hat Enterprise Linux system with a fresh OpenSSL installation using a default configuration, set up the following files:
    1. Set the path for the CA certificate file as /etc/pki/CA/cacert.pem.
    2. Set the path for the CA private key file as /etc/pki/CA/private/cakey.pem.
    3. Create a zero-length index file at /etc/pki/CA/index.txt.
    4. Create a file containing an initial serial number (for example, 01) at /etc/pki/CA/serial.
    5. The following steps must be performed on RHEL 5:
      1. Create the directory where new certificates will be stored: /etc/pki/CA/newcerts.
      2. Change to the certificate directory: cd /etc/pki/tls/certs.
  3. The following command signs a CSR using the CA:
    # openssl ca -notext -out mynewcert.pem -infiles myreq.pem
    
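The following script is an added example and is not part of the original appendix or of Red Hat's OpenSSL configuration. It carries the whole procedure above (Procedures B.1 and B.2, the CSR, and the CA steps 1 to 3) through in a temporary directory with the same file layout the appendix describes (cacert.pem, private/cakey.pem, a zero-length index.txt, a serial file containing 01, and newcerts/), so that openssl ca can be tried without touching /etc/pki/CA. The subjects, file names, the hypothetical host www.example.com and the 2048-bit key size are constructed for the demo (the appendix's commands use 1024-bit keys); the ca.cnf it writes is a minimal configuration of my own, not the distribution's default openssl.cnf, and the CA key is created unencrypted (-nodes) so the script runs without passphrase prompts.

```shell
#!/bin/sh
# Added example, not from the original appendix: a throwaway CA in a
# temporary directory with the file layout the appendix describes
# (cacert.pem, private/cakey.pem, index.txt, serial, newcerts/), so that
# "openssl ca" can be exercised without touching /etc/pki/CA.
# Assumptions: openssl is on PATH; the subjects, file names and 2048-bit key
# size are constructed for this demo (the appendix's commands use 1024).
set -eu

# make_ca_config DIR: write the minimal openssl.cnf that "openssl ca" needs.
make_ca_config() {
    ca_dir=$1
    cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 7
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert

[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# setup_ca DIR: create the CA layout and its self-signed certificate
# (Procedure B.2 style; -nodes keeps the demo free of passphrase prompts).
setup_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    : > "$ca_dir/index.txt"       # zero-length index file
    echo 01 > "$ca_dir/serial"    # initial serial number
    make_ca_config "$ca_dir"
    openssl req -x509 -nodes -days 7 -newkey rsa:2048 \
        -subj '/C=US/ST=NC/L=Raleigh/CN=Demo Test CA' \
        -config "$ca_dir/ca.cnf" -extensions v3_ca \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" 2>/dev/null
}

# issue_cert DIR NAME CN: new key + CSR for CN, then "openssl ca" signs it.
# Leaves DIR/NAME.key.pem, DIR/NAME.req.pem and DIR/NAME.cert.pem behind.
issue_cert() {
    ca_dir=$1; name=$2; cn=$3
    openssl req -new -nodes -newkey rsa:2048 -subj "/C=US/ST=NC/L=Raleigh/CN=$cn" \
        -config "$ca_dir/ca.cnf" \
        -keyout "$ca_dir/$name.key.pem" -out "$ca_dir/$name.req.pem" 2>/dev/null
    openssl ca -batch -notext -config "$ca_dir/ca.cnf" \
        -out "$ca_dir/$name.cert.pem" -in "$ca_dir/$name.req.pem" 2>/dev/null
}

# verify_cert DIR NAME: succeed only if DIR/NAME.cert.pem chains to the CA.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.cert.pem" >/dev/null 2>&1
}

# cert_subject DIR NAME: print the subject of the issued certificate.
cert_subject() {
    openssl x509 -noout -subject -in "$1/$2.cert.pem"
}

demo=$(mktemp -d)
setup_ca "$demo"
issue_cert "$demo" server www.example.com    # constructed host name
cert_subject "$demo" server
if verify_cert "$demo" server; then
    echo "server.cert.pem verifies against $demo/cacert.pem"
fi
```

After a run, the serial file has advanced to 02 and index.txt records the issued certificate, which is the bookkeeping openssl ca relies on; the usr_cert section marks issued certificates CA:FALSE so a leaf certificate signed this way cannot itself be used to sign others.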

Install a Certificate

  1. For OpenSSL to recognize a certificate, a hash-based symbolic link must be generated in the certs directory. /etc/pki/tls is the parent of the certs directory in Red Hat Enterprise Linux's version of OpenSSL. Use the version command to check the parent directory:
    # openssl version -d
    OPENSSLDIR: "/etc/pki/tls"
    
  2. Create the required symbolic link for a certificate using the following command:
    # ln -s certfile `openssl x509 -noout -hash -in certfile`.0
    
    It is possible for more than one certificate to have the same hash value. If this is the case, change the suffix on the link name to a higher number. For example:
    # ln -s certfile `openssl x509 -noout -hash -in certfile`.4
    

Examine Values in a Certificate

The content of a certificate can be seen in plain text with this command:
# openssl x509 -text -in mycert.pem

Exporting a Certificate from NSS into PEM Format

Certificates stored in an NSS certificate database can be exported and converted to PEM format in several ways:
  • This command exports a certificate with a specified nickname from an NSS database:
    # certutil -d . -L -n "Some Cert" -a > somecert.pem
    
  • These commands can be used together to export certificates and private keys from an NSS database and convert them to PEM format. They produce a file containing the client certificate, the certificate of its CA, and the private key.
    # pk12util -d . -n "Some Cert" -o somecert.pk12
    # openssl pkcs12 -in somecert.pk12 -out tmckay.pem
    
    See documentation for the openssl pkcs12 command for options that limit the content of the PEM output file.
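As an added example, not part of the original appendix, the script below shows what the openssl pkcs12 step produces and how its output can be limited to one kind of object. It does not require certutil or pk12util: the PKCS#12 bundle is built with openssl pkcs12 -export from a constructed CA certificate, client certificate and private key, which stands in for what pk12util -o would export from an NSS database. The names, subjects, the export passphrase "demo" and the small req.cnf it writes are assumptions made for the demo; -clcerts, -cacerts, -nokeys, -nocerts and -nodes are real options of openssl pkcs12.

```shell
#!/bin/sh
# Added example, not from the original appendix: build a PKCS#12 bundle
# holding a client certificate, its CA certificate and the private key, then
# convert it to PEM and split the output with the openssl pkcs12 options that
# limit its content. Assumptions: openssl is on PATH; names, subjects and the
# bundle passphrase below are constructed for the demo.
set -eu

# make_demo_bundle DIR: constructed CA + client certificate/key, exported as
# DIR/client.p12 under the nickname "Some Cert" with passphrase "demo".
make_demo_bundle() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -nodes -days 7 -newkey rsa:2048 -subj '/CN=Demo CA' \
        -config "$d/req.cnf" -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=demo client' \
        -config "$d/req.cnf" -keyout "$d/clientkey.pem" -out "$d/client.req" 2>/dev/null
    openssl x509 -req -days 7 -in "$d/client.req" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/clientcert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/clientcert.pem" -inkey "$d/clientkey.pem" \
        -certfile "$d/cacert.pem" -name "Some Cert" -passout pass:demo -out "$d/client.p12"
}

# pem_from_bundle DIR: the conversion from the appendix, everything in one
# file (client certificate, CA certificate and unencrypted private key).
pem_from_bundle() {
    openssl pkcs12 -in "$1/client.p12" -passin pass:demo -nodes -out "$1/all.pem"
}

# split_bundle DIR: limit the PEM output to one kind of object per file.
split_bundle() {
    d=$1
    openssl pkcs12 -in "$d/client.p12" -passin pass:demo -clcerts -nokeys -out "$d/clientcert-out.pem"
    openssl pkcs12 -in "$d/client.p12" -passin pass:demo -cacerts -nokeys -out "$d/cacerts-out.pem"
    openssl pkcs12 -in "$d/client.p12" -passin pass:demo -nocerts -nodes -out "$d/key-out.pem"
}

# count_pem DIR FILE LABEL: number of "-----BEGIN LABEL-----" blocks in DIR/FILE.
count_pem() {
    grep -c "^-----BEGIN $3-----" "$1/$2" || true
}

demo=$(mktemp -d)
make_demo_bundle "$demo"
pem_from_bundle "$demo"
split_bundle "$demo"
for f in all.pem clientcert-out.pem cacerts-out.pem key-out.pem; do
    echo "$f: $(count_pem "$demo" "$f" CERTIFICATE) certificate(s)," \
         "$(count_pem "$demo" "$f" 'PRIVATE KEY') private key(s)"
done
```

The private key comes out unencrypted only because of -nodes (the passphrase given with -passin protects the bundle, not the PEM file); without it openssl pkcs12 prompts for a PEM passphrase and writes an encrypted key. The split files are what a client and a server usually want separately: the client certificate, the CA certificate for the trust store, and the key file kept with restrictive permissions.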