SSL
This documentation covers OpenSSL only, as it is the standard implementation for Linux.
Commands
OpenSSL commands are given as the first argument to the openssl
binary. Normally each command has its own manpage.
req
req covers things done with Certificate Requests.
creating a Certificate Request
Use this for an unencrypted key:
openssl req -new -nodes -keyout bincimap.key -out bincimapreq.pem
creating the RootCA
For building a RootCA, you need a self-signed certificate:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
ca
ca performs the Certificate Authority operations: signing requests and revoking certificates.
signing
To sign a Certificate Request (generating a certificate) use:
openssl ca -in filename.csr -out filename.crt
revoking
To revoke a certain certificate:
openssl ca -revoke filename.crt
x509
With x509 you can inspect certificates and other files.
inspecting a certificate
openssl x509 -in filename.crt -text
Howto: CA + Certificates
This is what I did to set up a RootCA and sign some certificates with it.
Preparations
Directory structure below /etc/ssl/
# ls -l /etc/ssl/nwl/
total 0
drwxr-xr-x 2 root root 6 Nov 1 20:45 certs
drwxr-xr-x 2 root root 6 Nov 1 20:45 crl
drwxr-xr-x 2 root root 6 Dec 3 04:01 newcerts
drwx------ 2 root root 6 Dec 3 04:01 private
customizing /etc/ssl/openssl.cnf
- Fix pathnames to match the directory structure mentioned above.
- Check Signing Policy.
- Set useful samples and defaults in the req - part of the file.
- The CommonName should be the FQDN of the host, at least for Apache.
Rocking with OpenSSL
Creating Diffie-Hellman parameters
# openssl dhparam -outform PEM -out /etc/ssl/nwl/dh1024.pem -2 1024
This takes quite a while. There is also a faster way to generate the parameters, but then you should recreate them before each use, which is easily forgotten. The created file should contain the following lines:
-----BEGIN DH PARAMETERS----- [...] -----END DH PARAMETERS-----
Creating an initial serial
Piece of cake:
# echo 00 > /etc/ssl/nwl/serial
The serial will be incremented with every certificate signed. It is also used for naming the new certificates in /etc/ssl/newcerts.
Creating the Certificate Database
Again a piece of cake:
# touch /etc/ssl/nwl/index.txt
Creating The RootCA Itself
To actually create the RootCA just create a self-signed certificate:
# openssl req -x509 -newkey rsa:1024 -days 365 -keyout private/cakey.pem -out cacert.pem
BEWARE: This does not make sense without a password!
Use this to check the output:
# openssl x509 -in cacert.pem -text
Setting nsCertType to server
In openssl.cnf go to [ usr_cert ] and change nsCertType:
nsCertType = server
After that you should generate all server-certificates at once, to prevent creating one with a wrong nsCertType later.
Setting nsCertType to client again
Just as above, change the variable back to client:
nsCertType = client, email
The file is then set up for creating client certificates when they are requested later.
Always rocking with OpenSSL
Creating a Certificate Signing Request
To create a request with matching key:
# openssl req -new -nodes -keyout wiki.nwl.key -out wiki.nwl.csr
wiki.nwl.key should then contain:
-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
wiki.nwl.csr should contain:
-----BEGIN CERTIFICATE REQUEST----- -----END CERTIFICATE REQUEST-----
Signing a Certificate Signing Request
# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt
Then you can safely delete the request, as it is not needed anymore:
# rm wiki.nwl.csr
Creating an initial crl
First initialise the CRL number file (see the crlnumber config option):
# echo 00 >/etc/ssl/nwl/crlnumber
Then we create an empty initial crl:
# openssl ca -gencrl -out crl.pem
Inspecting the generated files
# openssl rsa -in wiki.nwl.key -text
# openssl req -in wiki.nwl.csr -text
# openssl x509 -in wiki.nwl.crt -text
# openssl crl -in crl.pem -text
Revoking a certificate
First the revocation itself (the file name need not match; you can also find all created certificates in /etc/ssl/nwl/newcerts, where they are named by their serial):
# openssl ca -revoke wiki.nwl.crt
After that, the crl file needs to be recreated:
# openssl ca -gencrl -out crl.pem
Extending Validity
Certificates
There is no way to edit an existing certificate (and have it automatically re-signed by the CA afterwards), so a matching CSR has to be created from it first:
# openssl x509 -x509toreq -in wiki.nwl.crt -out wiki.nwl.csr -signkey wiki.nwl.key
To keep the certificate DB sane, openssl requires the old certificate to be revoked before the new one can be signed:
# openssl ca -revoke wiki.nwl.crt
# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt
Certificate Authority
Was not necessary yet, but for instructions see this link: http://marc.info/?l=openssl-users&m=113292902213919
Certificate Revocation List
This is quite easy. CRLs simply need to be recreated after some time (and should then be made accessible, of course). To do so:
# openssl ca -gencrl -out crl.pem
Creating Certificate Hash Symlinks
Certificates and revocation lists are usually looked up by their hash, so create symlinks accordingly:
# ln -s wiki.nwl.crt $(openssl x509 -noout -hash -in wiki.nwl.crt).0
# ln -s crl.pem $(openssl crl -noout -hash -in crl.pem).r0
Note the mandatory suffixes: .0 for certificates and .r0 for revocation lists.
Misc
PEM Files
Sometimes you need a so-called PEM file containing both key and certificate. Creating one is simple:
- create a key and certificate signing request
- sign the request, generating the certificate
- use cat to put them together in one single file:
cat bincimap.key bincimap.crt >> bincimap.pem
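As an added example (not part of the original page), the whole howto above is scripted end to end below: directory layout and a minimal openssl.cnf with the pathnames, signing policy and nsCertType the page says to customise, the self-signed RootCA, serial and index files, an initial CRL, a CSR that is signed and then combined into a PEM file, renewal via -x509toreq with the revoke-first step, revocation with CRL regeneration, and the .0/.r0 hash symlinks used for verification. It assumes openssl is on PATH and runs in a scratch directory standing in for /etc/ssl/nwl; the nwl_* function names and the "NWL" subject names are hypothetical. It deliberately deviates from the page in three places: rsa:2048/sha256 instead of rsa:1024, a serial starting at 01 rather than 00 (RFC 5280 requires a positive serial), and an unencrypted CA key (-nodes) for the demo only.

```shell
#!/bin/sh
# Added example, not from the original page: the CA walk-through scripted end
# to end in a scratch directory standing in for /etc/ssl/nwl. Assumes openssl
# on PATH; the nwl_* names and "NWL" subjects are hypothetical. Deviations:
# rsa:2048/sha256 instead of rsa:1024, the serial starts at 01 (RFC 5280 needs
# a positive serial), and -nodes leaves the CA key unencrypted for the demo
# only (the page's BEWARE applies to a real CA).
set -eu

# Preparations + RootCA: directory layout, a minimal openssl.cnf with the
# pathnames, policy and nsCertType the page says to customise (OpenSSL
# expands the escaped $dir itself), serial, index.txt, crlnumber, CA cert.
nwl_setup_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
unique_subject   = yes
policy           = policy_nwl
x509_extensions  = usr_cert
[ policy_nwl ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType       = server
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    : > "$1/index.txt"
    openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=NWL Example Root CA" -keyout "$1/private/cakey.pem" -out "$1/cacert.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"   # empty initial CRL
}
# CSR with fresh key, signed by the CA; CSR deleted afterwards, key + cert
# concatenated into the combined PEM file daemons such as bincimap expect.
nwl_issue() {
    openssl req -config "$1/openssl.cnf" -new -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
    openssl ca -config "$1/openssl.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt"
    rm "$1/$2.csr"
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}
# Revoke a certificate and regenerate the CRL (both steps, as the page says).
nwl_revoke() {
    openssl ca -config "$1/openssl.cnf" -batch -revoke "$1/$2.crt"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}
# Extend validity: rebuild a CSR from the existing cert, revoke the old one
# (unique_subject would otherwise block re-signing the same CN), sign again.
nwl_renew() {
    openssl x509 -x509toreq -in "$1/$2.crt" -signkey "$1/$2.key" -out "$1/$2.csr"
    nwl_revoke "$1" "$2"
    openssl ca -config "$1/openssl.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt"
    rm "$1/$2.csr"
}
# Hash symlinks (.0 for certificates, .r0 for CRLs) in one -CApath directory.
nwl_hash_links() {
    ln -sf "$1/cacert.pem" "$1/certs/$(openssl x509 -noout -hash -in "$1/cacert.pem").0"
    ln -sf "$1/crl.pem" "$1/certs/$(openssl crl -noout -hash -in "$1/crl.pem").r0"
}
# Verify a certificate against the CA by hash lookup, with CRL checking;
# returns openssl's status (non-zero once the certificate is revoked).
nwl_verify() {
    nwl_hash_links "$1"
    openssl verify -crl_check -CApath "$1/certs" "$1/$2.crt" >/dev/null 2>&1
}
nwl_demo() {
    nwl_setup_ca "$1"
    nwl_issue "$1" wiki.nwl.example    # issued as serial 01
    nwl_renew "$1" wiki.nwl.example    # 01 revoked, re-signed as 02
    nwl_verify "$1" wiki.nwl.example && echo "renewed certificate verifies"
    nwl_revoke "$1" wiki.nwl.example
    nwl_verify "$1" wiki.nwl.example || echo "revoked certificate is rejected"
}
if command -v openssl >/dev/null 2>&1; then    # skip quietly without openssl
    NWL_DIR=$(mktemp -d) && nwl_demo "$NWL_DIR" && echo "CA files left in $NWL_DIR"
fi
```

Both symlinks go into the same directory here because openssl verify -CApath looks up the CA certificate (.0) and its CRL (.r0) by hash in one directory; the page keeps them in certs/ and crl/ for the web server's benefit, which is fine as long as each consumer is pointed at the right place. With OpenSSL 3 the key written by openssl req is in PKCS#8 form and starts with "BEGIN PRIVATE KEY" rather than the "BEGIN RSA PRIVATE KEY" shown on the page; the rest of the walk-through is unaffected.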
HTTPS
Browser configuration
To get the browser to trust your own CA, the CA certificate must be imported into it.
Server certificates
Practically all browsers check whether the CN of the certificate offered matches the hostname requested. This is also the reason why virtual hosting for ssl-hosts does not work.