certificates:certificates_guide

Differences

This shows you the differences between two versions of the page.

certificates:certificates_guide [2022/09/07 08:31] bstaffordcertificates:certificates_guide [2025/07/10 19:00] (current) – [Strip Password from Base64] bstafford
Line 4: Line 4:
  
 Extra info can also be found on [[http://www.sslshopper.com/article-most-common-openssl-commands.html|Certificates]] and [[https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html|Keystores]] and [[https://www.sslshopper.com/ssl-converter.html|Converting]]. Extra info can also be found on [[http://www.sslshopper.com/article-most-common-openssl-commands.html|Certificates]] and [[https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html|Keystores]] and [[https://www.sslshopper.com/ssl-converter.html|Converting]].
-=====Add Password to Base64===== 
-Add a password to a Base64 file that is not 
-<code>openssl rsa -aes256 -in your.key -out your.encrypted.key</code> 
 =====Strip Password from Base64===== =====Strip Password from Base64=====
 Strip a password from a Base64 file that has both certificate and key. Strip a password from a Base64 file that has both certificate and key.
 <code>openssl rsa -in [file1.key] -out [file2.key]</code> <code>openssl rsa -in [file1.key] -out [file2.key]</code>
 +=====Add Password to Base64=====
 +Add a password to a Base64 file that is not
 +<code>openssl rsa -aes256 -in your.key -out your.encrypted.key</code>
 +===== Make LetsEncrypt Cert a Full Chain=====
 +This is on Nginx and we append intermediate.pem to the end of certfile.pem
 +<code>sudo cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem</code>
 +<code>sudo systemctl restart nginx</code>
 +
 +===== Create Root CA and Web Cert =====
 +Generate Private Key: 
 +<code>openssl genrsa -out myCA.key 2048</code>
 +
 +Create Self-Signed Certificate: 
 +<code>openssl req -new -x509 -days 3650 -key myCA.key -out myCA.pem -subj "/C=GB/O=Vendor/CN=Lab Root CA" -addext "keyUsage = critical, keyCertSign, cRLSign"</code>
 +
 +Verify Certificate: 
 +<code>openssl x509 -in myCA.pem -text -noout</code>
 +
 +Create Web Certificate and Key
 +<code>certtool --generate-certificate --outfile webserver.pem --load-ca-certificate myCA.pem --load-ca-privkey myCA.key --load-privkey webserver.key</code>
 +
 +CAs should include a Subject Key Identifier in all CA certificates.
 +
 +Create web Certificate Signing Request AND new key
 +<code>openssl req -newkey rsa:2048 -keyout webserver.key -out webserver.csr</code>
 +
 +
 +
 =====SSL Info===== =====SSL Info=====
 Certificate information is of the following form Certificate information is of the following form
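Review bot: In the new "Make LetsEncrypt Cert a Full Chain" section, `sudo cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem` elevates only `cat`; the `>>` redirection is opened by the calling shell, so the append fails when certfile.pem is writable only by root. Suggest wrapping the whole command in `sudo sh -c '...'` or piping into `sudo tee -a`, and noting that the append is not idempotent, since running it twice duplicates the intermediate in the chain. In "Create Root CA and Web Cert", the certtool step loads webserver.key before the later `openssl req -newkey` step creates it, and the resulting webserver.csr is never signed by myCA; reorder the steps and either add the signing command or drop the CSR step. myCA.key is also generated without a passphrase, which is worth stating next to a CA certificate valid for 3650 days. The moved sentence "Add a password to a Base64 file that is not" is still cut off.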
Line 149: Line 174:
  
 To extract the key and certificate from a PFX file, run the following openssl command. If the cert.pfx file has a password, the command above will prompt you to enter the password. It will then generate details.txt. You have to open details.txt in a text editor. To extract the key and certificate from a PFX file, run the following openssl command. If the cert.pfx file has a password, the command above will prompt you to enter the password. It will then generate details.txt. You have to open details.txt in a text editor.
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes</code>+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes -legacy</code>
 You will see the private key (without a password) between You will see the private key (without a password) between
 <code>-----BEGIN PRIVATE KEY-----</code> <code>-----BEGIN PRIVATE KEY-----</code>
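Review bot: The `-legacy` flag added to the `openssl pkcs12 ... -nodes` line comes with no explanation of when it is needed. It is an OpenSSL 3.x option that loads the legacy provider for PFX files protected with older algorithms, and OpenSSL 1.1.1 rejects it as an unknown option, so add a sentence stating which OpenSSL version the command targets. While this line is being touched: `-nodes` is deprecated in 3.0 in favour of `-noenc`, the context sentence says "the command above" although the command follows it, and details.txt ends up holding the unencrypted private key, so the page should tell readers to restrict its permissions and delete it once the key has been copied out.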
Line 166: Line 191:
  
 **Extract Private Key from PFX** **Extract Private Key from PFX**
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem</code>+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem -legacy</code>
  
  
 **Extract Certificate from PFX** **Extract Certificate from PFX**
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem</code>+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem -legacy</code>
  
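Review bot: On the "Extract Private Key from PFX" line, the command has no `-nodes`/`-noenc`, so unlike the details.txt command it prompts for a new PEM pass phrase and writes private-key.pem encrypted; the page should say so and point to "Strip Password from Base64" for servers that need an unencrypted key. The `-legacy` addition on both lines has the same OpenSSL version dependency as the details.txt command, so one sentence at the top of the PFX section would cover all three commands.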
certificates/certificates_guide.1662539502.txt.gz · Last modified: (external edit)