Differences

This shows you the differences between two versions of the page.

--- certificates:certificates_guide [2022/09/07 13:54] – bstafford
+++ certificates:certificates_guide [2025/07/10 19:00] (current) – [Strip Password from Base64] bstafford
@@ Line 4: / Line 4: @@
 Extra info can also be found on [[http://www.sslshopper.com/article-most-common-openssl-commands.html|Certificates]] and [[https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html|Keystores]] and [[https://www.sslshopper.com/ssl-converter.html|Converting]].
+=====Strip Password from Base64=====
+Strip a password from a Base64 file that has both certificate and key.
+<code>openssl rsa -in [file1.key] -out [file2.key]</code>
 =====Add Password to Base64=====
 Add a password to a Base64 file that is not
@@ Line 11: / Line 14: @@
 <code>sudo cat /etc/nginx/certs/intermediate.pem >> /etc/nginx/certs/certfile.pem</code>
 <code>sudo systemctl restart nginx</code>
-=====Strip Password from Base64=====
-Strip a password from a Base64 file that has both certificate and key.
+===== Create Root CA and Web Cert =====
-<code>openssl rsa -in [file1.key] -out [file2.key]</code>
+Generate Private Key:
+<code>openssl genrsa -out myCA.key 2048</code>
+Create Self-Signed Certificate:
+<code>openssl req -new -x509 -days 3650 -key myCA.key -out myCA.pem -subj "/C=GB/O=Vendor/CN=Lab Root CA" -addext "keyUsage = critical, keyCertSign, cRLSign"</code>
+Verify Certificate:
+<code>openssl x509 -in myCA.pem -text -noout</code>
+Create Web Certificate and Key
+<code>certtool --generate-certificate --outfile webserver.pem --load-ca-certificate myCA.pem --load-ca-privkey myCA.key --load-privkey webserver.key</code>
+CAs should include a Subject Key Identifier in all CA certificates.
+Create web Certificate Signing Request AND new key
+<code>openssl req -newkey rsa:2048 -keyout webserver.key -out webserver.csr</code>
 =====SSL Info=====
 Certificate information is of the following form
@@ Line 153: / Line 174: @@
 To extract the key and certificate from a PFX file, run the following openssl command. If the cert.pfx file has a password, the command above will prompt you to enter the password. It will then generate details.txt. You have to open details.txt in a text editor.
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes</code>
+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -out /home/user/documents/details.txt -nodes -legacy</code>
 You will see the private key (without a password) between
 <code>-----BEGIN PRIVATE KEY-----</code>
@@ Line 170: / Line 191: @@
 **Extract Private Key from PFX**
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem</code>
+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nocerts -out /home/user/documents/private-key.pem -legacy</code>
 **Extract Certificate from PFX**
-<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem</code>
+<code>openssl pkcs12 -in /home/user/documents/cert.pfx -nokeys -out /home/user/documents/certificate.pem -legacy</code>