openssl – part 3

If you ever want to order an SSL certificate from a provider such as Certum, DigiCert, etc., you have to follow these steps.

1. creating private key

You need a private key in order to have a working SSL certificate. The most important part is the private key (you should keep it as secure as you can).

Use this command to generate a private key:

$ openssl genrsa -out /path/to/file.key 2048

This creates a 2048-bit RSA key.

2. Create a Certificate Request aka CSR

You need to create a CSR to get your certificate:

$ openssl req -new -key /path/to/private.key -out /path/to/request.csr

After running this command, you will be asked for several pieces of information, such as:

  • Country
  • State
  • City
  • Organization (name of company)
  • Organization Unit
  • Email (make sure you have access to this email, since the certificate provider will probably contact you at it, and it should obviously be an address on the selected domain so they can verify the domain belongs to you)

After this, you can send the CSR file (the usual extension for requests is .csr) to the certificate provider. They usually have a place where you can upload the file, or a text box into which you can paste its contents.

After generating the CSR file you can also inspect it, so you know it contains the information you entered (email, etc.), with this:

$ openssl req -noout -text -in request.csr -verify

In the process of issuing a new certificate, the provider needs to verify your domain. You have to give them some way to know you own it:

  1. Email: by providing an email on the domain, e.g. admin@yourdomain.com, they will know the domain belongs to you. You just need to be sure you have access to that mailbox.
  2. DNS: if you don't have access to an email on that domain, or for some other reason your email is not @yourdomain, they will give you a text string. You should then add that string as a TXT record in your domain's DNS.
  3. File: another way of verification is by file. They will give you a text file and you should put it at the root of your website (or some other folder they specify).

openssl – part 1

1) Generate an RSA key with 2048 bits.

$ openssl genrsa -out server.key 2048

2) Create an X509 self-signed certificate (for development purposes, etc.)

$ openssl req -x509 -new -nodes -key server.key -sha256 -days 365 -out server.pem

3) Create a PKCS12 key store from the private key and certificate

$ openssl pkcs12 -export -name server.cer -in server.pem -inkey server.key -out server.p12

openssl – part 2

Usually when you get an SSL certificate, you receive multiple cert files, which can be confusing.

They mostly contain:

  1. CA (Certificate Authority)
  2. Trusted Chain
  3. Organizer
  4. domain cert (your main certificate file, with your domain name on it)
  5. domain private key (the private key you created when you were requesting the SSL certificate)

If you want to combine all of these certificates and create a so-called certificate bundle or store, you should first concatenate the root certificate authority (CA) file with chain 1 (Trusted Chain) and chain 2 (Organizer).

$ cat chain1 chain2 root > bundle.cer

Then you can verify your domain certificate against the bundle with (the option is spelled -CAfile; openssl options are case-sensitive):

$ openssl verify -verbose -purpose sslserver -CAfile bundle.cer domain.cer

Now create a key store (PKCS12) from the bundle and private key (the sub-command is lowercase pkcs12, and the chain goes in with -certfile):

$ openssl pkcs12 -export -out domain.pfx -inkey private.key -in domain.cer -certfile bundle.cer
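The whole flow from parts 1 to 3 end to end, as an added example that is not part of the original post: it builds a throwaway root CA, an intermediate and a server certificate in a temp directory (standing in for the files a real provider would send back), checks that the issued cert matches the private key, verifies it against the bundle, and exports the PKCS12 store. All file names, subject names and the "demo" export password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway root CA,
# an intermediate and a server certificate in a temp dir, then runs the
# same key/CSR checks, bundle verification and PKCS12 export the post
# describes. File names, subjects and the "demo" password are made up here.

build_and_verify_chain() {
  work=$(mktemp -d) || return 1
  cd "$work" || return 1
  # Extensions: the intermediate must be a CA; the leaf must not be, and
  # needs serverAuth so that "-purpose sslserver" accepts it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > srv.ext

  # Root CA (part 1, step 2): "req -x509" yields a CA:TRUE self-signed cert.
  openssl genrsa -out root.key 2048 2>/dev/null || return 1
  openssl req -x509 -new -nodes -key root.key -sha256 -days 30 \
    -subj "/CN=Demo Root CA" -out root.pem 2>/dev/null || return 1

  # Intermediate ("Trusted Chain"): CSR signed by the root with CA extensions.
  openssl genrsa -out int.key 2048 2>/dev/null || return 1
  openssl req -new -key int.key -subj "/CN=Demo Intermediate" -out int.csr 2>/dev/null || return 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.pem 2>/dev/null || return 1

  # Server key and CSR (part 3, steps 1 and 2), signed by the intermediate.
  openssl genrsa -out server.key 2048 2>/dev/null || return 1
  openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr 2>/dev/null || return 1
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile srv.ext -out server.pem 2>/dev/null || return 1

  # The issued certificate must belong to our private key: compare RSA moduli.
  [ "$(openssl rsa -noout -modulus -in server.key 2>/dev/null)" = \
    "$(openssl x509 -noout -modulus -in server.pem 2>/dev/null)" ] || return 1

  # Part 2: concatenate chain and root into a bundle, verify the leaf against it.
  cat int.pem root.pem > bundle.pem
  openssl verify -purpose sslserver -CAfile bundle.pem server.pem >/dev/null 2>&1 || return 1

  # Export key, leaf and bundle into one PKCS12 store (note -certfile for the
  # chain) and confirm all three certificates are inside it.
  openssl pkcs12 -export -out server.p12 -inkey server.key -in server.pem \
    -certfile bundle.pem -passout pass:demo 2>/dev/null || return 1
  n=$(openssl pkcs12 -in server.p12 -passin pass:demo -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 3 ] || return 1
  echo "$work/server.p12"
}
```

Run `build_and_verify_chain` and it prints the path of the resulting .p12 on success; any failed step (a mismatched key, a chain that does not verify, a missing cert in the store) makes it return 1 instead.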