OpenSSL

Create a private key

To create a private encrypted key in PEM format:

_$: openssl genrsa -aes256 -out server.key 4096       (pass: ...)

Create private key without password

If you create a private key without a password, you do not need to introduce it, for instance, after rebooting your server. If, on the other hand, your private key is password-protected, you will need to manually introduce it after every restart. In any case, be aware of the security implications of each option.

_$: openssl genrsa -des3 -out server.key.pass 7096       (pass: ...)
_$: openssl rsa -in server.key.pass -out server.key      (pass: ...)

Create a self-signed certificate

Create the private key:

_$: openssl genrsa -des3 -out server.key 4096       (pass: ...)

Create the certificate sigining request:

_$: openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:                   (pass: ...)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Aragon
Locality Name (eg, city) []:Zaragoza
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create a private key without not password-protected:

_$: cp server.key server.key.org
_$: openssl rsa -in server.key.org -out server.key      (pass: ...)

Sign the certificate with your private key:

_$: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Create a signed certificate

Create the certificate signing request:

a) If you already have a private key:

_$: openssl genrsa -des3 -out server.key 4096       (pass: ...)
_$: openssl req -new -key server.key -sha256 -out server.csr

b) If you do not already have a private key:

_$: openssl req -new -newkey rsa:4096 -nodes -keyout server.key -sha256 -out server.csr

After having created the signing request, you must send it to some certification company. This company will sign the certificate (with their own key) and will return you a number of files. If you have created a certificate request for www.domain.com you could receive something like:

Domain: www_domain_com.crt
Primary: PositiveSSLCA2.crt
Root: AddTrustExternalCARoot.crt

The order of the certificates must be always from the least authoritative to the most authoritative:

-----BEGIN CERTIFICATE-----
(Domain Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Secondary SSL Intermediate CA Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Primary  SSL Intermediate CA Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----

In our case, we did not receive a Secondary SSL Intermediate CA Certificate from the certification company, but you might have.

So let us create the certificate by concatenating all the files the company sent us in the proper order:

_$: cat www_domain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > domain-com.crt

Check

A private key:

_$: openssl rsa -in server.key -check

A certificate signing request:

_$: openssl req -text -noout -verify -in server.csr

A certificate signing request algorithm:

_$: openssl req -text -noout -verify -in server.csr | grep "Signature Algorithm"

A certificate:

_$: openssl x509 -text -noout -in server.crt

A certificate dates:

_$: openssl x509 -noout -in server.crt -dates

A certificate fingerprint:

_$: openssl x509 -in server.crt -noout -sha256 -fingerprint
_$: openssl x509 -in server.crt -noout -sha1   -fingerprint

A certificate in PKCS12 format

_$: openssl pkcs12 -info -in server.p12

A private key properly matches with a certificate:

_$: openssl x509 -noout -modulus -in certs/dovecot.pem | openssl md5
(stdin)= b0182da323e8e71a298bb7c7cc909428
_$: openssl rsa  -noout -modulus -in private/dovecot.pem | openssl md5
(stdin)= b0182da323e8e71a298bb7c7cc909428

A certificate created for another server:

(user@development)_$: openssl s_server -cert production.crt -key production.key -www
(user@development)_$: openssl s_client -connect localhost:4433

Instead of using openssl s_client you can also go to https://localhost:4433 using a web explorer and check the information there.

A certificate from a server:

_$: openssl s_client -showcerts -connect <server>:<port> < /dev/null
_$: openssl s_client -showcerts -connect web.domain.com:443 < /dev/null
_$: openssl s_client -showcerts -connect mail.domain.com:995 < /dev/null
_$: openssl s_client -showcerts -connect web.domain.com:443 < /dev/null  2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

The ciphers offered by a cipher string:

_$: openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL'

The digest list supported:

_$: openssl dgst --help
_$: man dgst

PEM - PKCS#12 conversion

PEM (Certificate + Key) to PFX

a) With Certificate Authority (CA)

_$: openssl pkcs12 -export -inkey requests/server.key -in requests/server.pem -certfile cacert.pem -out requests/server.pfx

b) Without Certificate Authority (CA)

_$: openssl pkcs12 -export -inkey server.key -in server.pem -out server.pfx

PFX to PEM

_$: openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

AES encryption

_$: openssl aes-256-cbc -in myfile.txt -out myfile.aes