OpenSSL cheat sheet

Key generation

Note on key parts

The "public" and "private" key files are not two halves that each need the other: the private key file always carries the public portion as well, so the public key file can always be regenerated from the private key file, like so:
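As an added example (not part of the cheat sheet), here is that round trip in shell: generate a private key, export its public half to a separate file, then derive the public key from the private key file again and compare the two. It goes beyond the single command by running the same check for Ed25519, EC P-256 and RSA, which shows the property is not specific to one algorithm. The temporary directory and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: show that the public key can always
# be derived from the private key file, for several key types.
set -eu

# Scratch directory for the generated files (example's own choice).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# pubkey_roundtrip ALGO [PKEYOPT]
# Generate a private key for ALGO (passing PKEYOPT as -pkeyopt when given),
# export the public key to its own file once, then derive the public key from
# the private key file a second time and compare. Prints "match" or "mismatch".
pubkey_roundtrip() {
    algo=$1
    key="$workdir/$algo.key"
    pub="$workdir/$algo.pub"
    if [ $# -ge 2 ]; then
        openssl genpkey -algorithm "$algo" -pkeyopt "$2" -out "$key" 2>/dev/null
    else
        openssl genpkey -algorithm "$algo" -out "$key" 2>/dev/null
    fi
    # Export the public portion to a separate file (the "public key file").
    openssl pkey -in "$key" -pubout -out "$pub"
    # Derive it again straight from the private key file and compare.
    if [ "$(openssl pkey -in "$key" -pubout)" = "$(cat "$pub")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Run the check for three key types; each line should end in "match".
echo "ed25519: $(pubkey_roundtrip ed25519)"
echo "EC P-256: $(pubkey_roundtrip EC ec_paramgen_curve:P-256)"
echo "RSA 2048: $(pubkey_roundtrip RSA rsa_keygen_bits:2048)"
```

The comparison is on the PEM text that `openssl pkey -pubout` emits, so any difference in the encoded SubjectPublicKeyInfo shows up as a mismatch; the reverse direction does not exist, since a public key file carries nothing from which the private key could be recovered.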

25519 who?

(Thanks StackExchange)

Possible extensions values

Generation of S/MIME certificates

A case against using `openssl ca`

With the default openssl.cnf, `openssl ca` expects a particular directory layout (./demoCA/newcerts etc.) because it tracks serial numbers and an index of issued certificates itself. Below, every aspect is managed manually, with no dependence on any particular path. For quick-and-dirty CAs, the indexing can be skipped entirely.

One-step generation of CA/self-signed certificate

  1. openssl req -x509 -nodes -newkey ed25519 -out myca.pem -keyout myca.key -days 365 -subj /O=CA -addext basicConstraints="critical,CA:TRUE" -addext nsCertType="sslCA,emailCA" -addext keyUsage=keyCertSign,cRLSign

Multi-step generation of CA/self-signed certificate

  1. Use genpkey from above for making myca.key.
  2. openssl req -new -key myca.key -out myca.req -subj /O=CA -addext basicConstraints=critical,CA:true -addext nsCertType=sslCA,emailCA -addext keyUsage=keyCertSign,cRLSign
  3. openssl x509 -req -in myca.req -signkey myca.key -days 365 -copy_extensions copy -set_serial 1 -out myca.pem

Curious looking invocations

Generation of a CA-capable server certificate from Root CA

Generation of a client certificate tied to the server

System placement

On SUSE, or wherever the ca-certificates package is installed, certificate files that should be trusted system-wide are copied into /etc/pki/trust/anchors (running update-ca-certificates afterwards seems optional, at least for processes that are purely libopenssl-based).