OpenSSL cheat sheet

Key generation

openssl genpkey -algorithm ed25519 -out privkey.pem
openssl genpkey -algorithm rsa -pkeyopt bits:4096 -out privkey.pem
(Old-style) openssl genrsa -out privkey.pem 4096

Note on key parts

The "public" and the "private" key do not form a a relationship of reciprocally needy parts. That is, the possessor of the private key does not need the public key to perform operations. The public key is a subset of the private key, and the public key can always be regenerated from the private key:

Generate some RSA key:
openssl genpkey -algorithm rsa -pkeyopt bits:512 -out privkey.pem
Show components of "private":
openssl pkey -in privkey.pem -text
RSA has lots of parameters in contrast to X25519 or Ed25519.
Show components of "public" key:
openssl pkey -in privkey.pem -pubout | openssl pkey -pubin -text

25519 who?

Curve25519 is a curve.
X25519 is a Elliptic-Curve Diffie-Hellman (ECDH) protocol using the x coordinate of the curve Curve25519. [Not usable for making signature stuff.]
Ed25519 is an Edwards Digital Signature Algorithm using a curve which is birationally equivalent to Curve25519.

(Thanks StackExchange)

S/MIME cert generation

Generation of a self-signed certificate:
openssl req -x509 -out cert.pem -key privkey.pem -days 365 -subj "/CN=my@address.de" -addext subjectAltName="email:my@address.de" -addext basicConstraints="critical,CA:FALSE" -addext keyUsage="critical,digitalSignature,keyEncipherment" -addext extendedKeyUsage="clientAuth,emailProtection"
Generate PKCS#12 container:
openssl pkcs12 -export -out cert.pfx -in cert.pem -inkey privkey.pem -name "Descriptive Name (my@address.de)"
Windows/Outlook notes:
- Start the certificate manager: certmgr.exe currentUser
- Importing an Ed25519 certificate into the Trust Center is possible, but Windows does not know what to do with the item.
- Self-signed certificates such as that one need to be copied to the Trust CA Root
- While arbitrary PFX can be imported, only certificates with EKU "emailProtection" can be selected when trying to active certificate use in OL.
Grommunio notes:
- Imported an Ed25519 certificate into g-web settings is possible, but utilizing the certificate runs into problems (messages so signed/encrypted are empty as of g-web-3.9).

Case against using `openssl ca`

With the default openssl.cnf, openssl ca expects a certain directory structure (./demoCA/newcerts etc.) as it will auto-track serial number generation and indices. Below, we will look at manually managing absolutely every aspect without requiring any particular path. For absolutely quick-and-dirty CAs, all of the indexing can be ignored.

One-step generation of CA/self-signed certificate

openssl req -x509 -nodes -newkey ed25519 -out myca.pem -keyout myca.key -days 365 -subj /O=CA -addext basicConstraints="critical,CA:TRUE" -addext nsCertType="sslCA,emailCA"

Multi-step generation of CA/self-signed certificate

openssl req -nodes -out myca.req -newkey ed25519 -subj /O=CA -addext basicConstraints=critical,CA:true -addext nsCertType=sslCA,emailCA
openssl x509 -req -in myca.req -signkey myca.key -days 365 -copy_extensions copy -set_serial 1 -out myca.pem

Curious looking invocations

openssl req -x509: Asking the "req" subprogram to directly proceed to generation of an X.509 (rather than a CSR)
openssl x509 -req: Telling the "x509" subprogram that the -in input file is a CSR (rather than an X.509).

Generation of a CA-capable server certificate from Root CA

Assuming the server will be reached with https://127.0.0.2/ or e.g. mysql -h 127.0.0.2 …:
openssl req -nodes -newkey ed25519 -out mysrv.req -keyout mysrv.key -subj /CN=127.0.0.2 -addext basicConstraints=critical,CA:true -addext nsCertType=sslCA,emailCA,server,email
openssl x509 -CA myca.pem -CAkey myca.key -req -in mysrv.req -days 365 -copy_extensions copy -set_serial 2 -out mysrv.pem
Servers should emit the entire certificate chain to TLS clients when something connects, so generate one:
cat mysrv.pem myca.pem >mysrv.bnd

Generation of a client certificate tied to the server

openssl req -nodes -newkey ed25519 -out mycl.req -keyout mycl.key -subj /CN=someusername -addext basicConstraints=CA:false -addext nsCertType=client,email
openssl x509 -CA mysrv.pem -CAkey mysrv.key -req -in mycl.req -days 365 -copy_extensions copy -set_serial 3 -out mycl.pem
Clients may want to verify their own certificate standalone (without context to a connected server), so the chain should be available:
cat mycl.pem mysrv.pem myca.pem >mycl.bnd

System placement

On SUSE and/or where the ca-certificates package is installed, certificate files that should be globally available are to be copied into /etc/pki/trust/anchors (and running update-ca-certificates).