Working with SSL Certificates

An openssl.cnf file (for example /etc/openssl.cnf).

The important part is dir = /path/to/ca, which should point at wherever you put your initialized certificate authority (see "Create a Certificate Authority" below). Use sha256 and 2048-bit (or larger) RSA keys as the defaults: SHA-1 signatures and 1024-bit RSA keys are rejected by current browsers and TLS libraries.

# =================================================
# OpenSSL configuration file
# =================================================

RANDFILE = /path/to/ca/.rnd

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /path/to/ca
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/cakey.pem
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
# sha1 signatures are no longer accepted by clients; sign with sha256
default_md = sha256
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# 1024-bit RSA keys and sha1 are obsolete; generate 2048-bit keys signed with sha256
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-crl-list/crl.pem
# (Netscape-only; the standard extension clients actually read is crlDistributionPoints = URI:...)

[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
#nsComment = "OpenSSL Certificate for SSL Web Server"

[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
#nsComment = "OpenSSL Certificate for SSL Client"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = CA:true
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
#nsComment = "OpenSSL CA Certificate"

[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
#nsComment = "OpenSSL generated CRL"

Create a Certificate Authority (using CA.pl) -- !!! DO NOT USE CA.SH !!! (it was removed from OpenSSL long ago) -- and make sure OpenSSL is actually reading the openssl.cnf above: /etc/openssl.cnf is not a default location, so set the OPENSSL_CONF environment variable to it, which the openssl commands that CA.pl runs honour. CA.pl builds its tree under ./demoCA by default, so with the commands below the CA lands in /path/to/ca/demoCA; make dir in [ CA_default ] point there, or move the contents up one level.

cd /path/to/ca
CA.pl -newca

Display the Contents of an SSL Certificate or CSR

openssl x509 -in certificate.pem -noout -text
openssl req -in certificate.csr -noout -text

The first reads a certificate, the second a certificate signing request; x509 will not parse a CSR and req will not parse a certificate.

Verify that an SSL Certificate Matches a Specific Key

(openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

If the certificate and key match, one hash is emitted; if they don't, two are. This compares the RSA modulus, so it only works for RSA keys. For EC (or any other) keys compare the public keys instead: openssl x509 -noout -pubkey -in server.pem against openssl pkey -pubout -in server.key, which both print the same SubjectPublicKeyInfo PEM block when the pair matches.

Create a Client Certificate

openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout certificate.key -out certificate.csr -subj '/O=YourOrg/OU=YourOrgUnit/CN=Your Name'
openssl ca -config /etc/openssl.cnf -policy policy_anything -extensions ssl_client -out certificate.crt -infiles certificate.csr
openssl pkcs12 -export -clcerts -in certificate.crt -certfile /path/to/ca/cacert.pem -inkey certificate.key -out certificate.p12 -name "Your Name"

-nodes leaves certificate.key unencrypted on disk, so delete it once the bundle exists. The .p12 (private key, client certificate and CA certificate) is what gets imported into the browser or mail client; pkcs12 -export prompts for an export password that protects it.

Create a Web Server CSR

openssl req -new -nodes -keyout www.example.org.key -out www.example.org.csr

Create a Web Server CSR When a Key Already Exists

openssl req -new -nodes -key www.example.org.key -out www.example.org.csr 

Sign a Web Server Certificate with the CA

openssl ca -config /etc/openssl.cnf -policy policy_anything -extensions ssl_server -out www.example.org.crt -infiles www.example.org.csr

This is a CA-signed certificate, not a self-signed one (self-signed is what openssl req -x509 produces). -extensions ssl_server matters: [ CA_default ] above sets no x509_extensions, so without it openssl ca issues a v1 certificate with no extensions at all. Current browsers also ignore the CN and require the host name in a subjectAltName, so add subjectAltName = DNS:www.example.org to the ssl_server section (or copy it from the request with copy_extensions = copy, after checking that the CSR carries nothing else).

Renew a Certificate from a CSR

openssl ca -config /etc/openssl.cnf -policy policy_anything -extensions ssl_server -startdate [now] -enddate [previous enddate+365days] -out newcert.pem -infiles newreq.pem

Both dates are UTC in YYMMDDHHMMSSZ form, or leave them out and default_days from the config applies. -infiles must be the last option: everything after it is read as the name of a request file. Also, openssl ca refuses to sign a request whose subject already has a valid (V) entry in index.txt, so either revoke the old certificate first or set unique_subject = no in [ CA_default ].

Revoking Certificates

Find the certificate's serial number in index.txt. Each line is tab separated: status (V, R or E), expiry date, revocation date (empty while the certificate is valid, so the field collapses on screen), serial, filename (usually "unknown") and subject DN. The serial is therefore the 4th field, even though it shows up as the 3rd column when you eyeball the file:
V 1802452345445Z D8DA5000009A700 unknown /C=CA/ST=.../L=..../O=YourOrg/CN=Your Name

The CA keeps a copy of every issued certificate as newcerts/<serial>.pem, so revoke it with:

openssl ca -config /etc/openssl.cnf -revoke /path/to/ca/newcerts/D8DA5000009A700.pem

This only flips the entry's status to R in index.txt; nothing reaches clients until a fresh CRL is generated and published (next section).

Publish a CRL

openssl ca -gencrl -crldays 365 -config /etc/openssl.cnf -out /path/to/ca/crl/yourcrlname-ca.crl

Regenerate and republish the CRL after every revocation and again before it expires. -crldays 365 overrides default_crl_days = 30 from the config; a CRL valid for a year lets clients keep accepting a cached copy that predates later revocations for that long, so keep the lifetime short.
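The whole procedure in these notes (initialize the CA, create a CSR, sign it with the ssl_server extensions, check that key and certificate match, find the serial in index.txt, revoke it and publish the CRL) run end to end in a scratch directory, as an added example that is not part of the original notes. It writes its own minimal openssl.cnf with the sections used above, so it needs only the openssl command-line tool (1.1.1 or newer); the scratch paths and the Example Test CA / www.example.org subjects are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the CA workflow run end to end
# in a scratch directory with a minimal openssl.cnf. Needs only the openssl CLI
# (1.1.1+). Scratch paths and the Example Test CA / www.example.org names are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA="$WORK/ca"
CNF="$WORK/openssl.cnf"

# Lay out the tree that [ CA_default ] expects (what CA.pl -newca would do).
init_ca() {
    mkdir -p "$CA/certs" "$CA/newcerts" "$CA/crl" "$CA/private"
    chmod 700 "$CA/private"
    : > "$CA/index.txt"
    echo 1000 > "$CA/serial"
    echo 1000 > "$CA/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_anything
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
[ ssl_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.org
EOF
    # The root is the only certificate here that is genuinely self-signed.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CNF" -extensions v3_ca -subj "/O=Example/CN=Example Test CA" \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}

# CSR with a fresh key, then signed by the CA with the ssl_server extensions
# (without -extensions, openssl ca would issue a v1 cert with no extensions).
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/O=Example/CN=www.example.org" \
        -keyout "$WORK/www.example.org.key" -out "$WORK/www.example.org.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -extensions ssl_server \
        -out "$WORK/www.example.org.crt" -infiles "$WORK/www.example.org.csr" 2>/dev/null
}

# Key/cert match by public-key hash: works for RSA and EC keys, unlike -modulus (RSA only).
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)" = \
      "$(openssl pkey -pubout -in "$2" | openssl sha256)" ]
}

# index.txt is tab separated: status, expiry, revocation date (empty while valid),
# serial, filename, DN. The serial is field 4; it only looks like column 3 on screen.
serial_for_cn() {   # $1 = CN, $2 = status to match (default V)
    awk -F'\t' -v cn="$1" -v st="${2:-V}" '$1 == st {
        n = split($6, p, "/"); for (i = 1; i <= n; i++) if (p[i] == "CN=" cn) print $4
    }' "$CA/index.txt"
}

# Revoking only flips the index.txt entry to R; clients learn nothing until a new CRL is published.
revoke_and_publish_crl() {   # $1 = serial
    openssl ca -config "$CNF" -revoke "$CA/newcerts/$1.pem" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -crldays 30 -out "$CA/crl/ca.crl" 2>/dev/null
}
verify_cert() {           # chain check only: still succeeds after revocation
    openssl verify -CAfile "$CA/cacert.pem" "$WORK/www.example.org.crt" >/dev/null 2>&1
}
verify_cert_with_crl() {  # fails with "certificate revoked" once the CRL says so
    openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/ca.crl" \
        "$WORK/www.example.org.crt" >/dev/null 2>&1
}

init_ca
issue_server_cert
key_matches_cert "$WORK/www.example.org.crt" "$WORK/www.example.org.key"
SERIAL=$(serial_for_cn www.example.org)
revoke_and_publish_crl "$SERIAL"
verify_cert && echo "serial $SERIAL: plain verify still OK (revocation invisible without the CRL)"
verify_cert_with_crl || echo "serial $SERIAL: verify -crl_check rejects it"
echo "CA tree, CRL and certificates are under $WORK"
```

The two verify calls at the end are the point of the exercise: after -revoke a plain openssl verify still passes, because revocation lives only in index.txt and the CRL; only a client that fetches the freshly generated CRL and checks it (-crl_check) rejects the certificate.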