Working with SSL Certificates
An openssl.cnf configuration file, installed as /etc/openssl.cnf.
The important part here is /path/to/ca, which should be wherever you put your initialized certificate authority (see Create a Certificate Authority below). Note that default_md = sha1 and default_bits = 1024 reflect the age of this page; current deployments need sha256 and at least 2048-bit keys.
# =================================================
# OpenSSL configuration file
# =================================================
RANDFILE = /path/to/ca/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /path/to/ca
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/cakey.pem
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-crl-list/crl.pem
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
#nsComment = "OpenSSL Certificate for SSL Web Server"
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
#nsComment = "OpenSSL Certificate for SSL Client"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = CA:true
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
#nsComment = "OpenSSL CA Certificate"
[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
#nsComment = "OpenSSL generated CRL"
Create a Certificate Authority (using CA.pl) -- !!! DO NOT USE CA.SH !!! -- and be sure the openssl.cnf above is in place first.
cd /path/to/ca
CA.pl -newca
Display the Contents of an SSL Certificate or CSR (various)
openssl x509 -in certificate.pem -noout -text
openssl req -in certificate.csr -noout -text
Verify that an SSL Certificate Matches a Specific Key
(openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
If the certificate and key match, one hash will be printed; if they don't, two will. This compares the RSA modulus, so it only applies to RSA keys.
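The same check as a script, added here as an example (not from the original page), generalized beyond RSA: it compares the DER-encoded public key the certificate carries with the public half derived from the private key, so it works for EC keys too. It assumes only an openssl command-line tool on PATH; the fixture keys and certificates are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original page. Compares SubjectPublicKeyInfo
# fingerprints instead of the RSA modulus, so RSA and EC pairs both work.
# Assumes the openssl CLI is on PATH.

# SHA-256 fingerprint of the public key inside a certificate (hex only).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Same fingerprint for the public half of a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# cert_matches_key CERT KEY: exit status 0 if they pair up, 1 otherwise.
# The -n guard stops two empty strings (e.g. an unreadable file) from "matching".
cert_matches_key() {
    c=$(cert_pubkey_fp "$1") && k=$(key_pubkey_fp "$2") && [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed test material: an RSA and an EC key, each with a matching
# self-signed certificate, plus an unrelated RSA key. Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/rsa.key" -out "$dir/rsa.pem" -subj '/O=Example/CN=rsa.example.org' 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ec.key" -sha256 -days 1 \
        -out "$dir/ec.pem" -subj '/O=Example/CN=ec.example.org' 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    echo "$dir"
}

# Stand-alone run: `sh thisfile.sh demo` reports each pairing.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    for pair in "rsa.pem rsa.key" "ec.pem ec.key" "rsa.pem other.key" "ec.pem rsa.key"; do
        crt=${pair% *}; key=${pair#* }
        if cert_matches_key "$d/$crt" "$d/$key"; then echo "$crt <-> $key: match"
        else echo "$crt <-> $key: MISMATCH"; fi
    done
    rm -rf "$d"
fi
```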
Create a Client Certificate
openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout certificate.key -out certificate.csr -subj '/O=YourOrg/OU=YourOrgUnit/CN=Your Name'
openssl ca -config /etc/openssl.cnf -policy policy_anything -extensions ssl_client -out certificate.crt -infiles certificate.csr
openssl pkcs12 -export -clcerts -in certificate.crt -certfile /path/to/ca/cacert.pem -inkey certificate.key -out certificate.p12 -name "Your Name"
Create a Web Server CSR
openssl req -new -nodes -keyout www.example.org.key -out www.example.org.csr
Create a Web Server CSR When a Key Already Exists
openssl req -new -nodes -key www.example.org.key -out www.example.org.csr
Sign a Web Server Certificate with Your Own CA
openssl ca -config /etc/openssl.cnf -policy policy_anything -out www.example.org.crt -infiles www.example.org.csr
Renew a Certificate from a CSR (dates are given in YYMMDDHHMMSSZ form; the bracketed values are placeholders)
openssl ca -config /etc/openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem -startdate [now] -enddate [previous enddate+365days]
Revoking Certificates
Find the certificate's serial number in index.txt (the third visible column; the empty revocation-date column sits between the expiry date and the serial):
V 1802452345445Z D8DA5000009A700 unknown /C=CA/ST=.../L=..../O=YourOrg/CN=Your Name
openssl ca -config /etc/openssl.cnf -revoke /path/to/ca/newcerts/D8DA5000009A700.pem
Publish a CRL
openssl ca -gencrl -crldays 365 -config /etc/openssl.cnf -out /path/to/ca/crl/yourcrlname-ca.crl
Submitted by Kevin on Thu, 03/12/2009 - 15:37