Working With Certificates and OpenSSL

In 2018, SSL is a fact of life everywhere. Below are a couple of common, useful tips:

Generating a CSR and key from a bash script:

 


#!/bin/bash
#Written By rich.staats@metaltoad.com
#Last Modified April 20, 2016
#Auto-Generate CSR and Key file for SHA-256 SSL Certs

#Required Site Info
sitename=$1
commonname=$sitename

#Check for Site Name, If missing error output will be displayed
if [ -z "$sitename" ]
then
	echo "Error! No site name provided, please provide a sitename after typing newcert.sh. ex: newcert.sh mysite.com"
	exit 99
fi

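#Generate CSR and Key (-nodes leaves the private key unencrypted on disk)
#openssl prompts for the subject fields; enter the site name as the Common Name
if ! openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$HOME/$sitename.key" -out "$HOME/$sitename.csr"
then
	echo "Error! openssl failed, no CSR was generated." >&2
	exit 1
fi

#Show CSR to copy and Paste
echo "Your request completed successfully, copy the CSR below and use a certificate provider to generate an SSL certificate from this CSR"
cat "$HOME/$sitename.csr"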

Comparing a newly issued crt to its keyfile to ensure they match:


openssl x509 -noout -modulus -in mydomain.com.crt | openssl md5
openssl rsa -noout -modulus -in mydomain.com.key | openssl md5

Both commands should print the same MD5 string. If the values do not match, you have a cert/key mismatch.
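
The same cert/key check, generalized as an added example that is not part of the original post: it hashes the public key instead of the RSA modulus, so it also works for EC keys and for checking a CSR against its key. The function names and the constructed sample data (`example.test`, `a.key`, `b.key`) are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not from the original post.

# Print the PEM public key carried by a file; kind is crt, key or csr.
pubkey_of() {
	case "$1" in
		crt) openssl x509 -in "$2" -noout -pubkey ;;
		key) openssl pkey -in "$2" -pubout ;;
		csr) openssl req -in "$2" -noout -pubkey ;;
		*)   return 2 ;;
	esac 2>/dev/null
}

# Print the SHA-256 of that public key. Fails on an unreadable or unparsable
# file, so two broken inputs can never "match" on the hash of empty output.
pubkey_fingerprint() {
	local pem
	pem=$(pubkey_of "$1" "$2") || return 1
	[ -n "$pem" ] || return 1
	printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KIND FILE KIND FILE: 0 = same key, 1 = mismatch, 2 = error.
same_keypair() {
	local a b
	a=$(pubkey_fingerprint "$1" "$2") || return 2
	b=$(pubkey_fingerprint "$3" "$4") || return 2
	[ "$a" = "$b" ]
}

# Constructed sample data: throwaway RSA key + self-signed cert, and an
# unrelated EC key + CSR, written to the directory given as $1.
make_samples() {
	openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
		-subj "/CN=example.test" -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
	openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
		-out "$1/b.key" 2>/dev/null &&
	openssl req -new -key "$1/b.key" -subj "/CN=example.test" -out "$1/b.csr" 2>/dev/null
}

# Usage: checkpair.sh mydomain.com.crt mydomain.com.key
if [ "$#" -eq 2 ]; then
	if same_keypair crt "$1" key "$2"; then
		echo "OK: certificate and key belong together"
	else
		echo "MISMATCH (or a file could not be parsed)" >&2; exit 1
	fi
fi
```

Running the check before the pfx conversion catches a wrong pairing before the bundle is built.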

Converting crt and key to pfx:


openssl pkcs12 -export -out mydomain.com.pfx -inkey mydomain.com.key -in mydomain.com.crt
