OpenSSL

OpenSSL - Verify Certificate

April 24, 2025

Verify the certificate

openssl x509 -in server/certs/client.crt -text -noout
openssl x509 -in server/certs/server.crt -text -noout

Verify the certificate chain

# First, concatenate the CA certificates (intermediate first, then root)
cat mid-ca.crt ca.crt > ca-bundle.crt

# Then verify using the chain file
openssl verify -CAfile ca-bundle.crt server/certs/client.crt
openssl verify -CAfile ca-bundle.crt server/certs/server.crt
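
Every certificate in the file given to -CAfile is treated as trusted. The added example below (not from the original post) builds a throwaway chain and verifies each leaf against the root only, passing the intermediate with -untrusted and checking the intended use with -purpose. All file names, CNs and the extension sections in demo.cnf are constructed for the demo, since the post's mid-ca.conf is not shown.

```shell
#!/bin/sh
# Added example: throwaway three-tier chain, then strict verification.
# Every file name, CN and extension section here is constructed for the demo.
make_demo_chain() (   # $1 = empty working directory
  cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client_cert]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed root, then an intermediate and two leaves signed down the chain.
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 1 -extensions v3_ca \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null || exit 1
  issue() {  # $1=name  $2=CN  $3=extension section  $4=issuer name
    openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -extfile demo.cnf -extensions "$3" -days 1 -out "$1.crt" 2>/dev/null
  }
  issue mid-ca "Demo Intermediate CA" v3_ca ca &&
  issue server "Demo Server" server_cert mid-ca &&
  issue client "Demo Client" client_cert mid-ca
)

# Trust only the root, offer the intermediate as an untrusted chain helper,
# and require the leaf's key usage / EKU to fit the stated purpose.
verify_strict() {  # $1=dir  $2=leaf name  $3=sslserver|sslclient
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/mid-ca.crt" \
    -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
for t in "server sslserver" "client sslclient" "client sslserver"; do
  set -- $t
  if verify_strict "$demo" "$1" "$2"; then echo "$1 as $2: OK"; else echo "$1 as $2: REJECTED"; fi
done
```

The last case is rejected because a certificate carrying only the clientAuth extended key usage does not satisfy the sslserver purpose.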

See also:

OpenSSL - Initial Setup

OpenSSL (1) - Root CA

OpenSSL (2) - Intermediate CA

OpenSSL (3) - Server Certificate

OpenSSL (4) - Client Certificate

April 24, 2025

Create a Client Certificate

1. Generate a client key file

openssl genrsa -out server/private/client.key 2048

2. Generate a client Certificate Signing Request (CSR)

openssl req -config mid-ca/mid-ca.conf -key server/private/client.key -new -sha256 -out server/csr/client.csr

e.g., CN=GCS-Client-Certificate-v0x

3. Sign the client CSR using the client_cert extension

openssl ca -config mid-ca/mid-ca.conf -extensions client_cert -days 3650 -notext -in server/csr/client.csr -out server/client-certs/client.crt

4. Generate client PFX (if needed)

openssl pkcs12 -inkey server/private/client.key -in server/client-certs/client.crt -export -out server/client-certs/client.pfx -passout pass:

See also:

Download from CloudShell

OpenSSL - Initial Setup

March 10, 2025

OpenSSL Initial Setup

1. Create a folder structure

mkdir -p certs/{ca,mid-ca,server}/{private,certs,newcerts,crl,csr}

2. Change the permissions

chmod -v 700 certs/{ca,mid-ca,server}/private

3. Create index files

touch certs/{ca,mid-ca}/index

4. Set a serial number

openssl rand -hex 16 > certs/ca/serial
openssl rand -hex 16 > certs/mid-ca/serial

5. Copy and place the configuration files

ca.conf - mid-ca.conf


See also:

OpenSSL - Initial Setup

OpenSSL (1) - Root CA

OpenSSL (2) - Intermediate CA

OpenSSL (3) - Server Certificate

OpenSSL (3) - Server Certificate

February 9, 2025

Create a Server Certificate

1. Generate a key file (this can be a one-off operation)

openssl genrsa -out server/private/server.key 2048

2. Generate a Certificate Signing Request (CSR)

openssl req -config mid-ca/mid-ca.conf -key server/private/server.key -new -sha256 -out server/csr/server.csr

e.g., CN=GCS-Server-Certificate-v0x

3. Sign the request (CSR) with the Sub-CA

openssl ca -config mid-ca/mid-ca.conf -extensions server_cert -days 3650 -notext -in server/csr/server.csr -out server/certs/server.crt

4. Generate PFX with NO password

openssl pkcs12 -inkey server/private/server.key -in server/certs/server.crt -export -out server/certs/server.pfx -passout pass:

5. Result

OpenSSL (2) - Intermediate CA

February 9, 2025

Create an “Intermediate CA” certificate

1. Generate a key file for “Intermediate CA”

openssl genrsa -aes256 -out mid-ca/private/mid-ca.key 4096

2. Change the permission of mid-ca.key

chmod 400 mid-ca/private/mid-ca.key

3. Generate a Certificate Signing Request (CSR)

openssl req -config ca/ca.conf -new -key mid-ca/private/mid-ca.key -sha256 -out mid-ca/csr/mid-ca.csr

4. Sign the request file with the Root-CA

openssl ca -config ca/ca.conf -extensions v3_mid_ca -days 3650 -notext -in mid-ca/csr/mid-ca.csr -out mid-ca/certs/mid-ca.crt

5. Change the permission of mid-ca.crt

chmod 444 mid-ca/certs/mid-ca.crt

6. Check the backup file created in the newcerts directory

OpenSSL (1) - Root CA

February 9, 2025

Create a “Root CA” certificate

1. Generate a key file for “Root CA”

openssl genrsa -aes256 -out ca/private/ca.key 4096

2. Change the permission of ca.key

chmod 400 ca/private/ca.key

3. Check the content of ca.key

openssl rsa -noout -text -in ca/private/ca.key

4. Generate a certificate file for “Root CA”

openssl req -config ca/ca.conf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/certs/ca.crt

5. Change the permission of ca.crt

chmod 444 ca/certs/ca.crt 

6. Check the contents of ca.crt

openssl x509 -noout -text -in ca/certs/ca.crt

See also:

OpenSSL - Initial Setup