B OpenSSL Cheatsheet

It is possible to use openssl to perform basic PKI functions. This cheat sheet shows common openssl operations needed to create certificate authorities, sign certificate requests, generate private keys, strip passphrases, and so on. The intended audience of this appendix is developers or testers who need to quickly create certificates and keys to verify or execute security guide procedures. Customer deployments will use a PKI system with these capabilities built in, or will use an internal CA to manage important certificate lifecycle operations.

  1. Create CA Certificate Private Key
    $ openssl genrsa 2048 > ca-key.pem
      Generating RSA private key, 2048 bit long modulus
      ............................................................................+++
      .......+++
      e is 65537 (0x10001)
  2. Create CA Certificate
    $ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:NC
      Locality Name (eg, city) [Default City]:Morrisville
      Organization Name (eg, company) [Default Company Ltd]:Oracle Corporation Inc
      Organizational Unit Name (eg, section) []:CGBU
      Common Name (eg, your name or your server's hostname) []:exampleDbCa
      Email Address []:
  3. Create a Certificate Signing Request and Sign It
    $ openssl req -newkey rsa:2048 -days 30 -nodes -keyout server-key.pem -out server-req.pem
      Generating a 2048 bit RSA private key
      ................+++
      ....................................................................................................+++
      writing new private key to 'server-key.pem'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:NC
      Locality Name (eg, city) [Default City]:Morrisville
      Organization Name (eg, company) [Default Company Ltd]:Oracle Corporation Inc
      Organizational Unit Name (eg, section) []:CGBU
      Common Name (eg, your name or your server's hostname) []:mysql-1.example.com
      Email Address []:

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:OccneNextGenCne
      An optional company name []:
  4. Strip the Passphrase from a CSR
    $ openssl rsa -in server-key.pem -out server-key.pem
      writing RSA key
  5. Create a Signed Certificate
    $ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
      Signature ok
      subject=/C=US/ST=NC/L=Morrisville/O=Oracle Corporation Inc/OU=CGBU/CN=OccneDataTierMySQLNDB
      Getting CA Private Key
  6. Verify Certificate / Key pair
    $ openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
      /var/occnedb/opensslcerts/server-cert.pem:OK
      /var/occnedb/opensslcerts/client-cert.pem:OK
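The six steps above, run as one non-interactive script. This is an added example and is not part of the original appendix or of any product's tooling. The file names follow the cheat sheet; the -subj values, the hostname mysql-1.example.com, the organisation name and the scratch directory are constructed. Three details differ from the interactive commands: the step 4 command acts on the private key file (it is the key, not the CSR, that can carry a passphrase, and with -nodes the key is already unencrypted, so the step is a no-op here); the certificate is signed with -CAcreateserial rather than -set_serial 01, so every certificate the CA issues gets a distinct serial number instead of reusing 01; and a subjectAltName is added, because TLS clients match the hostname against the SAN, not the CN. The last function also checks what `openssl verify` does not: that the private key actually belongs to the certificate.

```shell
#!/bin/sh
# Added example (not from the original appendix): the cheat-sheet steps as one
# script. File names follow the cheat sheet; -subj values, the hostname and the
# scratch directory are constructed for illustration.
set -eu
umask 077                              # keys are written unencrypted; restrict file modes
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # scratch directory, nothing in $PWD is touched
SERVER_NAME="mysql-1.example.com"      # constructed hostname

# Steps 1 and 2: CA private key and self-signed CA certificate.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3600 -key "$WORKDIR/ca-key.pem" \
    -subj "/C=US/ST=NC/L=Morrisville/O=Example Org/OU=Lab/CN=exampleDbCa" \
    -out "$WORKDIR/ca.pem" 2>/dev/null
}

# Step 3: server key plus CSR. -nodes skips the passphrase prompt, so the key is
# written in the clear. -days is omitted: it has no effect on a CSR.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/server-key.pem" \
    -subj "/C=US/ST=NC/L=Morrisville/O=Example Org/OU=Lab/CN=$SERVER_NAME" \
    -out "$WORKDIR/server-req.pem" 2>/dev/null
}

# Step 4: remove any passphrase from the private key (not the CSR). openssl rsa
# reads the whole input before opening the output, so in-place rewriting works.
strip_passphrase() {
  openssl rsa -in "$WORKDIR/server-key.pem" -out "$WORKDIR/server-key.pem" 2>/dev/null
}

# Step 5: sign the CSR with the CA. -CAcreateserial gives each issued certificate
# a fresh serial; the extension file adds the SAN that hostname checks rely on.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" \
    > "$WORKDIR/server-ext.cnf"
  openssl x509 -req -in "$WORKDIR/server-req.pem" -days 365 \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -extfile "$WORKDIR/server-ext.cnf" -out "$WORKDIR/server-cert.pem" 2>/dev/null
}

# Step 6a: chain check, as on the page. Exit status 0 means server-cert.pem
# chains to ca.pem and is within its validity period.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server-cert.pem" >/dev/null
}

# Step 6b: key-pair check. The public key embedded in the certificate must equal
# the public key derived from the private key; a mismatch means the wrong key
# was deployed next to the certificate.
verify_keypair() {
  cert_pub=$(openssl x509 -in "$WORKDIR/server-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/server-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Confirms the SAN made it into the issued certificate.
cert_has_san() {
  openssl x509 -in "$WORKDIR/server-cert.pem" -noout -text | grep -q "DNS:$SERVER_NAME"
}

run_all() {
  make_ca && make_server_csr && strip_passphrase && sign_csr \
    && verify_chain && verify_keypair && cert_has_san
}

run_all
echo "CA and server certificate created in $WORKDIR"
```

Running the script prints the scratch directory; inspect the issued certificate with `openssl x509 -in "$WORKDIR/server-cert.pem" -noout -text` to see the serial number and the subjectAltName. Everything is written under a 0700 directory with umask 077 because all three private keys are stored without a passphrase.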