Jun 22, 2020 · The official documentation on the openssl_certificate module.

openssl_dhparam – Generate OpenSSL Diffie-Hellman Parameters
The official documentation on the openssl_dhparam module.

openssl_pkcs12 – Generate OpenSSL PKCS#12 archive
The official documentation on the openssl_pkcs12 module.

openssl_privatekey – Generate OpenSSL private keys
    openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
        -CA cacert.pem -CAkey key.pem -CAcreateserial

Set a certificate to be trusted for SSL client use and set its alias to "Steve's Class 1 CA":

    openssl x509 -in cert.pem -addtrust sslclient \
        -alias "Steve's Class 1 CA" -out trust.pem

# openssl ca -policy policy_anything -config -out windows_server.crt -extensions some_ext -extfile some_extensions.txt -infiles cert_request.csr

provided you have created a file named "some_extensions.txt" in the same directory and it has got the required extensions the Windows box required.

id-ce-keyUsage
This extension indicates the purpose for which the certified public key is used. This extension may, at the option of the certificate issuer, be either critical or non-critical.

>> OpenSSL has Key Encipherment (e0) as a Key Usage, while a certificate
>> generated through MS Certificate Server has Key Encipherment (a0).
>
> What do you get in the keyUsage extension when you do:
>
> openssl x509 -in cert.pem -noout -text
>
openssl shows "Key Encipherment" for both certificates. Is the e0/a0 issue a MS undocumented "feature"?

Type

    openssl req -new -key privkey.pem -out request.csr

This command generates a CSR in the PEM format in your current working directory. When you are prompted for the x509 Common Name attribute information, type your fully-qualified domain name (FQDN). Use other information as appropriate.

    # cd /root/ca
    # openssl req -config openssl.cnf \
          -key private/ca.key.pem \
          -new -x509 -days 7300 -sha256 -extensions v3_ca \
          -out certs/ca.cert.pem

    Enter pass phrase for ca.key.pem: secretpassword
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
Jun 23, 2020 ·

    openssl genrsa -out dev.deliciousbrains.com.key 2048

Then we create a CSR:

    openssl req -new -key dev.deliciousbrains.com.key -out dev.deliciousbrains.com.csr

You’ll get all the same questions as you did above and, again, your answers don’t matter.
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

    # This will be displayed in Netscape's comment listbox.
    nsComment = "OpenSSL Generated Certificate"

    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer

Here's an example for adding a set of S/MIME client capability extensions when signing an S/MIME user cert, taken from an example on the OpenSSL mailing list:

    [my_cert_extensions]
    basicConstraints = CA:FALSE
    keyUsage = critical, keyEncipherment, dataEncipherment
    SMIME-CAPS = ASN1:SEQUENCE:smime_seq
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer

    [ smime_seq ]
    SMIMECapability

These purposes may be specified in addition to those of the KeyUsage extension, or in place of those. The ASN.1 definition of the ExtendedKeyUsage extension is specified as follows:

    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

    KeyPurposeId ::= OBJECT IDENTIFIER

Key purposes may be defined by any organization with a need.

    [ usr_cert ]
    basicConstraints=CA:FALSE
    nsCertType = client, server, email
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    nsComment = "OpenSSL Generated Certificate"
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer