Common OpenSSL Commands
Spoiler Alert: Almost nobody remembers the arcane commands that make computers go unless they’re used all the time. When McGee on NCIS (or any other famous TV computer expert) uses a Commodore 64 and a modem to hack the NSA from memory in a couple of minutes, that’s acting. In real life, you would need nearly a half hour and a laptop made within the past 5 years. Naturally, real experts never look anything up so hacking the NSA from memory is pretty realistic if you use the correct equipment. Any expert can do it. (Just kidding.)
Seriously, computers are like anything else. The half-life of information you don’t use very often is pretty short, especially when it comes to the commands necessary to create certificates using OpenSSL. Few things are more cryptic to the average home network administrator. The recent Heartbleed scare forced me to re-create several certificates, although I seriously doubt anyone hacked into any server over here. I did it for the experience and was rather surprised at how much I had forgotten over the past few months.
Fortunately, I had this on-line book as a reference along with the handy little text file I referred to frequently when I first wrote the SSL oriented articles. Rebuilding the OpenSSL certificate files became an exercise in copy and paste.
How the Experts Really Do It
In real life, you remember the things you frequently do and sometimes remember the things you do on an irregular but repeating basis. You look up the rest. This doesn’t mean you start from scratch every time you need to refresh your memory. It hopefully means you know where to quickly pick up the missing bits and pieces so you can continue with the major task at hand. Little text files with commonly used commands are very popular if your work involves precise recall and entry of details most people find mind-numbing.
Here’s my OpenSSL text file. I made much of it via copy and paste from articles in Advanced Home Server and used copy and paste from many articles into a command window (elevated with administrator privileges) to make various keys and certificates.
This is a basic command window. Please note it was opened with Administrator privileges. OpenSSL will choke if you don’t have the proper security level when you work with it.
Just in case you don’t feel like typing them in, here’s a text version. The explanations for why you would use any of them are in the articles. Creating a text file like one above is recommended after you decide which commands are important for your network.
Create key for new certificate authority
openssl genrsa -out ca.key 2048
Create certificate for certificate authority using CA key
openssl req -new -key ca.key -out CA.crt -x509 -days 3650
Use CA certificate and key to sign CSR from IIS
Openssl x509 -req -days 1825 -in iis-csr.txt -CA ca.crt -CAkey ca.key -CAcreateserial -out IIS.cer
Create key for client certificate
openssl genrsa -out client.key 2048
Create certificate signing request using client key
openssl req -new -out client.csr -key client.key
Create signed client certificate using CSR and certificate authority certificate and key
Openssl x509 -req -days 1825 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
convert client certificate and key to P12 format
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12
Convert p12 format certificate to pem format
openssl pkcs12 -in client.p12 -out client.pem -clcerts
OpenSSL has a rich command structure. I only use a few of them and often in limited ways, but these are all I need to suit my purposes.
Of course, these instructions don’t apply to qualified TV and movie hackers. Give one enough screen time and he/she could talk to martians or crack the CIA mainframe using a no-contract cell phone, unlimited text and data, a couple of open source apps, and a can of Red Bull.