Handling Keys and CSRs and Certificates

I pulled out creating CSRs to its own page as it's one of the most common things people need to do. But there are other things end-users of SSL might want to do. This aims to be a collection of useful bits.

Keys

• Create a key
  openssl req -new -keyout my.key -out my.req
• Examine a key
  openssl rsa -noout -text -in my.key
  Note that for DSA keys, use the "dsa" sub-command of openssl instead.

CSRs

• Create a CSR and private key
  openssl req -newkey rsa:2048 -keyout my.key -out my.csr
• Create a CSR from an existing private key
  openssl req -key my.key -out my.csr
• Examine a CSR
  openssl req -noout -text -in my.csr
• Verify a CSR (verify the signature - not very often needed)
  openssl req -verify -noout -text -in my.csr

Certificates

• Examine a certificate
  openssl x509 -noout -text -in my.crt
• Verify a certificate against a CA
  openssl verify -CAfile cacert.pem my.crt
• Verify a certificate against a CA-chain (for when your cert was issued by a subordinate CA)
  cat ca_root.pem ca_1.pem ca_2.pem ca_3.pem ... > ca_bundle.crt
openssl verify -CAfile ca_bundle.crt my.crt
• Get the "hash" of a certificate. When using the "-CApath" option, openssl (and other software), will look for certificates in the directory by hash, expecting the filenames to be this value.
  openssl x509 -noout -hash -in my.crt