A Certificate Signing Request (CSR) is one of the first steps towards getting your own SSL Certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate. In other way, a CSR is an encoded file that provides you with a standardized way to send DigiCert your public key as well as some information that identifies your company and domain name.
Private Keys and Public Keys terms are used in encryption and decryption. These keys are used to encrypt/decrypt sensitive information.
Private Key
The private key is used to both encrypt and decrypt the data. This key is shared between the sender and receiver of the encrypted sensitive information. The private key is also called symmetric being common for both parties. Private key cryptography is faster than public-key cryptography mechanism.
Public Key
The public key is used to encrypt and a private key is used decrypt the data. The private key is shared between the sender and receiver of the encrypted sensitive information. The public key is also called asymmetric cryptography.
The following are some of the important differences between Private Key and Public Key.
Generate a Private Key and a CSR together
[root@ ~]# openssl req -new -newkey rsa:2048 -nodes -keyout server5308.key -out server5308.csr
Generating a 2048 bit RSA private key
..................................................................................................+++
writing new private key to 'dewaserv5308.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:AE
State or Province Name (full name) []:DXB
Locality Name (eg, city) [Default City]:Dubai
Organization Name (eg, company) [Default Company Ltd]:XYZ
Organizational Unit Name (eg, section) []:AMI
Common Name (eg, your name or your server's hostname) []:xyz.smartgrid.local
Email Address []:xyz@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xdsarrdddd
An optional company name []:XYZ
Generate a CSR from an Existing Private Key
if you already have a private key of the server
[root@ ~]# openssl req -key server5308.key -new -out server5308.csr
Generate a CSR from an Existing Certificate and Private Key
if you already have a private key and Certificate of the server
[root@ ~]# openssl x509 -in server5308.crt -signkey server5308.key -x509toreq -out server5308.csr
Generate a Self-Signed Certificate and private key
[root@ ~]#openssl req -newkey rsa:2048 -nodes -keyout server5308.key -x509 -days 365 -out server5308.crt
Generate a Self-Signed Certificate from an Existing Private Key
if you already have a private key of the server
[root@ ~]# openssl req -key server5308.key -new -x509 -days 365 -out server5308.crt
Generate a Self-Signed Certificate from an Existing Private Key and CSR
if you already have a private key and CSR of the server
[root@ ~]# openssl x509 -signkey server5308.key -in server5308.csr -req -days 365 -out server5308.crt
View CSR entries
[root@ ~]#openssl req -text -noout -verify -in server5308.csr
View private key entries
[root@ ~]#openssl rsa -check -in server5308.key
View Certificate Entries
[root@ ~]#openssl x509 -text -noout -in server5308.crt
Verify a Certificate was Signed by a CA
[root@ ~]#openssl verify -verbose -CAFile ca.crt server5308.crt
[root@ ~]#openssl verify -CAfile cacert.pem xyz.smartgrid.local.pem
Verify a Private Key Matches a Certificate and CSR
[root@ ~]#openssl rsa -noout -modulus -in server5308.key | openssl md5
[root@ ~]#openssl x509 -noout -modulus -in server5308.crt | openssl md5
[root@ ~]#openssl req -noout -modulus -in server5308.csr | openssl md5
Check the issuer and CN(common name)
[root@ ~]#cd /etc/httpd/ssl
[root@ ~]#openssl x509 -in xyz.smartgrid.local.pem -noout -subject
[root@ ~]#openssl x509 -inxyz.smartgrid.local.pem -noout -issuer -subject
Creating pkcs file
[root@ ~]#openssl pkcs12 -export -in xyz.smartgrid.local.pem -inkey xyz.smartgrid.local.key -out xyz.smartgrid.local.p12
[root@ ~]#openssl pkcs12 -export -in xyz.smartgrid.local.pem -inkey xyz.smartgrid.local.key -out xyz.smartgrid.local.p12 -chain -CAfile cacert.pem
No comments:
Post a Comment