====== OpenSSL ======

===== Generating a Self-Signed Certificate =====

<code>
# One-liner
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes \
-subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Pocket Theories/OU=IT/CN=myserver"

# ...or, in separate steps

# Create a key (genrsa - deprecated in favor of genkpkay in OpenSSL 3)
openssl genrsa -aes128 -out my_server.key 4096  # -aes128 instead of -des3 is recommended

# Create a key (genpkey)
openssl genpkey -aes-128-cbc -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out a.key


# Create a CSR
openssl req -new -key my_server.key -out my_server.csr -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
-subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Pocket Theories/OU=IT/CN=myserver" -addext "extendedKeyUsage=serverAuth" \
-addext "keyUsage=critical,digitalSignature,keyEncipherment"

# Create certificate
openssl x509 -in my_server.csr -out my_server.crt -req -signkey my_server.key -days 3650
</code>

===== Generating a CA and Certificate =====

<code>
# Create a CA
openssl req -newkey rsa:2048 -new -x509 -sha256 -extensions v3_ca -out ca.cert -keyout ca.key \
-subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Pocket Theories/OU=IT/CN=ca" -nodes -days 3650

# Create a CSR
openssl req -sha256 -nodes -newkey rsa:2048 -keyout myserver.key -new -out myserver.csr -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=Pocket Theories/OU=IT/CN=localhost/emailAddress=nitin@nospam.com" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" -addext "extendedKeyUsage=serverAuth,clientAuth" -addext "keyUsage=critical,digitalSignature,keyEncipherment"

# Create certificate
sudo openssl ca -in myserver.csr -out myserver.cert -keyfile ca.key -cert ca.cert -outdir . -batch -days 3650 -copy_extensions copyall
# (un-comment "copy_extensions=copy" in openssl.cnf, or use "-copy_extensions copyall")
</code>

===== Validating a Certificate and Key are a match =====

<code>
# Get the MD5 for modulus of both files and compare
openssl x509 -noout -modulus -in file.cert | openssl md5
openssl rsa -noout -modulus -in file.key | openssl md5
</code>

===== Using a Config File =====

<code>
cat > myopenssl.cnf << EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=$dir/index.txt
new_certs_dir=$dir/newcerts
serial=$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
 
[ dn ]
C=IN
ST=Maharashtra
L=Mumbai
OU=Pocket Theories
CN=*.$1
emailAddress=nitin@nospam.org
 
[ req_ext ]
subjectAltName=@alt_names
 
[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF

# openssl req ... -config myopenssl.cnf
# openssl ca ... -config myopenssl.cnf
</code>

===== ECDSA keys =====

<code>
# ECDSA lets you use shorter keys while getting the same level of security as RSA.

# Within "openssl req"
openssl req ... -newkey ec -pkeyopt ec_paramgen_curve:secp521r1

# Some would avoid using "nistp256, nistp384, nistp521" and instead use "Curve25519" due to bad actors at NSA. 
openssl genpkey -algorithm EC -out some_x25519.key -pkeyopt ec_paramgen_curve:X25519 -pkeyopt ec_param_enc:named_curve
</code>

===== Key file formats =====

<code>
PKCS1
-----BEGIN RSA PRIVATE KEY-----

PKCS8
-----BEGIN PRIVATE KEY-----

PKCS8 Encrypted
-----BEGIN ENCRYPTED PRIVATE KEY-----

# Convert PKCS1 to PKCS8
openssl pkcs8 -topk8 -inform pem -in file.key -outform pem -nocrypt -out file.pem

# Convert PKCS8 to PKCS1
openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem -traditional
# -traditional is needed for OpenSSL 3.0+
</code>