Jin's Knowledge Base

$ openssl genrsa -aes256 -out server.key 2048 
$ openssl req -new -key server.key -out server.csr 
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

# Generate client key file. Give no password or a password to protect private key 
$ openssl genrsa -aes256 -out user.key [ -passout pass:PASSWORD | -nodes ] 2048 
# Remove password for shared password if required 
$ openssl rsa -in user.key -out user_nopass.key 
# Generate CSR 
$ openssl req -new -key user.key -out user.csr [ -passin pass:PASSWORD ] [ -config user.txt ] 
# Combination of above steps 
$ openssl req -out user1.csr -new -newkey rsa:2048 -keyout user1.key -config user1.txt [ -aes256 | -nodes] [ -passout pass:PASSWORD ] 
# Use root CA to issue the certificate. NOTE: the option is case-sensitive. 
$ openssl x509 -req -days 365 -in user.csr -CA server.crt -CAkey server.key [ -set_serial 01 ] -out user1.crt [ -passin pass:PASSWORD ] -CAserial file.srl </code>

# Convert DEM certs to different formats 
$ openssl x509 -inform der -in user.crt -out user.pem 
# Convert PEM to DEM 
$ openssl x509 -outform der -in user.pem -out user.der 
# Convert PEM to PKCS#12 
$ openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile server.crt