openssl x509 -in input.pem -inform PEM -out output.der -outform DER
openssl x509 -in input.der -inform DER -out output.pem -outform PEM
Creating a server certificate involves only a few steps. To do so, execute the following commands. This post assumes that “OpenSSL initial configuration” and “Creating a ca’s self signed certificate” have been done previously.
Create a private key for the server. This can be accomplished using any user. The secret key, server.key, must be well protected.
openssl genrsa -des3 -out server.key 1024
Create the certificate request. This can be accomplished using any user. The common name (CN) should be the URL of the server. Otherwise, users will get a warning message that the server URL does not match the URL in the certificate.
openssl req -new -key server.key -out server.csr
Create and sign the certificate (change NN for the next certificate serial number available!). You must be logged in as ca to perform this operation. serverNN.crt is the server certificate.
openssl x509 -req -days 365 -in server.csr -CA certs/cacert.pem -CAkey private/cakey.pem -set_serial NN -out serverNN.crt
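The three steps above, followed by the checks worth running before the certificate is installed, as an added shell example that is not part of the original post. It builds a throwaway CA in a temporary directory; the hostname www.example.com, the CA name, the serial 1, the unencrypted keys and the 2048-bit key size (the post's command uses 1024) are assumptions of the example.

```shell
#!/bin/sh
# Added example: throwaway CA plus server certificate, then verification.
# Names, hostname and serial are constructed; keys are left unencrypted
# only because the working directory is disposable.

# issue_server_cert DIR HOSTNAME SERIAL
# Creates DIR/certs/cacert.pem, DIR/private/cakey.pem, DIR/serverSERIAL.crt.
issue_server_cert() {
    dir=$1 host=$2 serial=$3
    mkdir -p "$dir/private" "$dir/certs" && chmod 700 "$dir/private" || return 1
    # Self-signed CA certificate, non-interactive form of the CA command.
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" \
        -days 3650 2>/dev/null || return 1
    # Server key and certificate request; CN is the name clients connect to.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" || return 1
    # Sign the request with the CA key, using an explicit serial number.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/certs/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -set_serial "$serial" -out "$dir/server$serial.crt" 2>/dev/null
}

# check_server_cert DIR HOSTNAME SERIAL
# Returns 0 if all checks pass, otherwise the number of the failed check.
check_server_cert() {
    dir=$1 host=$2 crt="$1/server$3.crt"
    # 1. The certificate chains to the CA certificate.
    openssl verify -CAfile "$dir/certs/cacert.pem" "$crt" >/dev/null 2>&1 || return 1
    # 2. The subject ends in exactly CN=<host>.
    case $(openssl x509 -in "$crt" -noout -nameopt RFC2253 -subject) in
        *"CN=$host") ;;
        *) return 2 ;;
    esac
    # 3. The certificate's public key belongs to server.key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 3
}

work=$(mktemp -d) && issue_server_cert "$work" www.example.com 1 \
    && check_server_cert "$work" www.example.com 1 && echo "server1.crt verified"
rm -rf "$work"
```

Check 3 catches the common mistake of pairing a newly issued certificate with an older server.key.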
In order to create your own certificates, you need a CA (certificate authority) certificate. This certificate will be used to sign every certificate you will create. To do so, execute the following command. This post assumes that “OpenSSL initial configuration” has been done previously.
- Logon with the user ca
- Go in its home directory and issue the command
openssl req -new -x509 -keyout private/cakey.pem -out certs/cacert.pem -days 3650
It is good practice to put the private key on removable media and load it only when signing new certificates. Do not lose it. It is the most important piece of data related to your certificates.
This initial configuration procedure assumes that you are executing it on Linux.
- Create a special user named ‘ca’. Its home directory will hold the data. It must be protected carefully. For example:
groupadd -g 2000 ca
useradd -g 2000 -u 2000 -m -s /bin/bash ca
chmod 700 /home/ca
- Change the variable dir in /etc/ssl/openssl.cnf for the home directory of the ca user just created.
- The default values used for the certificate requests, such as countryName_default, stateOrProvinceName_default and 0.organizationName_default, can be changed in /etc/openssl.cnf.
- Logon with the user ca
- mkdir private certs reqs
- chmod 700 private certs reqs