
Certificate Management

These snippets cover the setup and basic management of SSL certificates on a FreeBSD system using the openssl command-line tool.


Certificate Authority Setup

  • Set up the directory structure (after editing openssl.cnf)
[root@snoopy /usr/local/openssl/misc]#./CA.pl -newca
  • Make the CA cert
[root@snoopy /usr/local/openssl/misc/demoCA]#openssl req -config ../../openssl.cnf -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650
  • Copy the public part (the CA certificate) to the webserver so clients can fetch and install it
[root@snoopy /usr/local/openssl/misc/demoCA]#openssl x509 -in cacert.pem -out /usr/local/www/ssl/schmut.com-ca.crt

Certificate Creation

  • Create a certificate request
[root@snoopy /usr/local/openssl/misc]#openssl req -config ../openssl.cnf -new -keyout newkey.pem -out newreq.pem -days 365
  • Sign the cert
[root@snoopy /usr/local/openssl/misc]#openssl ca -config ../openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem
  • To revoke the cert
[root@snoopy /usr/local/openssl/misc]#openssl ca -revoke newcert.pem
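The CA setup and certificate creation steps above, run end to end against a throwaway CA in a temporary directory, as an added example (not part of the cheat sheet). It recreates by hand the demoCA layout that CA.pl -newca produces and supplies its own minimal openssl.cnf, since the page's edited openssl.cnf is not shown; the CA name "Example Test CA", the host name host.example.test and the config contents are constructed. Unlike the interactive commands above it uses -subj, -nodes and -batch so that it runs without prompting (a real CA key should keep the passphrase the cheat sheet's commands ask for), and it adds the two checks a practitioner wants after signing and revoking: a chain verification of the issued cert, and a CRL check showing that a revocation only reaches clients once the CRL is regenerated.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: CA setup, issue, revoke, with checks.
# All names (Example Test CA, host.example.test, this openssl.cnf) are constructed.
set -eu

# The demoCA layout that CA.pl -newca creates, built by hand, plus a minimal config.
setup_ca_dir() {
  mkdir -p demoCA/private demoCA/newcerts
  : > demoCA/index.txt       # the CA's database of issued certs, empty to start
  echo 01 > demoCA/serial    # next certificate serial number
  echo 01 > demoCA/crlnumber # next CRL number
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
prompt = no
# placeholder only; -subj on the command line overrides it
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# "Make the CA cert": self-signed, 10 years, CA extensions. Also emit an (empty) CRL
# right away so that every later verification can include -crl_check.
make_ca_cert() {
  openssl req -config openssl.cnf -new -x509 -nodes -extensions v3_ca -days 3650 \
    -subj "/CN=Example Test CA" -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
  openssl ca -config openssl.cnf -gencrl -out crl.pem
}

# "Create a certificate request": new key + CSR for the host.
make_request() {
  openssl req -config openssl.cnf -new -nodes -subj "/CN=host.example.test" \
    -keyout newkey.pem -out newreq.pem
}

# "Sign the cert": -batch skips the interactive "Sign the certificate?" prompt.
sign_request() {
  openssl ca -config openssl.cnf -batch -policy policy_anything -out newcert.pem -infiles newreq.pem
}

# "To revoke the cert": marks the index.txt entry R, then reissues the CRL. Without the
# second step clients that check the old CRL still accept the cert.
revoke_cert() {
  openssl ca -config openssl.cnf -revoke newcert.pem
  openssl ca -config openssl.cnf -gencrl -out crl.pem
}

# Prints valid, revoked or invalid for newcert.pem against the CA cert and current CRL.
cert_status() {
  if out="$(openssl verify -crl_check -CAfile demoCA/cacert.pem -CRLfile crl.pem newcert.pem 2>&1)"; then
    echo valid
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo invalid ;;
    esac
  fi
}

WORK="$(mktemp -d)"
cd "$WORK"
setup_ca_dir
make_ca_cert
make_request
sign_request
echo "after signing:  $(cert_status)"   # valid
revoke_cert
echo "after revoking: $(cert_status)"   # revoked
```

The CRL step is the part most often forgotten: openssl ca -revoke only edits the CA's database, and nothing downstream changes until a fresh CRL (or OCSP response) is published.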

Converting to PKCS12

  • PKCS#12 bundles the certificate and its private key into one file; this is the format apps like Thunderbird import
[root@snoopy /usr/local/openssl/misc]#openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out newpkcs12.p12 -name "My Certificate"

SSL with Apache

  • To place the cert in apache's cert directory
[root@snoopy /usr/local/openssl/misc]#openssl x509 -in newcert.pem -out /usr/local/etc/apache/ssl.crt/host.domain.com.crt
  • To place the key in apache's key directory
[root@snoopy /usr/local/openssl/misc]#openssl rsa -in newkey.pem -out /usr/local/etc/apache/ssl.key/host.domain.com.key
  • Lock the key file down: after openssl rsa it is no longer passphrase-encrypted, so only root may read it
[root@snoopy /usr/local/openssl/misc]#chmod 400 /usr/local/etc/apache/ssl.key/host.domain.com.key
[root@snoopy /usr/local/openssl/misc]#chown root:wheel /usr/local/etc/apache/ssl.key/host.domain.com.key

Viewing Certificates

  • The cert in text form. -noout suppresses the output of the actual (PEM) cert.
[root@snoopy /usr/local/openssl/misc]#openssl x509 -in newcert.pem -text -noout

Creating Certificate Requests

  • From an existing cert (the request is written to standard output)
[root@snoopy /usr/local/openssl/misc]#openssl x509 -x509toreq -in host.domain.com.crt -signkey host.domain.com.key
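The remaining sections (PKCS#12 export, placing the cert and key for Apache, viewing, and regenerating a request from an existing cert) handled as shell functions, as an added example that is not part of the cheat sheet. It works on a self-signed throwaway pair in a temporary directory instead of /usr/local/etc/apache, so that it can run anywhere; host.example.test and the export password are constructed, and the chown root:wheel step is left as a comment because it needs root. Beyond the page's commands it adds the checks a practitioner does before going live: that the key actually belongs to the cert, that the installed key mode is exactly 0400, that the .p12 can be read back, that the regenerated CSR verifies, and an expiry check with -checkend that is handy in monitoring.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: post-issuance handling of a cert and key.
# host.example.test and the password are constructed; paths are a temp dir.
set -eu

# Throwaway self-signed cert + unencrypted key, standing in for newcert.pem / newkey.pem.
make_test_pair() {          # $1 = cert path, $2 = key path
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -subj "/CN=host.example.test" \
    -keyout "$2" -out "$1" 2>/dev/null
}

# A cert and a key belong together iff their public keys are identical. Prints match/mismatch.
key_matches_cert() {        # $1 = cert, $2 = key
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# "Place the key in apache's key directory" + "lock it tight": strip the passphrase with
# openssl rsa, but under umask 077 so the file is never world-readable, then chmod 400.
install_key() {             # $1 = source key, $2 = destination
  ( umask 077; openssl rsa -in "$1" -out "$2" 2>/dev/null )
  chmod 400 "$2"
  # chown root:wheel "$2"   # as on the cheat sheet; needs root, so omitted here
}

# Succeeds only if the file mode is exactly 0400 (find -perm with a full octal mode).
key_mode_is_0400() {        # $1 = file
  [ -n "$(find "$1" -perm 0400 -print)" ]
}

# "Converting to PKCS12": the export password protects the private key inside the bundle.
export_pkcs12() {           # $1 = cert, $2 = key, $3 = out .p12, $4 = export password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "My Certificate" -passout "pass:$4"
}

# Read the bundle back and print the subject of the cert it carries (import sanity check).
pkcs12_subject() {          # $1 = .p12, $2 = export password
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null | openssl x509 -noout -subject
}

# "Creating Certificate Requests from an existing cert": same subject, signed with the same key.
cert_to_request() {         # $1 = cert, $2 = key, $3 = out CSR
  openssl x509 -x509toreq -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Succeeds if the CSR's self-signature verifies (what the CA checks before signing).
request_is_valid() {        # $1 = CSR
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeeds if the cert does NOT expire within $2 seconds; useful as a monitoring probe.
cert_valid_for() {          # $1 = cert, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

WORK="$(mktemp -d)"
cd "$WORK"
make_test_pair host.crt host.key
echo "key matches cert: $(key_matches_cert host.crt host.key)"   # match
install_key host.key host.key.installed
key_mode_is_0400 host.key.installed && echo "installed key mode is 0400"
export_pkcs12 host.crt host.key host.p12 'constructed-export-password'
echo "p12 contains: $(pkcs12_subject host.p12 'constructed-export-password')"
cert_to_request host.crt host.key renew.csr && request_is_valid renew.csr && echo "renewal CSR ok"
cert_valid_for host.crt 3600 && echo "cert good for at least another hour"
```

The umask trick in install_key matters more than the chmod: openssl rsa writes the decrypted key with the process umask, so a plain cp-then-chmod leaves a short window where the file is readable by everyone.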
Copyright © 2007-2015 Mario Theodoridis. All rights reserved. Content licensed under AFL.
Content from the underlying Plone CMS is © 2000-2009 by the Plone Foundation