OpenSSL certificate management¶
OpenSSL certificate management involves using the OpenSSL command-line toolkit to generate private keys, create Certificate Signing Requests (CSRs), manage self-signed certificates, and handle certificate formats for secure communication^[600-developer__tools__security__000-MOC-security.md].
As a robust, full-featured open-source toolkit, OpenSSL is the de facto standard implementation of [[Transport Layer Security]] (TLS) and its deprecated predecessor [[Secure Sockets Layer]] (SSL), providing encrypted and authenticated transport between clients and servers^[600-developer__tools__security__000-MOC-security.md].
Common Key Formats¶
OpenSSL is frequently used to convert between different key and certificate formats to ensure compatibility across various systems (e.g., Apache, Nginx, IIS). Understanding the common extensions is essential for management^[600-developer__tools__security__000-MOC-security.md].
- .crt: Usually a certificate (may be PEM or DER encoded).
- .key: Usually a private key (may be PEM or DER encoded).
- .csr: A Certificate Signing Request.
- .p12/.pfx: Password-protected PKCS#12 container that can hold both certificates and private keys (commonly used for import/export, e.g. into IIS or a browser).
PEM files are Base64 text wrapped in `-----BEGIN ...-----`/`-----END ...-----` lines; DER files are the raw binary encoding. The extension is only a convention, so when a file refuses to load, check its actual encoding with `-inform pem` or `-inform der` rather than trusting the name.
Common Operations¶
Generating Keys and CSRs¶
Before obtaining a signed certificate from a Certificate Authority (CA), you must generate a private key and a CSR.
- Generate a Private Key: creates the cryptographic foundation.
  `openssl genrsa -out private.key 2048`
- Generate a CSR: creates a request file to send to a CA. Without `-subj`, `openssl req` prompts interactively for the subject fields (country, organisation, common name, ...).
  `openssl req -new -key private.key -out request.csr`
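The two steps above, as an added example that is not part of the original page: the key and CSR are generated non-interactively, a SAN is requested (modern clients ignore the CN for hostname matching), and the CSR is checked before it goes to the CA. The hostnames are constructed for the demo; OpenSSL 1.1.1 or newer is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSL >= 1.1.1 (-addext).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# $1 = output directory, $2 = common name, $3 = SAN list (e.g. "DNS:a,DNS:b")
gen_key_and_csr() {
    dir=$1; cn=$2; sans=$3
    # restrict permissions before any key material is written
    umask 077
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    # -subj avoids the interactive prompts; -addext puts the SAN into the CSR
    openssl req -new -key "$dir/private.key" -out "$dir/request.csr" \
        -subj "/C=US/O=Example Corp/CN=$cn" \
        -addext "subjectAltName=$sans"
}

# Returns 0 when the CSR's self-signature verifies AND its public key is the
# one derived from the given private key ($1 = key, $2 = CSR).
csr_matches_key() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$csr_pub" ]
}

# Prints the SAN line requested in the CSR ($1 = CSR) so it can be compared
# with what was intended before the CA signs it.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Demo with constructed hostnames.
WORK=$(mktemp -d)
gen_key_and_csr "$WORK" app.example.internal "DNS:app.example.internal,DNS:localhost"
if csr_matches_key "$WORK/private.key" "$WORK/request.csr"; then
    echo "CSR OK; requested SANs: $(csr_sans "$WORK/request.csr")"
fi
```

`csr_matches_key` is the check worth keeping around: a CSR that verifies but was built from a different key than the one the server will load is a surprisingly common cause of "key values mismatch" errors after the signed certificate comes back.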
Self-Signed Certificates¶
For development or internal testing, a Self-Signed Certificate acts as both the issuer and the subject, removing the need for an external CA. Clients will not trust it unless it is explicitly added to their trust store.
- Generate a Self-Signed Certificate (valid for 365 days):
  `openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -days 365`
  (Note: add the `-nodes` flag if an unencrypted private key is desired, e.g. so a server can start without a passphrase; OpenSSL 3.0 also accepts the clearer spelling `-noenc`.)
Viewing Information¶
Verifying the contents of a file helps prevent configuration errors.
- View a CSR:
  `openssl req -in request.csr -text -noout`
- View a Certificate:
  `openssl x509 -in certificate.crt -text -noout`
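The self-signed and viewing steps combined, as an added example that is not part of the original page: a certificate is minted with a SAN and an unencrypted key, then inspected field by field and checked the way you would before trusting or deploying it (self-signature verifies, key and certificate belong together, not about to expire). The hostname is constructed; OpenSSL 1.1.1 or newer is assumed for `-addext` and `x509 -ext`.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSL >= 1.1.1.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# $1 = output dir, $2 = hostname, $3 = validity in days
make_self_signed() {
    dir=$1; host=$2; days=$3
    umask 077
    # -nodes: unencrypted key (acceptable for a throwaway dev key only);
    # the SAN is what browsers and TLS libraries actually match against
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/private.key" -out "$dir/certificate.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host,DNS:localhost" 2>/dev/null
}

# Subject, validity window and SAN without the full -text dump ($1 = cert).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -ext subjectAltName
}

# Just the SAN value line ($1 = cert), e.g. "DNS:a, DNS:b".
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# A self-signed certificate is its own trust anchor, so it must verify
# against itself; a corrupted or tampered file will not ($1 = cert).
is_valid_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate is still valid $2 seconds from now ($1 = cert).
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Returns 0 when key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Demo with a constructed hostname.
WORK=$(mktemp -d)
make_self_signed "$WORK" dev.example.internal 365
cert_summary "$WORK/certificate.crt"
if is_valid_self_signed "$WORK/certificate.crt" &&
   key_matches_cert "$WORK/private.key" "$WORK/certificate.crt" &&
   not_expiring_within "$WORK/certificate.crt" 2592000; then
    echo "certificate OK for the next 30 days"
fi
```

`-checkend` is handy in a cron job or CI step: it exits non-zero when the certificate will have expired by the given number of seconds, which is easier to act on than parsing the `notAfter` date yourself.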
Format Conversion¶
OpenSSL is critical for converting certificates between formats required by different servers^[600-developer__tools__security__000-MOC-security.md].
- PEM to DER:
  `openssl x509 -in cert.pem -outform der -out cert.der`
- DER to PEM:
  `openssl x509 -in cert.der -inform der -out cert.pem`
- PKCS#12 (.pfx) to PEM (extracts key and cert; `-nodes` writes the private key unencrypted, so protect the output file like the original key):
  `openssl pkcs12 -in file.pfx -out file.pem -nodes`
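The conversions above as a round trip, added here as an example that is not part of the original page: a throwaway self-signed pair is converted PEM to DER and back, bundled into a password-protected PKCS#12 file (the direction needed for IIS or browser import), and extracted again, with checks that the certificate fingerprint and key survived each step. The hostname and export password are constructed for the demo; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSL >= 1.1.1.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# Throwaway self-signed key + certificate to convert ($1 = dir).
make_test_pair() {
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=convert.example.internal" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Returns 0 when PEM -> DER -> PEM yields the same certificate ($1 = dir).
# Fingerprints are computed over the DER, so they are the right thing to compare.
pem_der_roundtrip_ok() {
    dir=$1
    openssl x509 -in "$dir/cert.pem" -outform der -out "$dir/cert.der"
    openssl x509 -in "$dir/cert.der" -inform der -out "$dir/cert.back.pem"
    a=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$dir/cert.back.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Bundle key + certificate into a PKCS#12 file ($1 = dir, $2 = password).
# -name sets the "friendly name" shown by Windows/browser import dialogs.
# pass: exposes the password in the process list; in real use prefer
# -passout file:... or env:... with a suitably protected source.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name "convert.example.internal" -out "$1/bundle.pfx" -passout "pass:$2"
}

# Extract key and certificate again ($1 = dir, $2 = password). Fails on a
# wrong password because the PKCS#12 MAC check fails. -nodes leaves the key
# unencrypted in the output, hence the umask above.
extract_pkcs12() {
    openssl pkcs12 -in "$1/bundle.pfx" -nodes -out "$1/extracted.pem" -passin "pass:$2"
}

# Returns 0 when the extracted PEM holds the original key and certificate ($1 = dir).
# pkey reads either the "RSA PRIVATE KEY" (1.1.1) or "PRIVATE KEY" (3.x) form
# and skips the certificate and bag attributes that share the file.
extracted_matches() {
    dir=$1
    k1=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    k2=$(openssl pkey -in "$dir/extracted.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    c1=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint -sha256)
    c2=$(openssl x509 -in "$dir/extracted.pem" -noout -fingerprint -sha256)
    [ "$k1" = "$k2" ] && [ "$c1" = "$c2" ]
}

# Demo with constructed names and a constructed password.
WORK=$(mktemp -d)
make_test_pair "$WORK"
pem_der_roundtrip_ok "$WORK" && echo "PEM/DER round trip OK"
export_pkcs12 "$WORK" "changeit"
extract_pkcs12 "$WORK" "changeit"
extracted_matches "$WORK" && echo "PKCS#12 round trip OK"
```

OpenSSL 3.0 writes PKCS#12 files with AES-256-CBC and a SHA-256 MAC by default; very old consumers that only understand the RC2/3DES encoding need the bundle produced with `-legacy` (and the legacy provider available), which is worth knowing before an import silently fails on the other side.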
Related Concepts¶
- [[PKIX]]: The architecture governing the creation and management of certificates.
- [[TLS]]: The protocol that utilizes these certificates for secure transport.
- [[自建CA機構]] (running your own CA): managing an internal Certificate Authority for private networks, so that internally issued certificates are trusted without an external CA.
Sources¶
600-developer__tools__security__000-MOC-security.md