SSL certificate utility tasks

Create a custom CA certificate and a self-signed certificate

- Create a CSR and save it in a local file called csr.pem.

- Create a CA certificate and private key:

  - Save the following OpenSSL configuration in a local file called openssl-req-ca.conf:

        [ req ]                                                        (1)
        x509_extensions = x509_req_ext

        [ x509_req_ext ]                                               (2)
        subjectKeyIdentifier = hash
        authorityKeyIdentifier = keyid:always,issuer
        basicConstraints = critical, CA:true
        keyUsage = critical, digitalSignature, cRLSign, keyCertSign

    1 | Configures the openssl req command. |
    2 | Configures the openssl req command when using the -x509 flag to create a CA certificate. |

  - Generate a CA certificate and private key:

        $ openssl req \
            -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
            -out ca.cert.pem -keyout ca.key.pem \
            -subj "/CN=Self-signing CA" \
            -config openssl-req-ca.conf

  - Review the CA certificate and private key, which are in the local files ca.cert.pem and ca.key.pem respectively:

    - For examples of a certificate and private key, learn more in PEM-formatted certificate examples.
    - To check the information in the certificate, learn more in Check a certificate.

- Create a signed certificate:

  - Save the following OpenSSL configuration in a local file called openssl-req-sign.conf:

        [ req ]                                                        (1)
        x509_extensions = x509_req_ext

        [ x509_req_ext ]                                               (2)
        subjectKeyIdentifier = hash
        authorityKeyIdentifier = keyid:always
        keyUsage = critical, digitalSignature
        extendedKeyUsage = serverAuth

    1 | Configures the openssl req command. |
    2 | Configures the openssl req command when using the -x509 flag to sign a CSR. |

  - Generate a signed certificate using the CSR, the CA certificate and private key, and the configuration in openssl-req-sign.conf:

        $ openssl req \
            -x509 -nodes -sha256 -days 30 -copy_extensions copy \
            -in csr.pem -out cert.pem -CA ca.cert.pem -CAkey ca.key.pem \
            -config openssl-req-sign.conf

  - Review the certificate, which is in the local file cert.pem:

    - For an example of a certificate, learn more in PEM-formatted certificate examples.
    - To check the information in the certificate, learn more in Check a certificate.
Check a CSR
To check the information in a CSR, run this command:
$ openssl req -in <csr-filename> -noout -text (1)
1 | Replace <csr-filename> with the name of the local file containing your CSR; for example, csr.pem. |

Example response:
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.pingidentity.com, O = Ping Identity Corporation, OU = IT, C = US, street = 1001 17th Street, L = Denver, ST = Colorado, postalCode = 80202, emailAddress = example.user@pingidentity.com, businessCategory = Private Organization, serialNumber = 3463471, jurisdictionC = US, jurisdictionL = Wilmington, jurisdictionST = Delaware (1)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:df:cf:53:47:8b:6a:51:23:0c:b9:8d:65:31:13:
                    26:6b:65:05:46:50:64:2c:97:4b:21:ac:72:99:54:
                    0c:d9:44:f1:74:c8:cd:55:09:67:7f:a2:f9:47:e5:
                    d4:fb:ec:fd:e9:c5:fd:77:30:30:79:f4:86:a3:c1:
                    72:2e:92:ca:74:93:44:65:4d:6f:b1:09:36:8d:b2:
                    c5:97:16:5e:d2:0d:49:42:91:93:da:01:02:9d:cf:
                    c4:af:99:1e:1f:80:f9:61:ab:60:14:25:d5:91:a9:
                    8f:f3:86:01:a1:33:95:10:6c:2a:60:19:6c:49:87:
                    4c:6f:f5:16:b0:54:2a:95:e1:32:c2:bd:3b:92:06:
                    3a:07:61:fa:01:72:3e:ca:02:e6:db:73:6a:4a:e7:
                    7a:ea:24:a7:75:a6:3c:ab:16:e2:c2:52:db:61:2f:
                    df:22:5d:b7:8b:67:31:4a:44:12:7e:94:af:b5:78:
                    31:97:09:68:da:07:28:71:61:a4:8b:6f:ce:27:70:
                    07:d5:12:58:cf:d1:4b:a9:a3:25:c9:a2:3d:08:5e:
                    1c:b3:b3:54:eb:93:90:55:65:01:0f:13:24:da:b3:
                    32:50:bf:d4:c3:71:8f:3b:82:25:11:e7:67:44:dd:
                    69:71:13:b3:6a:86:d2:a4:7f:25:01:c0:8f:71:96:
                    16:75
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: (2)
                    DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        ab:6d:a7:14:8a:07:6b:69:c8:f7:e9:1f:ca:d3:d4:6d:53:ad:
        4e:f7:91:aa:ec:1a:50:a3:08:0d:05:41:eb:17:ab:c0:30:d6:
        53:2c:24:2f:d3:20:e8:7a:ae:d6:f9:81:a0:d2:a5:ad:44:24:
        35:51:c1:d8:2c:f6:32:d5:9b:35:64:4a:d0:76:47:8f:1e:7e:
        7d:fe:67:66:fd:a9:f0:c4:d4:18:37:a5:7b:50:af:25:34:76:
        14:ac:ba:e7:5a:40:eb:ba:cd:16:09:59:71:e4:88:ab:43:fb:
        ff:a1:8d:ae:5f:cc:62:1d:46:19:28:0a:74:fe:e3:59:e9:63:
        42:65:db:ef:14:29:53:03:53:8d:17:5f:b2:dd:b9:9d:27:fe:
        11:ec:44:07:ef:27:6c:8a:18:63:6c:7c:a4:f4:bb:2e:ee:d5:
        ae:4a:79:80:e0:24:6b:db:01:c1:03:6f:c8:6b:8b:c9:72:46:
        51:3b:a9:00:7a:c6:fc:28:60:8b:13:88:4c:1d:21:f2:19:de:
        c0:a2:99:78:40:74:af:4f:c2:62:3b:6e:d0:9a:12:b1:7a:54:
        2c:42:38:d8:f4:27:be:6e:0e:7f:40:ee:54:81:e2:63:da:95:
        84:33:a5:48:61:dd:88:10:41:cc:d8:62:e9:3a:61:85:7d:06:
        55:04:19:ff
1 | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
2 | If you entered SANs for the CSR, check the SAN extension is present. |
Check a certificate
To check the information in a certificate, run this command:
$ openssl x509 -in <certificate-filename> -text -noout (1)
1 | Replace <certificate-filename> with the name of the local file containing your certificate; for example, cert.pem. |

Example response:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Self-signing CA
        Validity
            Not Before: May 2 12:07:51 2024 GMT
            Not After : Jun 1 12:07:51 2024 GMT (1)
        Subject: CN = www.pingidentity.com, C = US, ST = Colorado, L = Denver, O = Ping Identity Corporation, OU = IT (2)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d0:52:11:d0:47:34:32:26:85:ae:c8:db:e1:59:
                    9c:88:07:e2:e1:08:65:6c:91:97:e4:e6:33:bb:4c:
                    24:ef:bd:c1:98:e7:c4:6b:6e:40:30:d5:ca:b8:f6:
                    d4:23:ae:4f:2a:e2:93:a3:dc:1b:76:dc:9f:ff:ad:
                    22:23:49:26:18:9e:90:f7:41:7c:7d:89:79:0b:ce:
                    b3:f6:e2:ce:e0:81:a6:d8:7a:e0:1a:5a:dd:7c:85:
                    ff:e8:5b:bc:e5:2a:0a:23:0e:69:cf:2b:fd:cf:7a:
                    d2:d8:5d:fa:61:7f:d5:ef:a0:9c:8a:6d:4c:74:6e:
                    98:36:38:3e:04:8e:f5:82:32:8c:5d:a8:f4:02:f3:
                    ad:54:f0:d9:11:8f:88:7f:0b:64:87:97:61:61:d9:
                    10:7f:54:53:49:e2:fd:90:e3:67:a2:b8:56:b4:7f:
                    4c:bc:d9:9c:33:96:8d:9a:c3:7c:85:58:47:02:38:
                    05:80:a6:e3:95:7c:4c:51:46:9f:d6:81:7e:56:12:
                    cf:35:be:01:57:15:65:f0:d4:9f:61:1f:ba:93:a5:
                    79:84:de:7a:ba:23:04:fa:9a:f4:99:16:60:0c:ef:
                    80:99:3c:fd:5d:af:09:8c:6e:02:2d:a8:02:01:bd:
                    b8:90:00:12:f8:c4:4c:a2:9c:71:e9:22:c4:89:19:
                    35:3f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7B:1D:14:C9:3C:4A:67:37:A2:E5:BE:B5:30:19:BE:EF:E6:08:B3:D6
            X509v3 Authority Key Identifier:
                6E:41:13:8E:26:E4:B0:7E:63:ED:07:0C:4E:2D:CD:FA:66:28:20:21
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: (3)
                DNS:support.pingidentity.com, DNS:labs.pingidentity.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        22:60:ab:f8:13:cd:af:36:62:06:c5:fe:d4:eb:4f:7e:17:d1:
        c9:c9:82:56:97:8e:d5:f1:55:33:64:d2:4f:7f:ab:75:e0:28:
        61:35:56:59:ed:7a:a5:a6:6c:94:e7:3c:e1:c5:9c:1c:9e:43:
        24:cd:49:f5:b9:d5:0e:81:2b:c5:03:1f:30:36:a3:97:cf:b4:
        f4:a1:55:d0:5d:d8:47:de:cf:f2:df:b9:6c:ff:a1:37:f2:61:
        98:5f:a6:d1:d9:2c:c2:f3:50:71:51:6b:95:ec:d1:be:b3:f1:
        9a:04:29:ad:62:f4:f5:e5:a7:7b:89:d5:a7:4c:4a:e5:88:eb:
        d5:d9:3a:5f:9c:97:01:79:00:dc:76:05:e4:f6:3a:74:61:aa:
        27:53:60:25:73:39:fd:0c:9b:bf:8e:61:32:59:f8:f3:d7:92:
        e4:e8:ba:b3:63:8b:59:b0:e2:16:06:3a:43:0b:ec:00:f8:ad:
        4d:fb:81:50:83:f1:87:f0:2d:91:09:43:3a:03:a2:13:00:db:
        0c:3e:9d:e5:53:9d:ac:ad:87:de:1a:25:5e:2e:c0:7c:17:fe:
        21:61:94:01:d3:3b:96:e7:83:0b:a9:d1:c8:0d:fa:03:93:0a:
        67:c5:8d:dd:ad:68:c6:7a:1d:5c:a5:df:cd:0b:d9:de:83:0f:
        20:42:83:61
1 | Check the expiry date. |
2 | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
3 | If you entered SANs for the CSR, check the SAN extension is present. |
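The three checks above ("check the expiry date", "check the subject", "check the SAN extension is present") and the CSR checks in the previous section are things a person reads off -text output; as an added example that is not part of the Ping Identity page, the script below turns each into a function a deployment pipeline can fail on. The function names (csr_signature_ok, subject_attr, has_dns_san, valid_for_days, not_after) and the example.test names are this example's assumptions; the CSR and certificate it inspects are constructed here rather than taken from the page. It assumes OpenSSL 1.1.1 or later and a system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the Ping Identity page: scriptable versions of the
# "Check a CSR" and "Check a certificate" steps. Assumes OpenSSL 1.1.1 or
# later and a system openssl.cnf. The CSR and certificate inspected here are
# constructed samples with made-up example.test names.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed samples: a CSR with two SANs and a 30-day self-signed certificate.
SUBJ="/O=Example Org/CN=www.example.test"
SAN="subjectAltName=DNS:www.example.test,DNS:api.example.test"
openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout csr.key.pem \
    -out csr.pem -subj "$SUBJ" -addext "$SAN" 2>/dev/null
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 -keyout cert.key.pem \
    -out cert.pem -subj "$SUBJ" -addext "$SAN" 2>/dev/null

# Exit 0 only if the CSR's self-signature verifies, i.e. the request was not
# altered after it was produced and the requester holds the private key.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print one subject attribute (for example CN) from a CSR (kind=req) or a
# certificate (kind=x509). RFC2253 output is "subject=CN=...,O=..." with no
# spaces, so an attribute is whatever follows "<name>=" up to the next comma.
subject_attr() {  # $1 = req|x509, $2 = file, $3 = attribute name
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 \
        | sed -n "s/.*[,=]$3=\([^,]*\).*/\1/p"
}

# Exit 0 only if the named DNS entry appears in the SAN extension (the line
# after the "Subject Alternative Name" header in -text output), as an exact
# entry rather than a substring of a longer name.
has_dns_san() {  # $1 = req|x509, $2 = file, $3 = DNS name
    esc=$(printf '%s' "$3" | sed 's/\./\\./g')
    openssl "$1" -in "$2" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | grep -qE "(^|[[:space:],])DNS:$esc(,|\$)"
}

# Exit 0 only if the certificate is still valid $2 days from now
# (-checkend exits non-zero when the certificate expires within that window).
valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the certificate's expiry timestamp as openssl reports it.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

if csr_signature_ok csr.pem; then echo "CSR signature: OK"; fi
echo "CSR CN:  $(subject_attr req csr.pem CN)"
echo "Cert O:  $(subject_attr x509 cert.pem O)"
if has_dns_san x509 cert.pem api.example.test; then echo "SAN lists api.example.test"; fi
echo "Expires: $(not_after cert.pem)"
if valid_for_days cert.pem 7; then echo "Valid for at least 7 more days"; fi
```

valid_for_days is the one to wire into monitoring: run it with the lead time your renewal process needs (for a 30-day certificate like the page's, a few days) so an expiring certificate is caught before clients start rejecting it.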