[CentOS] OT: What are the 2 openssl commands I need to use?

Tue Dec 29 18:37:18 UTC 2009
R P Herrold <herrold at centos.org>

On Tue, 29 Dec 2009, Dan Carl wrote:

> On 12/29/2009 11:36 AM, Lanny Marcus wrote:
>> I looked on the openssl man page but am too dense with commands to
>> understand what I need to do
   ... snip
>> openssl commands I need to use, after I ssh into the web site, to
>> generate a 2048 bit key and csr.  TIA and Happy New Year!

> This will create one with a passphrase
>
> openssl genrsa -des3 -out mydomain.key 2048
> openssl req -new -key mydomain.key -out mydomain.csr

> Same but without a passphrase
>
> openssl genrsa -out mydomain.key 2048
> openssl req -new -key mydomain.key -out mydomain.csr

My notes indicate that another certificate authority 
[startssl] also requires a stronger (sha1) signing algorithm 
on CSR's  -- ymmv

This is from a personal cheatsheet I wrote:

1.      key withOUT a pass phrase

         openssl genrsa -out trap.pmman.com-09.key 2048

1a.    key WITH a pass phrase

         openssl genrsa -des3 -out trap.pmman.com-09.key 2048

2.      generate a signing request

         openssl req -new -sha1 -key trap.pmman.com-09.key -out \
             trap.pmman.com.csr

3.      view the signing request

         openssl req -noout -text -in trap.pmman.com.csr

4.      view the private key

         openssl rsa -noout -text -in  trap.pmman.com-09.key

(one has to provide the passphrase if so protected)

We add a key year suffix ('-09') on the key to avoid 
accidentally overwriting one, but not the CSR, because CSRs 
may be safely recreated anytime.

Our (prior) convention is to name the CA signed file with a 
.pem suffix, but not a year modifier -- as I think about it though, 
doing so is harmless, and would avoid an accidental 
overwrite here as well.

5.      view the CA counter-signed key file contents

         openssl x509 -inform PEM -noout -text -ocspid \
             -in trap.pmman.com.pem

-- Russ herrold
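The steps above (key, CSR, then inspect) as a script, added here as an example and not part of Russ's cheatsheet or of any of the quoted posts. It assumes the openssl CLI is on PATH, writes into a throwaway directory under $TMPDIR, and uses a hypothetical hostname (example.net) with the same year-suffix naming as the post. It uses -sha256 where the post uses -sha1, since SHA-256 is what CAs expect today, and it adds the two checks worth doing before pasting a CSR into a CA's web form: that the CSR's own signature verifies, and that the CSR actually belongs to the private key you intend to install (the RSA modulus in both must be identical).

```sh
#!/bin/sh
# Added example (not from the mailing-list post): 2048-bit RSA key + CSR,
# followed by the sanity checks a practitioner wants before submitting.
# Assumptions: openssl in PATH; file names and the subject are made up.
set -eu

WORK="${TMPDIR:-/tmp}/csr-demo.$$"
mkdir -p "$WORK"

# Steps 1 and 2 of the post: key without a passphrase, then the CSR.
# The subject comes from a throwaway config so the run is non-interactive.
gen_key_and_csr() {
    cn="$1"; key="$2"; csr="$3"
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"                      # private key: owner-readable only
    cat > "$csr.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = US
ST = Ohio
L  = Columbus
O  = Example Org
CN = $cn
EOF
    # -sha256 replaces the post's -sha1 (hypothetical choice, CA-dependent)
    openssl req -new -sha256 -config "$csr.cnf" -key "$key" -out "$csr"
}

# Returns 0 only if (a) the CSR's self-signature verifies and (b) the CSR's
# public modulus equals the private key's modulus, i.e. they are a pair.
csr_matches_key() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    k=$(openssl rsa -in "$key" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$csr" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# Small readers over step 3's "view the signing request" output.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
csr_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Demo run: generate, then print what a CA will see. Files stay in $WORK.
KEY="$WORK/example.net-24.key"
CSR="$WORK/example.net.csr"
gen_key_and_csr example.net "$KEY" "$CSR"
csr_matches_key "$KEY" "$CSR" && echo "CSR and key match"
echo "CN=$(csr_cn "$CSR") bits=$(csr_bits "$CSR") sig=$(csr_sig_alg "$CSR")"
```

The modulus comparison is the check that catches the classic mistake of regenerating the key after the CSR was already submitted: the CA's certificate will then not match the key on the server, and the web server will refuse to start or serve a broken chain. Re-running this against the key you install is cheap insurance.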