Tag Archives: openSSL

Generating a PKCS12 file with openSSL

  1. Generate the CSR
    1. openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  2. Sign the CSR with your Certificate Authority
    1. Send the CSR (or text from the CSA) to VeriSign, GoDaddy, Digicert, internal CA, etc.
  3. Download the CRT
    1. Grab a copy of the signed certificate from your CA and place both the signed certificate and the CA chain certificate inside the same folder as your csr
  4. Create the PKCS#12 file (.pfx .p12)
    1. openssl pkcs12 -export -out nameofpkcsfilewearegoingtogenerate.pfx -inkey yourdomain.key -in publiccertfromCA.crt -certfile CAcertificatechain.crt
    2. Enter in a password that will be used to protect your PKCS file's private key

That's all that's to it!

Note: If you have multiple certificate authorities, you will have to create a certificate chain.  Use the following command for Step 4:

openssl.exe pkcs12 -export -in publiccertfromCA.crt -inkey yourdomain.key -name “MyCertYouCanChangeThisToWhateverItsAnAliasFriendlyName” -chain -CAfile certs.pem -passout pass:testpassword -out nameofpkcsfilewearegoingtogenerate.pfx

The certs.pem file will contain a list of your certificate authorities, starting from your intermediate authorities to the root authorities.

—–BEGIN CERTIFICATE—–
INTERMEDIATECERTIFICATEBASE64STUFFHERE.crt
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
ROOTCERTIFICATEBASE64STUFFHERE.crt
—–END CERTIFICATE—–

Generating a SSL Cert with Apache & openSSL

Registering a SSL cert is always kind of a mystery for me. You always have to use a crazy long command line command and the wizard always asks funky questions. Hopefully this tutorial will help clarify the process.

First run the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

And what the command does is it is generating a 256bit SSL certificate. RSA:1024 would generate a 128bit certificate. When the process has finished, you will have yourdomain.key and yourdomain.csr. yourdomain.key should NOT be distributed. This is your key to decrypt your traffic. The CSR should be presented to your CA (certificate authority).

As far as the generation process goes, you will be presented with a few questions:
Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered. This would be US for the United States.
State or Province: Name of the state or province where your organization is located. Write out the name in full.
City or Locality: Name of the city where your organization is registered/located. Write out the name in full.
Organization Unit: This may be left blank. However, if you are a company, you may want to put your company nickname here. I.e. Vooba instead of Vooba LLC
Organization: Vooba LLC
Passphrase: Depending on your registrar, you can/can't use this. If you can't use it, I recommend finding a different company. Use a strong password here.
Common Name: The fully-qualified domain name (FQDN), or URL, you want to secure. If you are not using a wild-card domain (*.yourdomain.com), use www.yourdomain.com. This will allow www.yourdomain.com and yourdomain.com to be secured. If you only secure yourdomain.com, www.yourdomain.com will be invalid.

Hope this helps and clarifies the process!