openssl cert creation help

OpenSSl Certificate creation methods


# Separate Generation of the server key using passout. Also uses CSR to signkey and generate a CA
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm server.pass.key
openssl req -new -key server.key -out server.csr \
    -subj "/C=US/ST=Kansas/L=Marion/O=OrgName/OU=Accounting/CN=example.com"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# using openssl req to automatic to generate a server.key and server.crt. No CSR or CA here
   openssl req -x509 -nodes \
    -days 365 \
    -subj "/C=US/ST=MD/O= Bingo Was His Name Oh/CN=example.com" \
    -newkey rsa:2048 -keyout server.key \
    -out server.crt


# Juniarto's guide on client certificate (for client verification)
#Create Client Certificate [AT CLIENT]

openssl genrsa -des3 -out user.key 4096       #User Key
openssl req -new -key user.key -out user.csr  #Cert. Signing Request

user.key is known as USER/CLIENT PRIVATE KEY. It stays in the client and should not be sent to the server.

user.csr is known as CERTIFICATE SIGNING REQUEST. Send user.csr to the server. Server will create user.crt using server’s ca.crt and ca.key.

d. Send user.csr to server, to be signed by CA [AT SERVER]. Produce user.crt

openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
You’ll typically want to increment the serial number with each signing. Once the certificate expires, a new CSR doesn’t need to be recreated; the same one can be signed, which will create a new certificate tied to that public key.

The signed certificate would be sent back to the user along with the CA cert (not private key!), for installation on their device.

e. But, usually you have to bundle ca.crt and user.crt before you send it to client.[AT CLIENT]

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt

Pass the user.pfx to the client to be installed in their browser.