Simple certificate management with OpenSSL

2014-05-20

First create an empty dir for your new certificate:

# set the domain name used by the commands below
$ domain=mydomain.com
$ cd
$ mkdir $domain
$ cd $domain

Generate the private key and a certificate signing request (CSR); the request is what the CA signs, the key never leaves your machine:

$ openssl genrsa -out $domain.key 2048
$ openssl req -new -key $domain.key -out $domain.csr -sha256

Now pass the CSR to a CA, for example StartSSL, and save the issued certificate as $domain.crt. Create a file ca.pem containing the CA's intermediate certificate(s), concatenated if there are several. Bundle the key, the certificate and the CA certificates into a PKCS#12 file (-name sets the friendly name that clients show when importing the file):

$ openssl pkcs12 -export -in $domain.crt -inkey $domain.key -certfile ca.pem -name "$domain" -out $domain.p12

Now the $domain.p12 file contains all you need.

To change or remove the passphrase later on, unpack the container to PEM and export it again. The second command prompts for the new export password; leaving it empty produces a container without one:

$ openssl pkcs12 -in $domain.p12 -nodes -out temp.pem
$ openssl pkcs12 -export -in temp.pem -out $domain-2.p12
$ rm temp.pem

Note that -nodes writes the private key to temp.pem unencrypted, so do this in a directory with restrictive permissions and delete the file as soon as the new container exists.

To split the PKCS#12 container into its parts again, execute

$ openssl pkcs12 -in $domain.p12 -nodes -nokeys > $domain.crt
$ openssl pkcs12 -in $domain.p12 -nodes -nocerts > $domain.key

and then extract the single parts from the output files: every PEM block is preceded by a "Bag Attributes" header, and the -nokeys output contains the CA certificates after your own certificate (add -clcerts to get only yours). As above, -nodes leaves the extracted key unencrypted.
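The whole workflow above (key, CSR, certificate, PKCS#12, split and check) as one added, self-contained example, not part of the original post: a throwaway local CA stands in for StartSSL so it runs offline, the CSR carries a subjectAltName because clients match the host name against the SAN rather than the CN, and the final step verifies that the extracted certificate chains to the CA and that the extracted key belongs to it. The domain name, the export passphrase and the CA name are assumed values; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not the post author's script. Walks the post's workflow end to
# end with a throwaway CA in place of StartSSL. Assumed: domain name, passphrase.
set -eu

# Config used both for the CSR (req_extensions) and for the issued certificate
# (-extfile/-extensions below). The SAN is what clients actually validate.
write_leaf_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $2
[ext]
subjectAltName = DNS:$2
EOF
}

# Throwaway CA (plays the part of the real CA you would send the CSR to).
make_test_ca() {
    cat > "$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/ca.key" -sha256 -days 2 \
        -config "$1/ca.cnf" -out "$1/ca.pem"
}

# Steps 1-2 of the post: private key and certificate signing request.
make_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -sha256 -config "$1/leaf.cnf" -out "$1/$2.csr"
}

# Step 3: the CA signs the CSR. openssl x509 -req does not copy CSR extensions,
# so the SAN is passed again via -extfile/-extensions.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$1/leaf.cnf" -extensions ext -out "$1/$2.crt" 2>/dev/null
}

# Step 4: bundle key, certificate and CA chain; -passout keeps it non-interactive.
make_p12() {
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/ca.pem" \
        -name "$2" -passout "pass:$3" -out "$1/$2.p12"
}

# Step 5: split the container again. Piping through x509/pkey strips the
# "Bag Attributes" text that pkcs12 prints in front of each PEM block.
split_p12() {
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys -clcerts | openssl x509 -out "$1/$2.out.crt"
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nocerts -nodes | openssl pkey -out "$1/$2.out.key"
}

# Check: the certificate chains to the CA and the extracted key matches it
# (same SubjectPublicKeyInfo in both).
verify_parts() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.out.crt" >/dev/null
    cert_pub=$(openssl x509 -in "$1/$2.out.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$1/$2.out.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Runs everything in a temporary directory and prints OK when all checks pass.
demo_roundtrip() {
    domain=${1:-mydomain.example}   # assumed domain
    pass=${2:-change-me}            # assumed export passphrase
    dir=$(mktemp -d)
    write_leaf_config "$dir/leaf.cnf" "$domain"
    make_test_ca "$dir"
    make_key_and_csr "$dir" "$domain"
    sign_csr "$dir" "$domain"
    make_p12 "$dir" "$domain" "$pass"
    split_p12 "$dir" "$domain" "$pass"
    verify_parts "$dir" "$domain"
    rm -rf "$dir"
    echo OK
}

demo_roundtrip
```

With a real CA, replace make_test_ca and sign_csr by uploading the CSR and saving the returned certificate, and put the CA's intermediate certificate(s) in ca.pem. One practical caveat: OpenSSL 3 encrypts the exported container with AES-256-CBC and PBKDF2 by default, which older importers that only understand the legacy RC2/3DES encodings cannot read; add -legacy to the export command for those.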

Script for StartSSL

#!/bin/bash
set -e

domain=$1
if [ -z "$domain" ]; then
    echo "usage: $0 domain" >&2
    exit 1
fi
mkdir "$domain"
cd "$domain"

echo "Download intermediate certificate..."
# The download is plain HTTP: compare the printed fingerprint with the value
# published by the CA before trusting this file.
wget --quiet http://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
openssl x509 -in sub.class1.server.sha2.ca.pem -noout -fingerprint -sha256

echo "Create private key..."
openssl genrsa -out "$domain.key" 2048

echo "Create certificate signing request..."
openssl req -new -key "$domain.key" -out "$domain.csr" -sha256

echo "Create certificate..."
echo "* Visit http://www.startssl.com/"
echo "* Pass $domain.csr"
echo "* Save the certificate at $domain.crt"
echo "* Press any key when done"
read -r -n 1 -s   # wait for the certificate to be saved before bundling
if [ ! -s "$domain.crt" ]; then
    echo "$domain.crt is missing or empty" >&2
    exit 1
fi

echo "Create PKCS#12 container..."
openssl pkcs12 -export -in "$domain.crt" -inkey "$domain.key" -certfile sub.class1.server.sha2.ca.pem -name "$domain" -out "$domain.p12"
