Hands-on Lab

#Lab: SSL/TLS Certificate Management

Learn to generate and manage SSL/TLS certificates.

#🎯 Objectives

  • Generate self-signed certificates
  • Create Certificate Signing Requests (CSR)
  • Troubleshoot SSL/TLS issues

#📋 Prerequisites

  • Linux system or WSL2
  • OpenSSL installed

#โฑ๏ธ Duration: 45 minutes


#Task 1: Generate Self-Signed Certificate (15 min)

#Step 1.1: Quick Self-Signed Certificate

bash
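# Work in a directory only the current user can enter: it will hold private keys.
mkdir -p ~/certs && chmod 700 ~/certs && cd ~/certs

# Generate a 2048-bit RSA private key and a self-signed certificate (365 days).
# -nodes writes server.key WITHOUT passphrase encryption (OpenSSL 3.x also
# accepts the newer spelling -noenc); acceptable for a throwaway lab key only.
# No -config is given, so extensions come from the system openssl.cnf. The
# stock file usually marks the result CA:TRUE and adds no subjectAltName, so
# check the "X509v3 extensions" part of the output below before trusting it.
openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout server.key \
  -out server.crt \
  -subj "/C=US/ST=California/L=SF/O=MyCompany/CN=localhost"

# Keep the private key readable by its owner only, whatever the umask was.
chmod 600 server.key

# Verify certificate: print subject, validity period, public key and extensions
openssl x509 -in server.crt -text -noout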

#Step 1.2: With Subject Alternative Names (SAN)

bash
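# Write a minimal OpenSSL config for a leaf (non-CA) server certificate.
# The quoted 'EOF' delimiter keeps the shell from expanding anything inside.
cat << 'EOF' > san.cnf
[req]
default_bits = 2048
# Take the subject from this file instead of treating the values as prompts.
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_server

[req_distinguished_name]
CN = myapp.local

# Extensions for an end-entity TLS server certificate.
[v3_server]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
# Limit what the key may be used for: TLS server authentication only.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# Clients match the host name against these entries, not against the CN.
[alt_names]
DNS.1 = myapp.local
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF

# Generate key + self-signed certificate using the extensions defined above.
# -nodes leaves server-san.key unencrypted on disk (lab use only).
openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout server-san.key \
  -out server-san.crt \
  -config san.cnf \
  -subj "/CN=myapp.local"

# Keep the private key readable by its owner only.
chmod 600 server-san.key

# Verify SAN and the key-usage restriction made it into the certificate
openssl x509 -in server-san.crt -text -noout |
  grep -A 1 -E "Alternative Name|Extended Key Usage"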

#Task 2: Create CSR for Production (10 min)

bash
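# Generate private key (2048-bit RSA). The key is written unencrypted; add
# -aes256 to have OpenSSL prompt for a passphrase and encrypt it on disk.
openssl genrsa -out production.key 2048

# The private key stays on this host and must be readable by its owner only.
chmod 600 production.key

# Create CSR. Only production.csr is sent to the CA, never production.key.
# -addext (OpenSSL 1.1.1 or newer) requests a subjectAltName, which is the
# field clients match host names against; a CN-only request relies on the CA
# to add it.
openssl req -new \
  -key production.key \
  -out production.csr \
  -subj "/C=US/ST=CA/L=SF/O=Company/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com"

# Verify CSR: -verify checks the request's self-signature, -text shows the
# subject and the requested extensions exactly as the CA will see them
openssl req -in production.csr -text -noout -verify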

#Task 3: Inspect Remote Certificates (10 min)

bash
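# Download and view certificate.
# -servername sets the SNI host name so the server returns the certificate for
# that site; closing stdin (< /dev/null) makes s_client exit after the handshake.
# NOTE: this only displays what the server presented. s_client continues after
# a failed chain validation, and both 2>/dev/null and the pipe hide the
# verification messages, so the output is not evidence that the certificate is
# trusted. To check trust, run s_client without the pipe and read the
# "Verify return code" line, or add -verify_return_error.
openssl s_client -servername google.com \
  -connect google.com:443 < /dev/null 2> /dev/null |
  openssl x509 -noout -subject -dates

# Check expiration.
# -enddate prints the notAfter date; -checkend 2592000 additionally makes the
# exit status non-zero when the certificate expires within 30 days, which is
# convenient for monitoring scripts.
openssl s_client -servername github.com \
  -connect github.com:443 < /dev/null 2> /dev/null |
  openssl x509 -noout -enddate -checkend 2592000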

#Task 4: Format Conversions (10 min)

bash
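# PEM to DER (binary encoding of the same certificate; no private key involved)
openssl x509 -in server.crt -outform DER -out server.der

# Read the PFX password without echoing it. A password given as pass:... on the
# command line ends up in shell history and is visible in process listings;
# env: hands it to openssl through the environment instead.
read -r -s -p 'PFX password: ' PFX_PASSWORD && echo
export PFX_PASSWORD

# PEM to PFX (PKCS#12 bundle holding the certificate AND the private key)
openssl pkcs12 -export \
  -out server.pfx \
  -inkey server.key \
  -in server.crt \
  -passout env:PFX_PASSWORD

# PFX to PEM
# -nodes writes the private key into combined.pem unencrypted, so treat that
# file like the key itself.
openssl pkcs12 -in server.pfx -out combined.pem -nodes -passin env:PFX_PASSWORD

# Both outputs contain the private key: owner-only access.
chmod 600 server.pfx combined.pem

# Do not leave the password in the shell environment.
unset PFX_PASSWORD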

#✅ Success Criteria

  • Generated self-signed certificate with SAN
  • Created CSR for production use
  • Inspected remote certificates
  • Converted between formats

#🧹 Cleanup

bash
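# Leave the lab directory first: the shell is still inside ~/certs after Task 1.
# The keys created in this lab were stored unencrypted; delete them here and do
# not reuse them anywhere else.
cd ~ && rm -rf -- ~/certs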