Some OpenSSL and SSL certificate basics
I'm writing this down for the traditional reason, that being to try to fix it in my mind for the next time I have to deal with all of this stuff (which will probably be in about a year):
- a SSL key is basically a blob of data. It has no interesting attributes
associated with it, and it is thus reusable if you want to. There are
probably OpenSSL commands to dump key information, but I haven't looked.
SSL keys are generated with
openssl genrsa. It asks for no information.
(I would not reuse the same SSL key on different servers, but if you would otherwise give a website a ten year self-signed certificate, well, you might as well reuse the same key for it for ten years.)
- a CSR has a Distinguished Name (aka Subject, aka DN), with all of the
details of what it is for; however, it does not have any dates.
If you're keeping the same key from year to year, you can also
keep the CSR and just resubmit it again every year to get a new
(Locally we have tended to discard the CSR once the certificate has been issued, and to generate new keys when we get new certificates.)
CSRs are generated with
openssl req, which asks about all of the fields for the DN and can be fed standard input. If you are mass-generating CSRs for some reason, note that the tempting
-batchoption is basically useless. Rather than silently reading the CSR parameters from stdin, it reads them only from the OpenSSL configuration file.
If you are going to be generating more than a few CSRs, I would write a script to do it; among other things, it makes sure that you're consistent in your Distinguished Names (which should normally vary only in the hostname). Plus, it makes the whole process a lot less annoying.
CSRs can be examined with:
openssl req -text -noout -in WHAT.csr
I recommend doing this after using any automated script for the first time, just in case of accidents (like, say, using
-batchwithout really understanding what it does).
- a SSL certificate is the only thing with expiry dates (which are
added by the CA), as well as the CA signature. SSL certificates
can be examined with:
openssl x509 -text -noout -in WHAT.crt
The CA that signed a certificate can be determined with:
openssl x509 -noout -issuer -issuer_hash -in WHAT.crt
Determining the CA certificate expiry times must be done by getting a copy of the CA root certificate and examining it. If you have a website that's using a certificate from this CA, the easiest way to do this is to go to that website, pull up the security information, view the certificate, and then look at all of the certificates involved in the details view.