This document lists some sample commands that are useful when dealing with certificates via OpenSSL.

The OpenSSL.exe command performs all of the necessary certificate operations, using the settings in a config file. We have a config file named TurgiCA.cnf in the apps directory with the appropriate settings for Turgi.

___________________________________________________________________________________
################### Creating a self-signed certificate ############################

In order to establish a new Root Certificate Authority, you need to create a self-signed certificate. This can be done with the following command:

openssl req -new -x509 -keyout TurgiCA\private\CAKey.pem -out TurgiCA\private\CACert.pem -config TurgiCA.cnf -days 3652

___________________________________________________________________________________
############### Obtaining a text version of the certificate #######################

The resulting certificate is encoded. To create a text version of the certificate, use the following command:

openssl x509 -text -in TurgiCA\private\CACert.pem

___________________________________________________________________________________
################ Creating a request for a new certificate #########################

Once the root certificate is created, you can sign requests for additional certificates. To create a certificate request, use the following command:

openssl req -new -keyout TurgiCA\newcerts\newkey.pem -out TurgiCA\newcerts\newreq.pem -days 3652 -config TurgiCA.cnf

___________________________________________________________________________________
############# Signing the request with the CA's certificate #######################

The request then needs to be signed using the private key of the CA, which was created when we generated the self-signed certificate. The following command will sign the certificate request that was previously created:

openssl ca -policy policy_anything -out TurgiCA\newcerts\newcert.pem -config TurgiCA.cnf -infiles TurgiCA\newcerts\newreq.pem
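
After signing, it is worth confirming that the new certificate chains to the root and that it certifies the same key that was in the request. The PowerShell script below is an added example, not part of the original document; it assumes openssl.exe (1.1.0 or later) is on the PATH and that it runs from the directory containing TurgiCA\, and the Invoke-OpenSsl helper is a hypothetical name introduced here.

```powershell
# Added example (not from the original document): sanity checks after signing.
# Assumes openssl.exe 1.1.0+ is on PATH and the current directory contains TurgiCA\.
$ca   = 'TurgiCA\private\CACert.pem'
$req  = 'TurgiCA\newcerts\newreq.pem'
$cert = 'TurgiCA\newcerts\newcert.pem'

function Invoke-OpenSsl {
    # Hypothetical helper: run openssl.exe, return stdout as one string,
    # and throw if openssl reports failure through its exit code.
    param([string[]]$Arguments)
    $out = & openssl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
    return ($out -join "`n")
}

# 1. The new certificate must chain to the root CA certificate.
Invoke-OpenSsl @('verify', '-CAfile', $ca, $cert) | Out-Null

# 2. The CA must have certified the key from the request, not some other key.
#    -cne is the case-sensitive comparison; base64 text must match exactly.
$reqKey  = Invoke-OpenSsl @('req',  '-in', $req,  '-noout', '-pubkey')
$certKey = Invoke-OpenSsl @('x509', '-in', $cert, '-noout', '-pubkey')
if ($reqKey -cne $certKey) {
    throw 'Public key in newcert.pem differs from the one in newreq.pem'
}

# 3. Fail if the certificate expires within 30 days (2592000 seconds).
Invoke-OpenSsl @('x509', '-in', $cert, '-noout', '-checkend', '2592000') | Out-Null

# 4. Print what was issued, with a SHA-256 fingerprint for the issuance record.
Invoke-OpenSsl @('x509', '-in', $cert, '-noout',
                 '-subject', '-issuer', '-dates', '-fingerprint', '-sha256')
```

None of these checks needs the pass phrase for newkey.pem or CAKey.pem, because they only read the request and the two certificates.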