We’ve all been in that situation where certificates were needed, and one needs to peek into the openssl man page (or Google for examples) in order to remember how it’s done. To make our lives easier, here’s a cheat sheet:

(note): $1 is the name of the certificate you want to create/sign/revoke.


export GC_ROOT_STRUCT=”/opt/certif”
export OPENSSL_CONF=$GC_ROOT_STRUCT/openssl.conf”

Create self-signed CA

openssl req -new -x509 -extensions v3_ca -keyout $GC_ROOT_CA/private/cakey.pem -out $GC_ROOT_CA/cacert.pem -days 3650

Create certificate request

openssl req -new -nodes -out $GC_ROOT_CA/req/$1.req -keyout $GC_ROOT_CA/req/$1.key
Note: Remove the “-nodes” option if you wish to protect the private key with a password.

Sign certificate

openssl ca -out $GC_ROOT_CA/certs/$1.pem -infiles $GC_ROOT_CA/req/$1.req

Revoke certificate

openssl ca -revoke $GC_ROOT_CA/certs/$1.pem -crl_reason keyCompromise

Generate CRL

openssl ca -gencrl -out $GC_ROOT_CA/crl.pem

Inject CA and CRL into system (needed when issuing “openssl verify” commands)

ln -sf $GC_ROOT_CA/cacert.pem /etc/ssl/certs/$(openssl x509 -hash -noout -in $GC_ROOT_CA/cacert.pem).0
ln -sf $GC_ROOT_CA/crl.pem /etc/ssl/certs/$(openssl x509 -hash -noout -in $GC_ROOT_CA/crl.pem).r0

Verify certificate (against CA and CRL, depending on whether the .0 and .r0 symlinks were created)

openssl verify -purpose sslclient <pem_file>