====== OpenSSL ======

===== Generate a Key =====
<code>
openssl genrsa -out cakey.pem 4096
</code>

===== Generate CA =====
<code>
openssl req -x509 -new -nodes -key cakey.pem -days 3650 -out cacert.pem
</code>

===== Generate Cert key =====
<code>
openssl genrsa -out key.pem 4096
</code>

===== Generate CSR =====
<code>
openssl req -new -key key.pem -out csr.pem -sha256
</code>

===== Gen DH =====
<code>
openssl dhparam -out dh.pem 2048
</code>

===== Self-signed =====
<code>
openssl x509 -req -in csr.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -days 365
</code>

==== Convert to pfx format ====

<code>
openssl pkcs12 -export -out myserver.pfx -inkey myserver.key -in myserver.crt
</code>

===== Single Cert =====
<code>
openssl genrsa -out bluenet-ride.com.key 4096
openssl req -new -key registry.bluenet-ride.com.key -out registry.bluenet-ride.com.key.csr
openssl x509 -req -days 365 -in bluenet-ride.com.csr -signkey bluenet-ride.com.key -out bluenet-ride.com.crt
</code>

===== Convert to PKCS12 format =====
<code>
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
</code>

===== View cert =====
<code>
openssl s_client -showcerts -connect encrypted.google.com:443 < /dev/null 2> /dev/null | openssl x509 -noout -enddate
openssl x509 -noout -text -in cert.pem
openssl req -noout -text -in req.pem
</code>


===== Trust CA system-wide =====
<code>
trust anchor ca.crt
# trust anchor --remove ca.crt
</code>

**Ref:**

  * https://unix.stackexchange.com/questions/104623/how-to-get-servers-ssl-certificate-in-a-human-readable-form
  * https://bbs.archlinux.org/viewtopic.php?id=235724