====== Create new key and csr for ssl-cert ======

<code>
openssl genrsa -des3 -out server17.key 2048
openssl req -new -key server17.key -out server17.csr
</code>
OR all in one command
<code>openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr</code>

and maybe also a self signed certificate:
<code>openssl x509 -req -days 365 -in server17.csr -signkey server17.key -out server17.crt</code>

get key uncrypted:
<code>openssl rsa -in server17.key -out postfix.key.unencrypted</code>
===== Use a config-File =====
server.cnf
<code>
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_keyfile = server.key
prompt = no
encrypt_key = no
default_bits = 4096
default_md = sha512

[req_distinguished_name]
# two character country code
C = XX
# State or Province Name
ST = Middelearth
# Locality Name (eg, city)
L = Gondor
# Organization Name (eg, company)
O = Fellowship of the ring
# Organizational Unit Name (eg, section) 
OU = Hobbits
# Common Name (eg, your name or your server's hostname) 
CN = alias1.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server1.example.com
DNS.2 = alias1.example.com
IP = 10.20.30.40
</code>
After editing the file you can generate your CSR
<code># openssl req -new -config server.cnf -out server.csr</code>

=== Get things out of a pfx file ===
== Certificate ==
 <code># openssl pkcs12 -in /path/to/wildcard.pfx -out /path/to/certstore/mydomain.cer -nokeys -clcerts </code>
== key ==

 <code># openssl pkcs12 -in /path/to/wildcard.pfx -out /path/to/keystore/mydomain.key -nocerts -nodes </code>
== CA-Cert ==
 <code># openssl pkcs12 -in /path/to/wildcard.pfx -out /path/to/certstore/ca.cer -nodes -nokeys -cacerts </code>

=== Get things in a pfx file ===
<code>
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
</code>
{{tag>[Good2Know HowTo SSL TLS]}}