Generating ICP-Brasil standard A1 certificates on GNU Linux

As everyone probably knows, the program for working with certificates on Linux is OpenSSL, so the examples follow below:

### Generating a self-signed certificate
  1. openssl req -new -newkey rsa:2048 -sha256 -nodes > new.cert.req
    Country Name (2 letter code) [AU]: two-letter country code;
    State or Province Name (full name) [Some-State]: state name in full
    Locality Name (eg, city) []: city
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: always ICP-Brasil
    Organizational Unit Name (eg, section) []: company name, e.g. Corporação Incolume
    Common Name (e.g. server FQDN or YOUR name) []: FQDN, e.g. www.incolume.com.br
    Email Address []: administrator's e-mail, e.g. postmaster@incolume.com.br
    Generating a 2048 bit RSA private key
    ..........................+++
    ..................................................+++
    writing new private key to 'privkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:BR
    State or Province Name (full name) [Some-State]:Distrito Federal
    Locality Name (eg, city) []:BSB
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ICP-Brasil
    Organizational Unit Name (eg, section) []:Corporação Incolume
    Common Name (e.g. server FQDN or YOUR name) []:www.incolume.com.br
    Email Address []:postmaster@incolume.com.br
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  2. openssl rsa -in privkey.pem -out new.cert.key
  3. openssl x509 -in new.cert.req -out new.cert.cer -req -signkey new.cert.key -days 365
Example:
  1. openssl req -newkey rsa:2048 -sha256 -nodes -keyout incolume`date +%s`.pem -out incolume`date +%s`.req -subj '/C=BR/ST=Distrito Federal/L=BSB/O=Non ICP-Brasil/OU=incolume.com.br/CN=email.incolume.com.br/emailAddress=postmaster@incolume.br'
  2. openssl rsa -in incolume1429107131.pem -out incolume1429107131.key
  3. openssl x509 -in incolume1429107131.req -out incolume1429107131.cer -req -signkey incolume1429107131.key -days 730
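
A consistency check for the files these steps produce, as an added example that is not part of the original page: it generates the key, request and self-signed certificate, then confirms that all three carry the same public key, that the request's signature verifies, and that the unencrypted key is readable only by its owner. The file prefix, function names and return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. The file prefix and subject are
# constructed sample values modelled on the page's example.
SUBJ='/C=BR/ST=Distrito Federal/L=BSB/O=Non ICP-Brasil/OU=incolume.com.br/CN=email.incolume.com.br'

# Steps 1-3 above for prefix $1: key + request, then a self-signed certificate.
make_selfsigned() {
    ( umask 077   # -nodes stores the key unencrypted, so keep it owner-only
      openssl req -new -newkey rsa:2048 -sha256 -nodes \
          -keyout "$1.key" -out "$1.req" -subj "$SUBJ" 2>/dev/null &&
      openssl x509 -req -in "$1.req" -signkey "$1.key" -sha256 \
          -days 730 -out "$1.cer" 2>/dev/null )
}

# Print the SHA-256 of the public key held by a key, request or certificate.
pub_digest() {   # $1 = key|req|cer, $2 = file
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        req) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cer) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    esac
    [ -n "$pem" ] || return 1          # unreadable file: never compare empties
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = consistent; 1 = unreadable file; 2 = public keys differ;
# 3 = request signature invalid; 4 = key readable by group or others.
check_bundle() {
    k=$(pub_digest key "$1.key") || return 1
    r=$(pub_digest req "$1.req") || return 1
    c=$(pub_digest cer "$1.cer") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 2
    # Match on the message rather than relying on the exit status.
    openssl req -in "$1.req" -noout -verify 2>&1 | grep -q 'verify OK' || return 3
    [ "$(ls -l "$1.key" | cut -c5-10)" = "------" ] || return 4
}

# Demo in a scratch directory.
tmp=$(mktemp -d) && make_selfsigned "$tmp/incolume-demo" &&
    check_bundle "$tmp/incolume-demo" && echo "key, request and certificate match"
rm -rf "$tmp"
```

Running check_bundle on the prefix before sending the request to a CA catches a key file that was overwritten or left group-readable after the request was created.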
Key and request only:
    openssl req -newkey rsa:2048 -sha256 -nodes -keyout x.key -out x.req -subj '/C=BR/ST=Distrito Federal/L=BSB/O=ICP-Brasil/OU=incolume.com.br/CN=www.incolume.com.br/emailAddress=postmaster@incolume.com.br'
Or
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj '/C=BR/ST=Distrito Federal/L=BSB/O=ICP-Brasil/OU=Incolume.com.br/CN=www.incolume.com.br/emailAddress=postmaster@incolume.com.br' -keyout www4-`date +%F`.key -out www4-`date +%F`.req
Or
    SITE=incolume
    openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "/C=BR/ST=Distrito Federal/L=BSB/O=ICP-Brasil/OU=Incolume/CN=*.${SITE}.com.br/emailAddress=postmaster@incolume.com.br" -keyout ${SITE}-`date +%F`.key -out ${SITE}-`date +%F`.req

Updates

  • 2016/05/10
