Difference between revisions of "OpenSSL Notes"

Revision as of 17:08, 23 November 2015

OpenSSL tasks

Remove pass phrase from a key:

openssl rsa -in key.txt -out new.key

Generate a password hash (MD5-based crypt, the -1 algorithm):

echo "blah" | openssl passwd -1 -stdin

Verify a server certificate

You can test an SSL/TLS connection using the s_client subcommand.

openssl s_client -connect <server>:<port>

For servers that start in plaintext and upgrade to TLS with STARTTLS, use the -starttls option naming the protocol; -showcerts prints the whole chain the server sends, and a version flag such as -tls1_2 forces that protocol version.

openssl s_client -showcerts -starttls smtp -connect host.example.com:25
openssl s_client -showcerts -connect www.example.com:443 -tls1_2

Extract cert used for a connection

openssl s_client -connect www.example.com:443 -tls1_2 </dev/null 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > www.example.com.crt
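The sed range above dumps every certificate in the s_client output into one file, so with -showcerts the whole chain lands in a single .crt and x509 -text only shows the first one. The following splitter is an added example, not part of the original notes: it reads s_client output on stdin and writes each PEM block to its own numbered file so that each can be inspected separately. The sample transcript is constructed for the example (the base64 bodies are placeholders, not real certificates), and it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Split every PEM certificate block found in s_client output into its own file.
# Added example (not from the original notes). Input is read from stdin; files
# are written as $1/cert-<n>.pem and the number of certificates is printed.
split_pem_certs() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > file }
        /-----END CERTIFICATE-----/   { inblock = 0; close(file) }
        END                           { print n + 0 }
    '
}

# Constructed sample of what `openssl s_client -showcerts` prints: connection
# chatter plus a two-certificate chain. The bodies are placeholders only.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 C = XX, O = Example CA
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:C = XX, O = Example CA
-----BEGIN CERTIFICATE-----
MIIBLEAFCERTPLACEHOLDER0000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA
   i:C = XX, O = Example CA
-----BEGIN CERTIFICATE-----
MIIBISSUERCERTPLACEHOLDER000000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
'

# Real-world usage (network, so not run here):
#   openssl s_client -showcerts -connect www.example.com:443 </dev/null 2>/dev/null | split_pem_certs ./chain
#   openssl x509 -in ./chain/cert-1.pem -text -noout
```

cert-1.pem is always the leaf (s_client prints the chain leaf first), so the issuer certificates follow in order and can each be checked with x509 -text -noout.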

Check cert details

openssl x509 -in certificate.crt -text -noout

Verifying that a key and certificate match

To verify that a certificate and a key file match, compare the modulus of each: the modulus and the public exponent of the key must be identical to those in the certificate. The following commands print an MD5 digest of the modulus, which can be compared to find the key that matches a cert, or vice versa.

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

Creating a self-signed certificate

  • Step one - create the private key and certificate signing request (with the stock openssl.cnf the key is written to privkey.pem; pass -keyout to choose another name):
 openssl req -newkey rsa:4096 > new.cert.csr
  • Step two - remove the passphrase from the key (optional):
 openssl rsa -in privkey.pem -out new.cert.key
  • Step three (optional) - convert the CSR into a self-signed certificate:
 openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

This will produce a self-signed cert that can be used for any SSL service.

For example, the Apache-SSL directives are as follows:

 SSLCertificateFile /path/to/certs/new.cert.cert
 SSLCertificateKeyFile /path/to/certs/new.cert.key
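The three steps above are interactive (openssl req prompts for a passphrase and the subject fields). The script below is an added example, not from the original notes: it runs the same procedure non-interactively and then applies the key/certificate match check from the earlier section, both in the modulus form the notes use and in a generalised form that compares the whole public key (so it also works for EC keys, which have no RSA modulus). It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the directory and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): the three-step self-signed
# certificate procedure run non-interactively, followed by the key/certificate
# match check. Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.

# Steps one to three in one function: key + CSR, passphrase-free key, self-signed cert.
# $1 = output directory, $2 = subject common name (e.g. a hostname).
make_self_signed() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Step one: -nodes skips the passphrase prompt, -subj the interactive questions,
    # -keyout names the key (the notes rely on the default privkey.pem)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/new.cert.key" -out "$dir/new.cert.csr" 2>/dev/null || return 1
    # Step two is already done: the key was written without a passphrase, which is
    # what "openssl rsa -in privkey.pem -out new.cert.key" achieves in the notes.
    # Step three: self-sign the CSR with its own key
    openssl x509 -req -in "$dir/new.cert.csr" -signkey "$dir/new.cert.key" \
        -days 365 -out "$dir/new.cert.cert" 2>/dev/null || return 1
}

# Print the subject of a certificate (format: "subject=CN = host" on 1.1.1/3.x).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Match check exactly as in the notes: MD5 of the RSA modulus on one side.
# $1 = file path, $2 = "x509" for a certificate or "rsa" for a private key.
rsa_modulus_md5() {
    openssl "$2" -noout -modulus -in "$1" | openssl md5
}

# Generalised check that also covers non-RSA keys: digest the DER-encoded public
# key taken from the certificate and from the private key and compare them.
# Returns 0 when they match, 1 otherwise (or when either file is unreadable).
key_matches_cert() {
    cert=$1; key=$2
    a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage sketch (placeholder paths):
#   make_self_signed ./certs www.example.com
#   key_matches_cert ./certs/new.cert.cert ./certs/new.cert.key && echo "key matches cert"
```

The modulus form is what the notes describe and is fine for RSA; the public-key digest form is the one to keep in a script, because it gives the same answer for RSA and fails cleanly, rather than comparing two empty strings, when a file cannot be parsed.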

Converting SSL certs

Convert PFX to PEM:

openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

Convert cert file to PFX:

#!/bin/sh
# crt2pfx - bundle a certificate and its private key into a PKCS#12 (.pfx) file
[ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "Usage: ./crt2pfx cert.crt keyfile cert_name" >&2; exit 1; }

# Normalise the certificate to a clean PEM copy (strips any text dump or other
# sections from the input file) by round-tripping it through DER
openssl x509 -in "$1" -out input.der -outform DER || exit 1
openssl x509 -in input.der -inform DER -out output.pem -outform PEM || exit 1

# Build the PFX; -name sets the friendly name shown by Windows and Java keystores
openssl pkcs12 -export -in output.pem -inkey "$2" -out "$3.pfx" -name "$3" || exit 1

echo "cleaning up..."
echo "Removing input.der"
rm -f input.der
echo "Removing output.pem"
rm -f output.pem

exit 0