Difference between revisions of "OpenSSL Notes"

Revision as of 16:46, 23 November 2015

OpenSSL tasks

Remove pass phrase from a key:

openssl rsa -in key.txt -out new.key

Generate a password hash (md5):

echo "blah" | openssl passwd -1 -stdin

Verify a server certificate:

openssl s_client -showcerts -connect <server>:<port>

For servers that upgrade a plaintext connection with STARTTLS (for example SMTP, IMAP, POP3 or FTP), use the -starttls option and name the protocol:

openssl s_client -showcerts -starttls smtp -connect host.example.com:25

See http://www.madboa.com/geek/openssl/#cert-test for more info.

Check certificate info. This will show you the cert details such as the common name, expiration date, etc.

openssl x509 -in certificate.crt -text -noout

Verifying an SSL cert

Verifying that a key and certificate match

To verify that a certificate and a key file match, compare the modulus of each. The 'modulus' and the 'public exponent' portions of the key and the certificate must match. The following commands (for RSA keys, which is what openssl rsa handles) produce an MD5 sum of the modulus, which can be used to find the key that matches a certificate or vice versa.

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

Creating a self-signed certificate

Step one - create the private key and certificate signing request (without -keyout, openssl req writes the key to privkey.pem by default and protects it with a passphrase):

 openssl req -newkey rsa:4096 > new.cert.csr

Step two (optional) - remove the passphrase from the key:

 openssl rsa -in privkey.pem -out new.cert.key

Step three (optional) - convert the CSR into a self-signed certificate:

 openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

This will produce a self-signed cert that can be used for any SSL service.

For example, the Apache-SSL directives are as follows:

 SSLCertificateFile /path/to/certs/new.cert.cert
 SSLCertificateKeyFile /path/to/certs/new.cert.key
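An added example (not from the original wiki page) covering both the key/certificate matching check and the self-signed certificate steps above: it generates throwaway keys and self-signed certificates, then decides whether a private key belongs to a certificate by hashing the DER-encoded public key, which, unlike the RSA-only -modulus comparison, also works for EC keys. It assumes the openssl CLI is on PATH; all host names and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Creates throwaway key pairs
# and self-signed certificates, then checks whether a private key belongs to a
# certificate by comparing SHA-256 hashes of the DER-encoded public keys. Unlike
# the RSA-only "-modulus" comparison, this works for EC keys too.
# Assumes the openssl CLI is on PATH; every file name here is constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Unencrypted private keys (no passphrase, so nothing to strip afterwards).
new_rsa_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
new_ec_key()  { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Self-signed certificate for an existing key: $1 = CN, $2 = key file, $3 = cert out.
make_selfsigned() {
    openssl req -x509 -new -key "$2" -days 365 -subj "/CN=$1" -out "$3" 2>/dev/null
}

# SHA-256 of the certificate's SubjectPublicKeyInfo in DER form (hex string).
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same hash, derived from the private key (RSA and EC alike).
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when key $1 matches certificate $2, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]
}

# Demo: an RSA pair, an EC pair, and a cross-check that must fail.
new_rsa_key "$WORKDIR/rsa.key"; make_selfsigned rsa.example.test "$WORKDIR/rsa.key" "$WORKDIR/rsa.crt"
new_ec_key  "$WORKDIR/ec.key";  make_selfsigned ec.example.test  "$WORKDIR/ec.key"  "$WORKDIR/ec.crt"
key_matches_cert "$WORKDIR/rsa.key" "$WORKDIR/rsa.crt" && echo "rsa.key matches rsa.crt"
key_matches_cert "$WORKDIR/ec.key"  "$WORKDIR/ec.crt"  && echo "ec.key matches ec.crt"
key_matches_cert "$WORKDIR/rsa.key" "$WORKDIR/ec.crt"  || echo "rsa.key does not match ec.crt"
```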

Converting SSL certs

Convert PFX to PEM (-nodes writes the private key into the PEM file unencrypted):

openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes

Convert cert file to PFX:

#!/bin/bash
# crt2pfx: bundle a PEM certificate and its private key into a PKCS#12 (.pfx) file.
# Usage: ./crt2pfx cert.crt keyfile cert_name
[ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || { echo "Usage: ./crt2pfx cert.crt keyfile cert_name"; exit 1; }

# Normalise the certificate by round-tripping it through DER and back to PEM.
openssl x509 -in "$1" -out input.der -outform DER || exit 1

openssl x509 -in input.der -inform DER -out output.pem -outform PEM || exit 1

# Export certificate and key as a PFX named after the third argument; openssl prompts for an export password.
openssl pkcs12 -export -in output.pem -inkey "$2" -out "$3.pfx" -name "$3" || exit 1

echo "cleaning up..."
sleep 1

echo "Removing input.der"
rm input.der
sleep 1

echo "Removing output.pem"
rm output.pem
sleep 1

exit 0