OpenSSL Notes
Contents
- 1 OpenSSL tasks
- 2 References
OpenSSL tasks
Creating a CSR and/or self-signed certificate
- Step one - create a private key and certificate signing request (CSR).
Work in a scratch directory with a private copy of the OpenSSL config so the system file stays untouched (on Debian/Ubuntu the config lives at /etc/ssl/openssl.cnf instead):
mkdir /root/ssl
cd /root/ssl
cp /etc/pki/tls/openssl.cnf /root/ssl/
Append a [SAN] section listing every hostname the certificate must cover. The format string is quoted so the shell does not expand [SAN] as a glob pattern:
printf '[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com,DNS:www2.example.com\n' >> /root/ssl/openssl.cnf
Create a CSR with a new 4096-bit RSA key. Without -keyout the key is written to privkey.pem (the default_keyfile from openssl.cnf) and you are prompted for a passphrase; add -nodes (-noenc on OpenSSL 3) to write it unencrypted:
openssl req -new -sha256 -newkey rsa:4096 -reqexts SAN -config /root/ssl/openssl.cnf -subj '/C=US/ST=Michigan/L=Mason/O=Example Corp/OU=IT/CN=server.example.com/emailAddress=it@example.com' > csr.txt
Create a new CSR using an existing key:
openssl req -new -sha256 -key site.example.key -reqexts SAN -config /root/ssl/openssl.cnf -subj '/C=US/ST=Michigan/L=Mason/O=Example Corp/OU=IT/CN=server.example.com/emailAddress=it@example.com' > csr.txt
- Step two - remove the passphrase from the key (optional, but needed when the service has to start unattended):
openssl rsa -in privkey.pem -out key.txt
The output file holds the unencrypted private key, so restrict it to the owner (chmod 600) before handing it to the service.
- Step three (optional) - convert the CSR into a self-signed certificate (${cn} is the file name prefix; with the names used above that is csr.txt and key.txt):
openssl x509 -in ${cn}.csr -out ${cn}.crt -req -signkey ${cn}.key -days 365
Note that openssl x509 -req does not copy the extensions from the CSR into the certificate, so the SAN list is lost unless you add -extfile /root/ssl/openssl.cnf -extensions SAN. This produces a self-signed cert that can be used for any TLS service; since no CA vouches for it, clients have to trust it explicitly.
For example, the Apache (mod_ssl) directives are as follows:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key
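The three steps above as one script, added here as an example and not part of the original notes. It uses -addext (OpenSSL 1.1.1 or later) instead of the edited openssl.cnf, re-supplies the SAN list through -extfile so the self-signed certificate keeps it, and reads back the names the certificate actually carries rather than assuming them. The subject fields, hostnames, the 2048-bit key size and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): key + CSR with SANs +
# self-signed certificate in one go. Needs OpenSSL 1.1.1+ for -addext.
# Subject fields, hostnames and file names are placeholders.
set -eu
umask 077   # private keys must not be group/world readable

# make_csr BASE CN SANS
#   Writes BASE.key (unencrypted RSA key, so no passphrase step is needed
#   later) and BASE.csr. SANS is the subjectAltName value, e.g.
#   "DNS:server.example.com,DNS:www.example.com".
make_csr() {
    base=$1 cn=$2 sans=$3
    # 2048 bits keeps the example fast; the notes above use rsa:4096.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$base.key" 2>/dev/null
    openssl req -new -sha256 -key "$base.key" \
        -subj "/C=US/ST=Michigan/L=Mason/O=Example Corp/OU=IT/CN=$cn" \
        -addext "subjectAltName=$sans" \
        -out "$base.csr"
}

# self_sign BASE DAYS SANS
#   Turns BASE.csr into the self-signed BASE.crt. "x509 -req" drops the
#   extensions present in the CSR, so the SAN is handed over again through
#   -extfile; without it the certificate would carry no subjectAltName.
self_sign() {
    base=$1 days=$2 sans=$3
    printf 'subjectAltName=%s\n' "$sans" > "$base.ext"
    openssl x509 -req -sha256 -days "$days" -in "$base.csr" \
        -signkey "$base.key" -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    rm -f "$base.ext"
}

# san_of_cert FILE
#   Prints the SAN list the certificate really contains, e.g.
#   "DNS:server.example.com,DNS:www.example.com", so the result can be
#   checked instead of assumed.
san_of_cert() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed 1d | tr -d ' '
}

# Usage: ./mkcert.sh /root/ssl/site server.example.com DNS:server.example.com,DNS:www.example.com
if [ $# -eq 3 ]; then
    make_csr "$1" "$2" "$3"
    self_sign "$1" 365 "$3"
    echo "wrote $1.key $1.csr $1.crt with SAN $(san_of_cert "$1.crt")"
fi
```

Run it with a base path, the CN and the comma-separated SAN list; the last line prints the SAN as parsed back out of the finished certificate, which is the check to make before deploying it.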
Generate a password hash (md5)
echo "blah" | openssl passwd -1 -stdin
-1 produces an MD5-crypt hash ($1$...), which is weak by today's standards; where the consuming system supports it use -5 (SHA-256 crypt) or -6 (SHA-512 crypt) in the same invocation. A password typed after echo also ends up in the shell history.
Verify a server certificate
You can test a TLS connection with the s_client subcommand:
openssl s_client -connect <server>:<port>
For protocols that upgrade a plaintext connection with STARTTLS (SMTP, IMAP, POP3, FTP, LDAP, ...) add -starttls with the protocol name. -showcerts prints the whole chain the server sends rather than only the leaf, and -tls1_2 pins the protocol version, which is handy for checking which versions a server accepts:
openssl s_client -showcerts -starttls smtp -connect host.example.com:25
openssl s_client -showcerts -connect www.example.com:443 -tls1_2
On OpenSSL releases older than 1.1.1 add -servername www.example.com, otherwise no SNI is sent and a virtual host may answer with the wrong certificate.
Testing with a client cert:
openssl s_client -key <keyfile> -cert <cert> -CAfile <cafile> -connect <server>:8081
Extract cert used for a connection
openssl s_client -connect www.example.com:443 -tls1_2 </dev/null 2>&1 | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > www.example.com.crt
Without -showcerts only the leaf certificate is printed; with it the sed range captures every certificate of the chain into the one file. The </dev/null closes stdin so s_client exits instead of waiting for input, and -n is the portable spelling of GNU sed's --quiet.
Check cert details
openssl x509 -in certificate.crt -text -noout
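The connection-testing commands above as a small script, added here as an example and not part of the original notes: it dumps the chain a server presents, splits it into one file per certificate (leaf first), prints the details of each, and verifies the leaf through the intermediates against a CA file the way a client would. The host, port and CA bundle path are placeholders; split_chain works on any saved s_client output, so it can also be run offline on a captured transcript.

```shell
#!/bin/sh
# Added example (not from the original notes): capture the full chain a TLS
# server presents, split it into one file per certificate, and verify the
# leaf against the intermediates and a trusted CA file. Host, port and the
# paths are placeholders.
set -eu

# fetch_chain HOST PORT
#   Dump the handshake including every certificate the server sent. stdin is
#   closed so s_client exits instead of waiting for input; -servername makes
#   sure SNI is sent even on older OpenSSL releases.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        </dev/null 2>/dev/null
}

# split_chain DIR
#   Reads s_client output on stdin and writes DIR/cert-0.pem (the leaf),
#   DIR/cert-1.pem, ... in the order sent. Prints how many were written.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n); n++ }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# describe DIR: subject, issuer and expiry of every extracted certificate.
describe() {
    for c in "$1"/cert-*.pem; do
        echo "== $c"
        openssl x509 -in "$c" -noout -subject -issuer -enddate
    done
}

# verify_leaf DIR CAFILE
#   Builds the path leaf -> intermediates -> CAFILE the way a client would.
#   Intermediates go in with -untrusted: they must chain up to CAFILE and are
#   not trusted on their own.
verify_leaf() {
    dir=$1 cafile=$2
    set -- "$dir"/cert-[1-9]*.pem
    if [ -e "$1" ]; then
        cat "$@" > "$dir/intermediates.pem"
        openssl verify -CAfile "$cafile" -untrusted "$dir/intermediates.pem" \
            "$dir/cert-0.pem"
    else
        openssl verify -CAfile "$cafile" "$dir/cert-0.pem"
    fi
}

# Usage: ./chain.sh www.example.com 443 [/etc/pki/tls/cert.pem]
if [ $# -ge 2 ]; then
    work=$(mktemp -d)
    fetch_chain "$1" "$2" | split_chain "$work" >/dev/null
    describe "$work"
    verify_leaf "$work" "${3:-/etc/pki/tls/cert.pem}"
fi
```

A missing intermediate shows up here as a verify failure for cert-0.pem even though the leaf itself is fine, which is the most common cause of "works in browser X, fails in client Y" reports.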
Verifying that a key and certificate match
To verify that a certificate and a private key belong together, compare the public key they carry: for RSA, the modulus (and public exponent) in the certificate must equal the one in the key. The commands below hash the modulus so the two values are easy to compare by eye, which is also the quickest way to find the key that matches a given cert or vice versa (md5 is used only as a short fingerprint for the comparison; openssl sha256 works the same way). -modulus only exists for RSA; for EC keys compare the output of openssl pkey -pubout with the certificate's -pubkey instead.
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
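The same check done on the DER-encoded public key instead of the RSA modulus, added here as an example and not part of the original notes. Hashing the SubjectPublicKeyInfo works for RSA, EC and Ed25519 alike and accepts a certificate, CSR, private key or public key as input, so one function serves the "which key belongs to this cert" search as well. File and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes). The modulus trick only works
# for RSA; hashing the DER-encoded public key covers RSA, EC and Ed25519 keys
# alike. File names are placeholders.
set -eu

# pubkey_id FILE
#   SHA-256 of the SubjectPublicKeyInfo held in FILE, which may be a
#   certificate, a CSR, a private key or a public key (PEM). Encrypted private
#   keys will prompt for their passphrase.
pubkey_id() {
    hdr=$(sed -n '/-----BEGIN/{p;q;}' "$1")
    case $hdr in
        *"CERTIFICATE REQUEST"*) openssl req  -in "$1" -noout -pubkey ;;
        *CERTIFICATE*)           openssl x509 -in "$1" -noout -pubkey ;;
        *"PUBLIC KEY"*)          openssl pkey -in "$1" -pubin ;;
        *)                       openssl pkey -in "$1" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key A B: exit 0 when A and B hold the same public key.
same_key() {
    [ "$(pubkey_id "$1")" = "$(pubkey_id "$2")" ]
}

# find_key_for CERT DIR: print every DIR/*.key that belongs to CERT.
find_key_for() {
    want=$(pubkey_id "$1")
    for f in "$2"/*.key; do
        if [ "$(pubkey_id "$f")" = "$want" ]; then
            echo "$f"
        fi
    done
}

# Usage: ./keymatch.sh server.crt server.key
if [ $# -eq 2 ]; then
    if same_key "$1" "$2"; then
        echo "match: $(pubkey_id "$1")"
    else
        echo "MISMATCH: $1 and $2 carry different public keys" >&2
        exit 1
    fi
fi
```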
Converting SSL certs
Convert PFX to PEM (you are prompted for the PFX import password; -nodes, spelled -noenc on OpenSSL 3, leaves the private key unencrypted in the output):
openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes
Convert cert file to PFX (the input is already read as PEM, so no DER round trip is needed; add -certfile chain.pem to include the intermediates in the PFX):
#!/bin/bash
# Usage: ./crt2pfx cert.crt cert.key cert_name
# Bundles a PEM certificate and its private key into cert_name.pfx (PKCS#12).
[ $# -eq 3 ] || { echo "Usage: $0 cert.crt cert.key cert_name" >&2; exit 1; }
openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3.pfx" -name "$3"
List installed CA certs
The system bundle is /etc/pki/tls/cert.pem on RHEL-family systems and /etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu. The awk below starts a fresh openssl x509 process at every -----BEGIN line, so each certificate in the bundle is printed as one subject line.
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/cert.pem
If you're checking for a specific cert you can grep for the common name.
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/cert.pem | grep -E "Dart|DCIssuing"
Fix ASN errors
If you see errors similar to below you will need to convert the certificate file into the proper encoding.
unable to load certificate
140735207381436:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140735207381436:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
140735207381436:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509
140735207381436:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
The file may look like a PEM certificate, but a PKCS #7 bundle (.p7b) usually carries the whole chain, so its base64 body is much longer than a single X.509 certificate of the same key size, and its header reads -----BEGIN PKCS7----- rather than -----BEGIN CERTIFICATE-----. Extract the X.509 certificates from it with:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
The same "wrong tag" error also appears when the file is DER-encoded (binary, no BEGIN line at all); in that case pass -inform DER to openssl x509 (or openssl pkcs7) instead of converting.
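A small detector and converter for the situation above, added here as an example and not part of the original notes. It goes beyond the PKCS #7 case in the text: it tells PEM X.509, PEM PKCS #7, DER X.509 and DER PKCS #7 apart (the ASN.1 error alone does not say which one you have) and normalises any of them to a PEM X.509 file. File names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): work out which encoding a
# certificate file really uses and normalise it to PEM X.509. Extends the
# PKCS#7 case above to DER-encoded files, which raise the same "wrong tag"
# error. File names are placeholders.
set -eu

# cert_format FILE: prints pem-x509, pem-pkcs7, der-x509, der-pkcs7 or unknown.
#   PEM files are recognised by their header line; anything else is probed by
#   asking openssl to parse it as DER, certificate first, then PKCS#7.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem-x509
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo pem-pkcs7
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo der-x509
    elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; then
        echo der-pkcs7
    else
        echo unknown
    fi
}

# to_pem IN OUT: write the certificate(s) held in IN to OUT as PEM X.509.
#   For PKCS#7 input every certificate of the bundle is written, each preceded
#   by its subject= and issuer= lines, which PEM readers skip.
to_pem() {
    case $(cert_format "$1") in
        # already PEM; "x509 -in/-out" would keep only the first cert of a bundle
        pem-x509)  cp "$1" "$2" ;;
        pem-pkcs7) openssl pkcs7 -print_certs -in "$1" -out "$2" ;;
        der-x509)  openssl x509 -inform DER -in "$1" -out "$2" ;;
        der-pkcs7) openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" ;;
        *)         echo "$1: not an X.509 certificate or PKCS#7 bundle" >&2; return 1 ;;
    esac
}

# pem_count FILE: number of PEM certificates in FILE.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: ./to_pem.sh certificate.p7b certificate.cer
if [ $# -eq 2 ]; then
    echo "$1 is $(cert_format "$1")"
    to_pem "$1" "$2"
    echo "wrote $(pem_count "$2") certificate(s) to $2"
fi
```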
References
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
http://www.madboa.com/geek/openssl/#cert-test
https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/