Differences
This shows you the differences between two versions of the page.
linux_wiki:openssl [2015/04/06 16:56] billdozor
linux_wiki:openssl [2019/05/25 23:50]
====== OpenSSL ======
**General Information**

OpenSSL is a tool to perform many certificate related tasks such as creating a CSR, verifying that certs and keys match, and converting between formats.

**Checklist**
  * Distros: All

----

===== Certificate Encoding =====

  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format (base64-encoded DER between BEGIN/END armor lines).
<code bash>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</code>
  * PKCS #7 B (P7B) - Represents a set of certificates (i.e. a certificate chain).
  * PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single file.
  * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.

----

===== Common Extensions =====
  * .crt - Used for certificates,
  * .cer - Used for certificates,
  * .key - Public/

----

===== Generate Certificate Signing Requests =====

====New Private Key and CSR====
<code bash>
openssl req -out MYSITE.csr -new -newkey rsa:2048 -nodes -keyout MYSITE.key
</code>

====New CSR for an Existing Private Key====
<code bash>
openssl req -out MYSITE.csr -key MYSITE.key -new
</code>

====CSR Based On Existing Certificate====
<code bash>
openssl x509 -x509toreq -in MYSITE.crt -out MYSITE.csr -signkey MYSITE.key
</code>

----

===== Certificate Conversions =====

====Convert binary DER to PEM====
<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>

====Convert PEM to DER====
<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>

====Convert PKCS#
<code bash>
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>

====Create crt/key from a PFX file====
<code bash>
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
</code>

----

=====Cert+Key Matching=====

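The three CSR commands above are interactive and stop at the subject prompts. The following script is an added example, not part of the wiki page: it runs the "New Private Key and CSR" command non-interactively with `-subj`, adds a subjectAltName with `-addext`, and then checks the request (self-signature, subject, SAN entries) before it goes to a CA. It assumes `openssl` 1.1.1 or later is in PATH (`-addext` needs it); the file names, subject and SAN list are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the wiki page): non-interactive key + CSR creation,
# followed by checks a practitioner runs before submitting the request.
# Assumes openssl >= 1.1.1 in PATH; names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_key_and_csr BASENAME SUBJECT SAN_LIST
#   Writes BASENAME.key (unencrypted, as -nodes does on the page) and BASENAME.csr.
#   -subj replaces the interactive prompts; -addext puts a subjectAltName in the
#   request, which is what modern clients check instead of the CN.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" -addext "subjectAltName=$3" 2>/dev/null
}

# csr_self_check CSR -> 0 when the CSR's self-signature verifies, i.e. the
#   request was not altered and was signed by the key whose public half it carries
csr_self_check() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_subject CSR -> subject in RFC 2253 form (most specific RDN first)
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_has_dns_san CSR NAME -> 0 when NAME is listed as a DNS entry in the SAN extension
#   (the -text dump lists entries as "DNS:a, DNS:b"; split on comma/space, match whole line)
csr_has_dns_san() {
    openssl req -in "$1" -noout -text | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

new_key_and_csr "$WORK/mysite" "/O=Example/CN=www.example.test" \
    "DNS:www.example.test,DNS:example.test"

echo "subject:   $(csr_subject "$WORK/mysite.csr")"
if csr_self_check "$WORK/mysite.csr"; then echo "signature: OK"; else echo "signature: FAILED"; fi
if csr_has_dns_san "$WORK/mysite.csr" example.test; then echo "SAN:       example.test present"; fi

# What the CA will see (same output as the page's "Display CSR Contents" command)
openssl req -in "$WORK/mysite.csr" -noout -text | sed -n '1,12p'
```

`csr_self_check` only proves the request is internally consistent; whether the requester controls the names is the CA's job to establish.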
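The encoding section and the conversion commands above go together: PEM is base64 DER with armor lines, and a PKCS#12 file is yet another container for the same certificate. The script below is an added example, not part of the wiki page. It tells PEM from DER by looking at the file, runs the page's DER/PEM and PKCS#12 conversions in both directions, and checks each step by comparing the certificate's SHA-256 fingerprint, which is independent of the encoding. It assumes `openssl` is in PATH; the file names, subject and PKCS#12 password are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the wiki page): detect PEM vs DER, convert between
# them and through PKCS#12, and confirm the certificate is unchanged by
# comparing fingerprints. Assumes openssl in PATH; names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fixture: a throwaway self-signed certificate and its key (constructed, valid 1 day)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=conv.example.test" -days 1 \
    -keyout "$WORK/mysite.key" -out "$WORK/mysite.crt" 2>/dev/null

# cert_encoding FILE -> prints PEM, DER or unknown.
#   PEM is ASCII with a -----BEGIN armor line; DER is binary, and a certificate
#   or key starts with byte 0x30, the ASN.1 tag for SEQUENCE.
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1"; then
        echo PEM
    elif [ "$(od -A n -N 1 -t x1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo unknown
    fi
}

# cert_fingerprint FILE INFORM -> SHA-256 fingerprint such as AB:CD:...
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

pem_to_der() { openssl x509 -in "$1" -outform der -out "$2"; }  # page's "Convert PEM to DER"
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }   # page's "Convert binary DER to PEM"

# bundle_pkcs12 OUT.pfx CERT KEY PASSWORD -> key and certificate in one PKCS#12 file
bundle_pkcs12() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -out "$1" -passout "pass:$4"
}

# unbundle_pkcs12 IN.pfx PASSWORD OUT.pem -> key and cert as PEM, key unencrypted (-nodes, as on the page)
unbundle_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# roundtrip_ok CERT.pem -> 0 when PEM -> DER -> PEM yields the same certificate
roundtrip_ok() {
    pem_to_der "$1" "$WORK/rt.der"
    der_to_pem "$WORK/rt.der" "$WORK/rt.pem"
    [ "$(cert_fingerprint "$1" pem)" = "$(cert_fingerprint "$WORK/rt.pem" pem)" ]
}

# pkcs12_ok CERT KEY -> 0 when the certificate survives a PKCS#12 bundle/unbundle cycle
#   (openssl x509 skips the key block in the unbundled PEM and reads the certificate)
pkcs12_ok() {
    bundle_pkcs12 "$WORK/mysite.pfx" "$1" "$2" "example-password"
    unbundle_pkcs12 "$WORK/mysite.pfx" "example-password" "$WORK/unbundled.pem"
    [ "$(cert_fingerprint "$1" pem)" = "$(cert_fingerprint "$WORK/unbundled.pem" pem)" ]
}

pem_to_der "$WORK/mysite.crt" "$WORK/mysite.der"
echo "mysite.crt is $(cert_encoding "$WORK/mysite.crt"), mysite.der is $(cert_encoding "$WORK/mysite.der")"
echo "fingerprint: $(cert_fingerprint "$WORK/mysite.crt" pem)"
if roundtrip_ok "$WORK/mysite.crt"; then echo "PEM/DER round trip: fingerprint unchanged"; fi
if pkcs12_ok "$WORK/mysite.crt" "$WORK/mysite.key"; then echo "PKCS#12 round trip: fingerprint unchanged"; fi
```

Comparing fingerprints rather than file bytes is the right check: two PEM files can differ in line wrapping or trailing "Bag Attributes" text and still carry the identical certificate.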
OpenSSL can be used to verify that a certificate and key match: both must carry the same public key (for RSA, the same modulus).

Compare the Modulus section of each output to ensure they match
<code bash>
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
</code>

Similar method, but printing only the modulus and running it through an md5 hash for a shorter comparison
<code bash>
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
</code>
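The modulus comparison above only applies to RSA keys. The script below is an added example, not part of the wiki page: it wraps the page's modulus check in a function and adds a second check that compares the public key extracted from the certificate with the one derived from the private key, which works for any key type (RSA, ECDSA, Ed25519). It assumes `openssl` is in PATH; the certificate, its key and the unrelated key are generated as constructed fixtures.

```bash
#!/bin/sh
# Added example (not from the wiki page): two ways to confirm that a private
# key belongs to a certificate, tried against a matching and a non-matching key.
# Assumes openssl in PATH; all files are constructed fixtures.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Fixtures: a certificate with its own key, plus an unrelated RSA key
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=match.example.test" -days 1 \
    -keyout "$WORK/mysite.key" -out "$WORK/mysite.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# rsa_modulus_match CERT KEY -> 0 when both carry the same RSA modulus
#   (the page's method, hashed so the two values are short enough to eyeball)
rsa_modulus_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# pubkey_match CERT KEY -> 0 when the public key derived from KEY equals the one
#   embedded in CERT. Compares the SubjectPublicKeyInfo as PEM, so it is not
#   tied to RSA: EC and Ed25519 keys work the same way.
pubkey_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

for key in mysite other; do
    if rsa_modulus_match "$WORK/mysite.crt" "$WORK/$key.key"; then
        echo "modulus:  mysite.crt + $key.key match"
    else
        echo "modulus:  mysite.crt + $key.key MISMATCH"
    fi
    if pubkey_match "$WORK/mysite.crt" "$WORK/$key.key"; then
        echo "pubkey:   mysite.crt + $key.key match"
    else
        echo "pubkey:   mysite.crt + $key.key MISMATCH"
    fi
done
```

A mismatch after a certificate renewal usually means the web server was pointed at the old key; both checks catch it before the service is restarted with a pair that will fail the TLS handshake.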

----

=====Displaying Certificate Contents=====

Display Certificate Contents
<code bash>
openssl x509 -in mysite.crt -text
</code>

Display CSR Contents
<code bash>
openssl req -in mysite.csr -text
</code>

----

=====Verification=====

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>
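`openssl verify` treats whatever is in `-CAfile` as a trust anchor, so the command above works as written only when the intermediate is accepted as an anchor (with `-partial_chain`) or is itself the root. The script below is an added example, not part of the wiki page: it builds a root, an intermediate and a leaf, verifies the leaf with the root trusted and the intermediate supplied via `-untrusted`, shows the same leaf being rejected against an unrelated root, verifies in the page's intermediate-as-anchor form, and packs the issuing chain into a P7B bundle (the PKCS#7 format listed in the encoding section). It assumes `openssl` 1.1.1 or later is in PATH; every name is constructed.

```bash
#!/bin/sh
# Added example (not from the wiki page): build root -> intermediate -> leaf,
# verify the chain in two forms, and bundle the chain as PKCS#7 (P7B).
# Assumes openssl >= 1.1.1 in PATH; all names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root BASENAME CN -> self-signed root certificate and key
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$2" -days 2 2>/dev/null
}

# issue BASENAME CN ISSUER_BASENAME CA_FLAG
#   Creates a key + CSR for CN and signs it with the issuer. CA_FLAG is TRUE for
#   an intermediate and FALSE for a leaf: verify rejects a chain whose middle
#   certificate is not marked basicConstraints CA:TRUE.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
    printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# verify_chain LEAF INTERMEDIATE ROOT -> 0 when LEAF chains to the trusted ROOT.
#   -CAfile holds trust anchors; -untrusted supplies intermediates that may be
#   used to build the chain but are not trusted on their own.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# verify_from_intermediate LEAF INTERMEDIATE -> 0 when LEAF was issued by INTERMEDIATE.
#   This is the wiki's form (intermediate in -CAfile); -partial_chain makes
#   openssl accept a non-self-signed certificate there as the anchor.
verify_from_intermediate() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_to_p7b OUT.p7b CERT1 CERT2 -> PKCS#7 bundle holding both certificates
chain_to_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$2" -certfile "$3" -out "$1"
}

# p7b_cert_count FILE.p7b -> number of certificates in the bundle
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='
}

make_root "$WORK/root"  "Example Root CA"
make_root "$WORK/other" "Unrelated Root CA"
issue "$WORK/int"  "Example Intermediate CA" "$WORK/root" TRUE
issue "$WORK/leaf" "www.example.test"        "$WORK/int"  FALSE
chain_to_p7b "$WORK/chain.p7b" "$WORK/int.crt" "$WORK/root.crt"

if verify_chain "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt"; then
    echo "leaf -> intermediate -> root: OK"
fi
if verify_chain "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/other.crt"; then
    echo "leaf against unrelated root: OK (unexpected)"
else
    echo "leaf against unrelated root: rejected, as it should be"
fi
if verify_from_intermediate "$WORK/leaf.crt" "$WORK/int.crt"; then
    echo "leaf with intermediate as anchor (-partial_chain): OK"
fi
echo "chain.p7b holds $(p7b_cert_count "$WORK/chain.p7b") certificates"
```

The `-untrusted` form is the one to use in automation: it mirrors what a TLS client does, trusting only the root and letting the server-supplied intermediate fill the gap.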