====== OpenSSL ======

**General Information**

Openssl is a tool to perform many certificate related tasks such as creating a CSR, verifying certs+keys, and converting formats.

**Checklist**
  * Distro(s): Any

----

====== Certificate Encoding ======

  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.
<code bash>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</code>
  * PKCS #7 B (P7B) - Represents a set of certificates. (IE a certificate chain)
  * PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single file.
  * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.

----

====== Common Extensions ======
  * .crt - Used for certificates, commonly on *nix systems.
  * .cer - Used for certificates, commonly on Windows.
  * .key - Public/private pkcs keys, encoded as binary DER or ASCII PEM.

----

====== Generate Certificate Signing Requests ======

Generating certificate signing requests to send to a certificate authority.

\\
===== New Private Key and CSR =====
<code bash>
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
</code>

\\
===== New CSR for an Existing Private Key =====
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code> 

\\
===== CSR Based On Existing Certificate =====
<code bash>
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
</code>

----

====== Self-Signed Certificates ======

Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority.

\\
===== Generate Self-Signed =====

Generate a self-signed cert and private key from scratch
<code bash>openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt</code>

\\
===== Generate Self-Signed from Existing Private Key =====

Generate a self-signed cert from an existing private key
<code bash>openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt</code>

\\
===== Generate Self-Signed from Existing Private Key and CSR =====

Generate a self-signed cert from an existing private key and existing CSR
<code bash>openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt</code>

----

====== Certificate Conversions ======

Converting certificates from one type to another.

\\
===== Extract Cert, Key, CA from PFX =====
  * Extract Key<code bash>openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key</code>
  * Extract Certificate<code bash>openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt</code>
  * Extract Certificate Authority<code bash>openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt</code>

\\
===== Convert binary DER to PEM =====
<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>

\\
===== Convert PEM to DER =====
<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>

\\
===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM =====
<code bash>
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>

\\
===== Create crt/key from a PFX file =====
<code bash>
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
</code>

\\
===== Create client crt and intermediate chain cert from .p7b(PKCS7) =====

Convert p7b to PEM combined, then convert to bundle of certs
<code bash>
openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
</code>

View the "mysite.p7b.bundle" file:
  * The top BEGIN/END block is the client cert
    * Copy that single BEGIN/END into a new file for the client cert
  * The rest is the certificate chain
    * Copy all the rest into a new file for the intermediate chain cert

----

====== Cert+Key Matching ======

Openssl can be used to very that a certificate and key match.

\\
Compare to ensure they match
<code bash>
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
</code>

\\
Similar method, but running output through md5 hash for a shorter comparison
<code bash>
openssl x509 -noout -text -in mysite.crt | openssl md5
openssl rsa -noout -text -in mysite.key | openssl md5
</code>

----

====== Displaying Certificate Contents ======

Display Certificate Contents
<code bash>
openssl x509 -in mysite.crt -text
</code>

\\
Display CSR Contents
<code bash>
openssl req -in mysite.csr -text
</code>

----

====== Verification ======

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>

\\
Remotely check a site's certificate and fingerprint it
<code bash>
openssl s_client -connect <domain>:443 -showcerts | openssl x509 -text -fingerprint
</code>

----