Differences
This shows you the differences between two versions of the page.
linux_wiki:openssl [2015/04/06 16:53] billdozor [Displaying Certificate Contents]
linux_wiki:openssl [2018/08/09 13:33] billdozor
Line 6: | Line 6: | ||
**Checklist** | **Checklist** | ||
- | * Distros: All | + | * Distro(s): Any |
---- | ---- | ||
- | ===== Certificate Encoding ===== | + | ====== Certificate Encoding |
* Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format. | * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format. | ||
Line 26: | Line 26: | ||
---- | ---- | ||
- | ===== Common Extensions ===== | + | ====== Common Extensions |
* .crt - Used for certificates, | * .crt - Used for certificates, | ||
* .cer - Used for certificates, | * .cer - Used for certificates, | ||
Line 33: | Line 33: | ||
---- | ---- | ||
- | ===== Generate Certificate Signing Requests ===== | + | ====== Generate Certificate Signing Requests |
- | ====New Private Key and CSR==== | + | Generating certificate signing requests to send to a certificate authority. |
+ | |||
+ | \\ | ||
+ | ===== New Private Key and CSR ===== | ||
<code bash> | <code bash> | ||
- | openssl req -out MYSITE.csr | + | openssl req -new -newkey rsa:2048 -nodes |
</ | </ | ||
- | ====New CSR for an Existing Private Key==== | + | \\ |
+ | ===== New CSR for an Existing Private Key ===== | ||
<code bash> | <code bash> | ||
- | openssl req -out MYSITE.csr | + | openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr |
</ | </ | ||
- | ====CSR Based On Existing Certificate==== | + | \\ |
+ | ===== CSR Based On Existing Certificate | ||
<code bash> | <code bash> | ||
- | openssl x509 -x509toreq -in MYSITE.crt -out MYSITE.csr -signkey | + | openssl x509 -x509toreq -in MYSITE.crt -signkey |
</ | </ | ||
---- | ---- | ||
- | ===== Certificate Conversions | + | ====== Self-Signed Certificates ====== |
- | ====Convert binary DER to PEM==== | + | Self-signed certificates are for development/ |
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed ===== | ||
+ | |||
+ | Generate a self-signed cert and private key from scratch | ||
+ | <code bash> | ||
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed from Existing Private Key ===== | ||
+ | |||
+ | Generate a self-signed cert from an existing private key | ||
+ | <code bash> | ||
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed from Existing Private Key and CSR ===== | ||
+ | |||
+ | Generate a self-signed cert from an existing private key and existing CSR | ||
+ | <code bash> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Certificate Conversions ====== | ||
+ | |||
+ | Converting certificates from one type to another. | ||
+ | |||
+ | \\ | ||
+ | ===== Extract Cert, Key, CA from PFX ===== | ||
+ | * Extract Key<code bash> | ||
+ | * Extract Certificate< | ||
+ | * Extract Certificate Authority< | ||
+ | |||
+ | \\ | ||
+ | ===== Convert binary DER to PEM ===== | ||
<code bash> | <code bash> | ||
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem | openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem | ||
</ | </ | ||
- | ====Convert PEM to DER==== | + | \\ |
+ | ===== Convert PEM to DER ===== | ||
<code bash> | <code bash> | ||
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der | openssl x509 -outform der -in MYSITE.pem -out MYSITE.der | ||
</ | </ | ||
- | ====Convert PKCS# | + | \\ |
+ | ===== Convert PKCS# | ||
<code bash> | <code bash> | ||
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes | openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes | ||
</ | </ | ||
- | ====Create crt/key from a PFX file==== | + | \\ |
+ | ===== Create crt/key from a PFX file ===== | ||
<code bash> | <code bash> | ||
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem | openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem | ||
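Review bot: `-nodes` on the new CSR command (the `+` side of `openssl req -new -newkey rsa:2048 -nodes`) and on the PKCS#12-to-PEM conversion (`openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes`) writes the private key to disk unencrypted; say so beside each command and tell the reader to restrict the output file (for example `chmod 600 MYSITE.key`) or drop `-nodes` and accept the passphrase prompt. Two more points in this hunk: the three `<code bash>` fences under the new Self-Signed Certificates headings (Generate Self-Signed, from Existing Private Key, from Existing Private Key and CSR) are empty here, so the commands either were not saved or did not survive the diff and should be checked in the saved revision; and the new "Extract Cert, Key, CA from PFX" section overlaps with the kept "Create crt/key from a PFX file" section further down, since both run `openssl pkcs12` on a .pfx, so merge them or cross-reference one from the other. For the "CSR Based On Existing Certificate" command, `openssl x509 -x509toreq` builds the request from the certificate's subject and signs it with the `-signkey` key, but it does not copy the certificate's extensions (such as subjectAltName) by default, so note that SANs have to be supplied again when the CSR is submitted.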
Line 75: | Line 116: | ||
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt | openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt | ||
</ | </ | ||
+ | |||
+ | \\ | ||
+ | ===== Create client crt and intermediate chain cert from .p7b(PKCS7) ===== | ||
+ | |||
+ | Convert p7b to PEM combined, then convert to bundle of certs | ||
+ | <code bash> | ||
+ | openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem | ||
+ | openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle | ||
+ | </ | ||
+ | |||
+ | View the " | ||
+ | * The top BEGIN/END block is the client cert | ||
+ | * Copy that single BEGIN/END into a new file for the client cert | ||
+ | * The rest is the certificate chain | ||
+ | * Copy all the rest into a new file for the intermediate chain cert | ||
---- | ---- | ||
- | =====Cert+Key Matching===== | + | ====== Cert+Key Matching |
Openssl can be used to very that a certificate and key match. | Openssl can be used to very that a certificate and key match. | ||
+ | \\ | ||
Compare to ensure they match | Compare to ensure they match | ||
<code bash> | <code bash> | ||
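Review bot: the instruction "The top BEGIN/END block is the client cert" under the new .p7b section assumes an ordering that PKCS#7 does not guarantee; `openssl pkcs7 -print_certs` prints a `subject=` and `issuer=` line above each block, so tell the reader to pick the leaf by its subject (the block whose subject is the site name and which is not the issuer of any other block) rather than by position. The two commands can also be collapsed into one, because `-print_certs` accepts `-inform DER` directly: `openssl pkcs7 -inform DER -in mysite.p7b -print_certs -out mysite.p7b.bundle`. Also, in the unchanged Cert+Key Matching line "Openssl can be used to very that a certificate and key match", "very" should read "verify".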
Line 88: | Line 145: | ||
</ | </ | ||
+ | \\ | ||
Similar method, but running output through md5 hash for a shorter comparison | Similar method, but running output through md5 hash for a shorter comparison | ||
<code bash> | <code bash> | ||
Line 96: | Line 154: | ||
---- | ---- | ||
- | =====Displaying Certificate Contents===== | + | ====== Displaying Certificate Contents |
Display Certificate Contents | Display Certificate Contents | ||
Line 103: | Line 161: | ||
</ | </ | ||
+ | \\ | ||
Display CSR Contents | Display CSR Contents | ||
<code bash> | <code bash> | ||
openssl req -in mysite.csr -text | openssl req -in mysite.csr -text | ||
</ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Verification ====== | ||
+ | |||
+ | To verify that an intermediate cert and client certificate pass a chain of authority test: | ||
+ | <code bash> | ||
+ | openssl verify -CAfile mysites_intermediate.crt mysite.crt | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | Remotely check a site's certificate and fingerprint it | ||
+ | <code bash> | ||
+ | openssl s_client -connect < | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ |
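Review bot: `openssl verify -CAfile mysites_intermediate.crt mysite.crt` in the new Verification section only succeeds when the intermediate's own issuer (the root) is also available, either in `-CAfile` or in the default system trust store; with only the intermediate in `-CAfile` it fails with "unable to get issuer certificate" for the intermediate. Either put the root in `-CAfile` and pass the intermediate with `-untrusted mysites_intermediate.crt`, or add `-partial_chain` (OpenSSL 1.0.2 and later) if the intent really is to trust the intermediate directly. Two smaller points: `openssl req -in mysite.csr -text` prints the decoded request and then the PEM block again, so add `-noout` (and `-verify` to check the request's self-signature); and the `openssl s_client -connect` line is cut off in this diff, so its fingerprint step cannot be reviewed here, but for SNI hosts it needs `-servername <host>`, and the fingerprint should come from `openssl x509 -noout -fingerprint -sha256` rather than the default SHA-1.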