linux_wiki:openssl

linux_wiki:openssl [2015/04/28 18:45]
billdozor [CSR Based On Existing Certificate]
linux_wiki:openssl [2019/05/25 23:50]
====== OpenSSL ======

**General Information**

OpenSSL is a command-line tool for many certificate-related tasks, such as creating a Certificate Signing Request (CSR), verifying that a certificate and private key belong together, and converting between encodings.

**Checklist**
  * Distros: All

----

===== Certificate Encoding =====

  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format: Base64-encoded DER between BEGIN/END header lines, for example:
<code bash>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</code>
  * PKCS #7 B (P7B) - Represents a set of certificates (i.e. a certificate chain); carries no private key.
  * PKCS #12/PFX/P12 - Lets you put a private key and certificate(s) into a single, usually password-protected file.
  * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.

----

===== Common Extensions =====
  * .crt - Used for certificates, commonly on *nix systems.
  * .cer - Used for certificates, commonly on Windows.
  * .key - Public or private PKCS keys, encoded as binary DER or ASCII PEM.

The extension alone does not tell you the encoding: a file that starts with ''-----BEGIN'' is PEM, otherwise try reading it with ''-inform der''.

----

===== Generate Certificate Signing Requests =====

====New Private Key and CSR====
<code bash>
# -nodes leaves the new private key unencrypted on disk; restrict its file permissions
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
</code>

====New CSR for an Existing Private Key====
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>

====CSR Based On Existing Certificate====
<code bash>
# Reuses the subject and public key of MYSITE.crt; check the resulting CSR for
# extensions such as SANs, which older OpenSSL versions do not copy over
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
</code>

----

===== Certificate Conversions =====

====Convert binary DER to PEM====
<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>

====Convert PEM to DER====
<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>

====Convert PKCS#12 (.pfx, .p12) that has a private key and certs to PEM====
<code bash>
# -nodes writes the private key unencrypted into MYSITE.pem
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>

====Create crt/key from a PFX file====
<code bash>
# Extract the key; you are asked for a PEM pass phrase to protect the output ...
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
# ... then strip that pass phrase to get a plain key file
openssl rsa -in mysite.key.pem -out mysite.key
# Extract only the client (end-entity) certificate: no CA certs, no key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
</code>

====Create client crt and intermediate chain cert from .p7b (PKCS7)====

Convert the P7B to PEM, then expand it into a bundle of individual certificates:
<code bash>
openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
</code>

View the "mysite.p7b.bundle" file:
  * The top BEGIN/END block is the client cert
    * Copy that single BEGIN/END block into a new file for the client cert
  * The rest is the certificate chain
    * Copy all the rest into a new file for the intermediate chain cert

----

=====Cert+Key Matching=====

OpenSSL can be used to verify that a certificate and private key match.

Print both and compare the Modulus values (the Exponent must match as well):
<code bash>
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
</code>

Shorter comparison for RSA keys: print only the modulus of each and run it through an md5 hash; the two digests must be identical. (Hashing the full ''-text'' output does not work, because the certificate and the key print different fields.)
<code bash>
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
</code>
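The same check as an added example that is not part of the wiki page: a POSIX shell script that compares the public key carried by the certificate with the one derived from the private key, which (unlike ''-modulus'') also works for EC keys. It assumes only the openssl CLI; the test material (an RSA key with a self-signed certificate and an unrelated EC key) is constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the wiki page. A certificate and a private key belong
# together when they carry the same public key, so compare exactly that. Unlike
# -modulus this also covers EC keys. Assumes only the openssl CLI and a POSIX sh;
# every file name below is constructed for the demo.
set -eu

# pubkey_fp FILE KIND -> SHA-256 hex of the public key; KIND is "cert" or "key"
pubkey_fp() {
    case "$2" in
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey) ;;
        key)  pem=$(openssl pkey -in "$1" -pubout) ;;
        *)    echo "pubkey_fp: KIND must be cert or key" >&2; return 2 ;;
    esac
    # Re-encode as DER so PEM line wrapping cannot influence the digest
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_key_match CERT KEY -> exit status 0 when they pair, 1 otherwise
cert_key_match() {
    [ "$(pubkey_fp "$1" cert)" = "$(pubkey_fp "$2" key)" ]
}

# make_fixture DIR: constructed test material, an RSA key with its self-signed
# certificate plus an unrelated EC key that must NOT match that certificate
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/b.key"
}

# run_demo -> exit 0 only if the real pair passes and the unrelated key is rejected
run_demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    ok=0
    if cert_key_match "$dir/a.crt" "$dir/a.key"; then echo "a.crt / a.key: match"; else echo "a.crt / a.key: MISMATCH"; ok=1; fi
    if cert_key_match "$dir/a.crt" "$dir/b.key"; then echo "a.crt / b.key: match (unexpected)"; ok=1; else echo "a.crt / b.key: mismatch, as expected"; fi
    rm -rf "$dir"
    return $ok
}

run_demo
```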

----

=====Displaying Certificate Contents=====

Display Certificate Contents
<code bash>
# add -noout to print only the decoded text, without the PEM block after it
openssl x509 -in mysite.crt -text
</code>

Display CSR Contents
<code bash>
openssl req -in mysite.csr -text
</code>

----

=====Verification=====

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
# The chain must end at a trusted root. OpenSSL also consults the default CA directory,
# so the root either has to be installed there or appended to mysites_intermediate.crt
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>