linux_wiki:openssl

linux_wiki:openssl [2015/04/28 19:39]
billdozor [Verification]
linux_wiki:openssl [2018/02/22 22:56]
billdozor [Generate Self-Signed from Existing Private Key and CSR]
Line 6: Line 6:
  
 **Checklist** **Checklist**
-  * DistrosAll+  * Distro(s)Any
  
 ---- ----
  
-===== Certificate Encoding =====+====== Certificate Encoding ======
  
   * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.   * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.
Line 26: Line 26:
 ---- ----
  
-===== Common Extensions =====+====== Common Extensions ======
   * .crt - Used for certificates, commonly on *nix systems.   * .crt - Used for certificates, commonly on *nix systems.
   * .cer - Used for certificates, commonly on Windows.   * .cer - Used for certificates, commonly on Windows.
Line 33: Line 33:
 ---- ----
  
-===== Generate Certificate Signing Requests =====+====== Generate Certificate Signing Requests ======
  
-====New Private Key and CSR====+Generating certificate signing requests to send to a certificate authority. 
 + 
 +\\ 
 +===== New Private Key and CSR =====
 <code bash> <code bash>
 openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
 </code> </code>
  
-====New CSR for an Existing Private Key====+\\ 
 +===== New CSR for an Existing Private Key =====
 <code bash> <code bash>
 openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
 </code>  </code> 
  
-====CSR Based On Existing Certificate====+\\ 
 +===== CSR Based On Existing Certificate =====
 <code bash> <code bash>
 openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
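Review bot: `openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key` writes the private key to disk unencrypted (`-nodes`), and the section says nothing about protecting MYSITE.key; add a sentence telling the reader to generate it under a restrictive umask or `chmod 600` it afterwards, and to drop `-nodes` when the key does not have to be loaded without a passphrase. Also `-sha256` appears only on the existing-key form (`openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr`); OpenSSL releases before 1.1.0 default to SHA-1 for the request signature unless openssl.cnf overrides it, so add `-sha256` to the other two commands for consistency. Finally, `openssl x509 -x509toreq ... -signkey MYSITE.key` produces a CSR that reuses the old key; worth saying that a renewal is a good moment to generate a fresh key instead.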
Line 52: Line 57:
 ---- ----
  
-===== Certificate Conversions =====+====== Self-Signed Certificates ======
  
-====Convert binary DER to PEM====+Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority. 
 + 
 +\\ 
 +===== Generate Self-Signed ===== 
 + 
 +Generate a self-signed cert and private key from scratch 
 +<code bash>openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt</code> 
 + 
 +\\ 
 +===== Generate Self-Signed from Existing Private Key ===== 
 + 
 +Generate a self-signed cert from an existing private key 
 +<code bash>openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt</code> 
 + 
 +\\ 
 +===== Generate Self-Signed from Existing Private Key and CSR ===== 
 + 
 +Generate a self-signed cert from an existing private key and existing CSR 
 +<code bash>openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt</code> 
 + 
 +---- 
 + 
 +====== Certificate Conversions ====== 
 + 
 +Converting certificates from one type to another. 
 + 
 +\\ 
 +===== Convert binary DER to PEM =====
 <code bash> <code bash>
 openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
 </code> </code>
  
-====Convert PEM to DER====+\\ 
 +===== Convert PEM to DER =====
 <code bash> <code bash>
 openssl x509 -outform der -in MYSITE.pem -out MYSITE.der openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
 </code> </code>
  
-====Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM====+\\ 
 +===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM =====
 <code bash> <code bash>
 openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
 </code> </code>
  
-====Create crt/key from a PFX file====+\\ 
 +===== Create crt/key from a PFX file =====
 <code bash> <code bash>
 openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
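Review bot: "They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority" understates the problem. A self-signed certificate protects against passive eavesdropping only; a client that has not pinned or explicitly trusted that exact certificate cannot tell it apart from one an attacker in the path swaps in, and the user sees the same warning in both cases. Say that the certificate should be imported into the client's trust store (or pinned by the application) and that the warning must not simply be clicked through. Also, all three self-signed commands (`openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt` and the two variants below it) produce a certificate with no subjectAltName; current browsers ignore the CN and treat such a certificate as invalid even when trusted, so suggest `-addext "subjectAltName=DNS:<domain>"` (OpenSSL 1.1.1 and later) for the `req` forms and an `-extfile` for the `openssl x509 -req` form. Lastly, `openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes` writes the private key unencrypted into MYSITE.pem; the passphrase protection the PFX had is lost at that point, which deserves a caution.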
Line 76: Line 111:
 </code> </code>
  
-====Create client crt and intermediate chain cert from .p7b(PKCS7)====+\\ 
 +===== Create client crt and intermediate chain cert from .p7b(PKCS7) =====
  
 Convert p7b to PEM combined, then convert to bundle of certs Convert p7b to PEM combined, then convert to bundle of certs
Line 92: Line 128:
 ---- ----
  
-=====Cert+Key Matching=====+====== Cert+Key Matching ======
  
 Openssl can be used to very that a certificate and key match. Openssl can be used to very that a certificate and key match.
  
 +\\
 Compare to ensure they match Compare to ensure they match
 <code bash> <code bash>
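Review bot: the unchanged line "Openssl can be used to very that a certificate and key match." has a typo: "very" should be "verify" (and "Openssl" is normally written "OpenSSL"); since this hunk already touches the section heading, fix it in the same edit.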
Line 102: Line 139:
 </code> </code>
  
 +\\
 Similar method, but running output through md5 hash for a shorter comparison Similar method, but running output through md5 hash for a shorter comparison
 <code bash> <code bash>
Line 110: Line 148:
 ---- ----
  
-=====Displaying Certificate Contents=====+====== Displaying Certificate Contents ======
  
 Display Certificate Contents Display Certificate Contents
Line 117: Line 155:
 </code> </code>
  
 +\\
 Display CSR Contents Display CSR Contents
 <code bash> <code bash>
Line 124: Line 163:
 ---- ----
  
-=====Verification=====+====== Verification ======
  
 To verify that an intermediate cert and client certificate pass a chain of authority test: To verify that an intermediate cert and client certificate pass a chain of authority test:
Line 131: Line 170:
 </code> </code>
  
 +\\
 Remotely check a site's certificate and fingerprint it Remotely check a site's certificate and fingerprint it
 <code bash> <code bash>
 openssl s_client -connect <domain>:443 -showcerts | openssl x509 -text -fingerprint openssl s_client -connect <domain>:443 -showcerts | openssl x509 -text -fingerprint
 </code> </code>
 +
 +----
 +
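Review bot: `openssl s_client -connect <domain>:443 -showcerts | openssl x509 -text -fingerprint` has three practical problems. `openssl x509` reads only the first PEM block on stdin, so the intermediates that `-showcerts` prints are discarded and the flag adds nothing here; to inspect the chain, drop the pipe or run x509 over each block separately. `s_client` keeps reading stdin after the handshake, so the pipeline hangs until the user presses Ctrl-D; redirect `</dev/null` or pipe `echo |` into it. And before OpenSSL 1.1.1 `s_client` does not send SNI unless `-servername <domain>` is given, so a host serving several names may return the wrong certificate. Also `-fingerprint` prints a SHA-1 fingerprint by default; add `-sha256` so the value matches what browsers display.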
  • linux_wiki/openssl.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)