Differences
This shows you the differences between two versions of the page.
linux_wiki:openssl [2015/04/28 19:39] billdozor [Verification] |
linux_wiki:openssl [2018/08/09 13:33] billdozor |
Line 6: | Line 6: | ||
**Checklist** | **Checklist** | ||
- | * Distros: All | + | * Distro(s): Any |
---- | ---- | ||
- | ===== Certificate Encoding ===== | + | ====== Certificate Encoding |
* Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format. | * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format. | ||
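Review bot: the unchanged PEM bullet `* Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.` should say what the ASCII actually is: PEM is the DER structure Base64-encoded between `-----BEGIN ...-----` and `-----END ...-----` lines. Stating that here makes the DER/PEM conversions further down read as a re-encoding of the same certificate rather than a change to it.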
Line 26: | Line 26: | ||
---- | ---- | ||
- | ===== Common Extensions ===== | + | ====== Common Extensions |
* .crt - Used for certificates, | * .crt - Used for certificates, | ||
* .cer - Used for certificates, | * .cer - Used for certificates, | ||
Line 33: | Line 33: | ||
---- | ---- | ||
- | ===== Generate Certificate Signing Requests ===== | + | ====== Generate Certificate Signing Requests |
- | ====New Private Key and CSR==== | + | Generating certificate signing requests to send to a certificate authority. |
+ | |||
+ | \\ | ||
+ | ===== New Private Key and CSR ===== | ||
<code bash> | <code bash> | ||
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key | openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key | ||
</ | </ | ||
- | ====New CSR for an Existing Private Key==== | + | \\ |
+ | ===== New CSR for an Existing Private Key ===== | ||
<code bash> | <code bash> | ||
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr | openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr | ||
</ | </ | ||
- | ====CSR Based On Existing Certificate==== | + | \\ |
+ | ===== CSR Based On Existing Certificate | ||
<code bash> | <code bash> | ||
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr | openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr | ||
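Review bot: the two `openssl req` commands in this hunk use different signature digests. `openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr` pins SHA-256, but `openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key` falls back to `default_md` from openssl.cnf, which on older OpenSSL builds is still SHA-1; add `-sha256` to the first command as well. The new intro sentence is also the place to say that `-nodes` writes MYSITE.key unencrypted, so the command should be run under `umask 077` (or followed by `chmod 600 MYSITE.key`) so the key is not created world-readable.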
Line 52: | Line 57: | ||
---- | ---- | ||
- | ===== Certificate Conversions | + | ====== Self-Signed Certificates ====== |
- | ====Convert binary DER to PEM==== | + | Self-signed certificates are for development/ |
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed ===== | ||
+ | |||
+ | Generate a self-signed cert and private key from scratch | ||
+ | <code bash> | ||
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed from Existing Private Key ===== | ||
+ | |||
+ | Generate a self-signed cert from an existing private key | ||
+ | <code bash> | ||
+ | |||
+ | \\ | ||
+ | ===== Generate Self-Signed from Existing Private Key and CSR ===== | ||
+ | |||
+ | Generate a self-signed cert from an existing private key and existing CSR | ||
+ | <code bash> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Certificate Conversions ====== | ||
+ | |||
+ | Converting certificates from one type to another. | ||
+ | |||
+ | \\ | ||
+ | ===== Extract Cert, Key, CA from PFX ===== | ||
+ | * Extract Key<code bash> | ||
+ | * Extract Certificate< | ||
+ | * Extract Certificate Authority< | ||
+ | |||
+ | \\ | ||
+ | ===== Convert binary DER to PEM ===== | ||
<code bash> | <code bash> | ||
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem | openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem | ||
</ | </ | ||
- | ====Convert PEM to DER==== | + | \\ |
+ | ===== Convert PEM to DER ===== | ||
<code bash> | <code bash> | ||
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der | openssl x509 -outform der -in MYSITE.pem -out MYSITE.der | ||
</ | </ | ||
- | ====Convert PKCS# | + | \\ |
+ | ===== Convert PKCS# | ||
<code bash> | <code bash> | ||
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes | openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes | ||
</ | </ | ||
- | ====Create crt/key from a PFX file==== | + | \\ |
+ | ===== Create crt/key from a PFX file ===== | ||
<code bash> | <code bash> | ||
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem | openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem | ||
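Review bot: the PKCS#12 steps write the private key to disk in plaintext without saying so, and inconsistently: `openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes` puts key and certificates into one unencrypted file, while `openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem` omits `-nodes` and will therefore prompt for a new PEM pass phrase to encrypt the key. Either behaviour is acceptable, but the text should state which one the reader gets, and both output files should be created under a restrictive umask. The extracted key also carries `Bag Attributes` headers that some consumers reject; passing it through `openssl rsa -in mysite.key.pem -out mysite.key` (or `openssl pkey` for non-RSA keys) produces a clean PEM key. Separately, the three new Self-Signed subsections open `<code bash>` blocks with no command visible in this revision, so that section currently documents nothing runnable.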
Line 76: | Line 117: | ||
</ | </ | ||
- | ====Create client crt and intermediate chain cert from .p7b(PKCS7)==== | + | \\ |
+ | ===== Create client crt and intermediate chain cert from .p7b(PKCS7) | ||
Convert p7b to PEM combined, then convert to bundle of certs | Convert p7b to PEM combined, then convert to bundle of certs | ||
Line 92: | Line 134: | ||
---- | ---- | ||
- | =====Cert+Key Matching===== | + | ====== Cert+Key Matching |
Openssl can be used to very that a certificate and key match. | Openssl can be used to very that a certificate and key match. | ||
+ | \\ | ||
Compare to ensure they match | Compare to ensure they match | ||
<code bash> | <code bash> | ||
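Review bot: typo in the unchanged line `Openssl can be used to very that a certificate and key match.`: `very` should be `verify` (and `OpenSSL` is the project's capitalisation).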
Line 102: | Line 145: | ||
</ | </ | ||
+ | \\ | ||
Similar method, but running output through md5 hash for a shorter comparison | Similar method, but running output through md5 hash for a shorter comparison | ||
<code bash> | <code bash> | ||
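Review bot: the sentence `Similar method, but running output through md5 hash for a shorter comparison` should say what value is being hashed, because if this is the usual `-modulus` comparison it only works for RSA keys. A check that works for RSA and EC alike is to compare the public keys, `openssl x509 -in MYSITE.crt -noout -pubkey` against `openssl pkey -in MYSITE.key -pubout`, piped through `openssl md5` or `openssl sha256` in the same way if a short value is wanted; MD5 is fine here since it is only an eyeball shorthand, not a security boundary.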
Line 110: | Line 154: | ||
---- | ---- | ||
- | =====Displaying Certificate Contents===== | + | ====== Displaying Certificate Contents |
Display Certificate Contents | Display Certificate Contents | ||
Line 117: | Line 161: | ||
</ | </ | ||
+ | \\ | ||
Display CSR Contents | Display CSR Contents | ||
<code bash> | <code bash> | ||
Line 124: | Line 169: | ||
---- | ---- | ||
- | =====Verification===== | + | ====== Verification |
To verify that an intermediate cert and client certificate pass a chain of authority test: | To verify that an intermediate cert and client certificate pass a chain of authority test: | ||
Line 131: | Line 176: | ||
</ | </ | ||
+ | \\ | ||
Remotely check a site's certificate and fingerprint it | Remotely check a site's certificate and fingerprint it | ||
<code bash> | <code bash> | ||
openssl s_client -connect < | openssl s_client -connect < | ||
</ | </ | ||
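Review bot: the remote check `openssl s_client -connect <` (cut off in this diff) should also pass `-servername <host>` so that SNI is sent; without it a server hosting several names returns its default certificate and the fingerprint being checked belongs to the wrong site. The command should be given `</dev/null` on stdin so it does not hang waiting for input, and the fingerprint step should use `openssl x509 -noout -fingerprint -sha256` rather than the default digest, which is MD5 or SHA-1 on older OpenSSL builds. Note also that the `Verify return code` printed by `s_client` is only meaningful when `-CAfile` or `-CApath` point at the intended trust store.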
+ | |||
+ | ---- | ||
+ |