Differences
This shows you the differences between two versions of the page.
linux_wiki:openssl [2018/02/22 22:52] billdozor [Generate Self-Signed]
linux_wiki:openssl [2019/05/25 23:50]
====== OpenSSL ======

**General Information**

OpenSSL is a tool to perform many certificate-related tasks, such as creating a CSR, verifying that a certificate and key match, and converting between encodings.

**Checklist**
  * Distro(s): Any

----
====== Certificate Encoding ======

  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format: the DER bytes Base64-encoded between BEGIN/END header and footer lines.
<code bash>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Or
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</code>
  * PKCS #7 B (P7B) - Represents a set of certificates (i.e. a certificate chain). Holds no private key.
  * PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single (usually passphrase-protected) file.
  * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.

----
====== Common Extensions ======
  * .crt - Used for certificates,
  * .cer - Used for certificates,
  * .key - Public/

----
====== Generate Certificate Signing Requests ======

Generating certificate signing requests (CSRs) to send to a certificate authority.

\\
===== New Private Key and CSR =====
<code bash>
# -newkey rsa:2048 creates the key together with the CSR; -nodes leaves the key unencrypted
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
</code>

\\
===== New CSR for an Existing Private Key =====
<code bash>
# -sha256 selects the digest used for the CSR signature (avoid SHA-1)
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>

\\
===== CSR Based On Existing Certificate =====
<code bash>
# Re-use the subject of an existing cert (e.g. for renewal); -signkey signs the CSR with its key
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
</code>

----
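The CSR steps above, as an added example that is not part of the wiki page: it creates a key and CSR non-interactively, requests a subjectAltName (which browsers require; the CN alone is not used for hostname matching), and self-checks the CSR before it goes to the CA. It assumes OpenSSL 1.1.1 or newer (for ''-addext''); the CN, SAN list and key size are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): create a key and CSR non-interactively,
# with a subjectAltName, then self-check the CSR before sending it to a CA.
# Assumptions: OpenSSL 1.1.1+ (for -addext); CN, SAN list and key size are placeholders.
set -eu

# Generate a new private key and CSR in one step (like the page's first command),
# with -subj to avoid prompts and -addext to request SANs.
make_csr() {
    key=$1; csr=$2; cn=$3; sans=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" \
        -keyout "$key" -out "$csr" 2>/dev/null
}

# Verify the CSR's self-signature (the file is intact and was signed by the holder
# of the key); exit status 0 means OK.
csr_selfcheck() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Print the CSR's subject line
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# Return 0 if the CSR requests the given DNS name in its SAN extension
csr_has_dns_san() {
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# Return 0 if the CSR was produced with the given private key (public keys are equal)
csr_matches_key() {
    a=$(openssl req -noout -pubkey -in "$1")
    b=$(openssl pkey -pubout -in "$2")
    [ "$a" = "$b" ]
}

# Demo run in a scratch directory
demo_csr() {
    dir=$(mktemp -d)
    make_csr "$dir/MYSITE.key" "$dir/MYSITE.csr" example.test "DNS:example.test,DNS:www.example.test"
    csr_selfcheck "$dir/MYSITE.csr" && echo "CSR signature OK"
    csr_subject "$dir/MYSITE.csr"
    csr_has_dns_san "$dir/MYSITE.csr" www.example.test && echo "SAN present"
    csr_matches_key "$dir/MYSITE.csr" "$dir/MYSITE.key" && echo "CSR matches key"
    rm -rf "$dir"
}
demo_csr
```

The ''csr_matches_key'' check is worth running before submitting a CSR made from an existing key: a CSR signed by the wrong key yields a certificate that the server can never use.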
====== Self-Signed Certificates ======

Self-signed certificates are for development/

\\
===== Generate Self-Signed =====

Generate a self-signed cert and private key from scratch
<code bash>
</code>

\\
===== Generate Self-Signed from Existing Private Key =====

Generate a self-signed cert from an existing private key
<code bash></code>

\\
===== Generate Self-Signed from Existing Private Key and CSR =====

Generate a self-signed cert from an existing private key and existing CSR
<code bash></code>

----
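The three self-signed variants described above, as an added example (not the wiki page's own commands): one function per variant plus a helper that confirms the result is self-signed (issuer equals subject). It assumes OpenSSL 1.1 or newer; the CN and the 365-day validity are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): the three ways to produce a self-signed
# certificate, plus an inspection helper. Assumptions: OpenSSL 1.1+; CN and
# validity period are placeholders.
set -eu

# 1. New private key and self-signed certificate in one step.
#    -x509 makes req emit a certificate instead of a CSR; -nodes leaves the key unencrypted.
selfsigned_from_scratch() {
    key=$1; crt=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null
}

# 2. Self-signed certificate for an existing private key.
selfsigned_from_key() {
    key=$1; crt=$2; cn=$3
    openssl req -x509 -new -key "$key" -sha256 -days 365 -subj "/CN=$cn" -out "$crt" 2>/dev/null
}

# 3. Self-signed certificate from an existing private key and CSR:
#    the CSR supplies the subject, the key signs the certificate (-signkey).
selfsigned_from_key_and_csr() {
    key=$1; csr=$2; crt=$3
    openssl x509 -req -in "$csr" -signkey "$key" -sha256 -days 365 -out "$crt" 2>/dev/null
}

# Print the certificate subject
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Return 0 when the certificate is self-signed (issuer equals subject)
is_self_signed() {
    [ "$(openssl x509 -noout -subject -in "$1")" = \
      "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=/subject=/')" ]
}

demo_selfsigned() {
    dir=$(mktemp -d)
    selfsigned_from_scratch "$dir/a.key" "$dir/a.crt" dev.example.test
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/b.key" 2>/dev/null
    selfsigned_from_key "$dir/b.key" "$dir/b.crt" dev.example.test
    openssl req -new -key "$dir/b.key" -subj "/CN=dev.example.test" -out "$dir/b.csr" 2>/dev/null
    selfsigned_from_key_and_csr "$dir/b.key" "$dir/b.csr" "$dir/c.crt"
    for c in a b c; do
        is_self_signed "$dir/$c.crt" && echo "$c.crt is self-signed: $(cert_subject "$dir/$c.crt")"
    done
    rm -rf "$dir"
}
demo_selfsigned
```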
====== Certificate Conversions ======

Converting certificates from one encoding or container to another.

\\
===== Convert binary DER to PEM =====
<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>

\\
===== Convert PEM to DER =====
<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>

\\
===== Convert PKCS#
<code bash>
# -nodes writes the private key unencrypted; the output PEM holds the key and the certs together
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>

\\
===== Create crt/key from a PFX file =====
<code bash>
# Extract the (passphrase-protected) private key, then strip the passphrase
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
openssl rsa -in mysite.key.pem -out mysite.key
# Extract only the client (end-entity) certificate, without the key
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
</code>

\\
===== Create client crt and intermediate chain cert from .p7b (PKCS7) =====

Convert the p7b to a combined PEM, then convert that into a bundle of certs
<code bash>
openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
</code>

View the "
  * The top BEGIN/END block is the client cert
  * Copy that single BEGIN/END block into a new file for the client cert
  * The rest is the certificate chain
  * Copy all the rest into a new file for the intermediate chain cert

----
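The copy-and-paste steps above can be automated. The following is an added example, not part of the wiki page: an awk splitter that writes the first PEM block of a ''-print_certs'' bundle to a client-cert file and the remaining blocks to a chain file, dropping the ''subject=''/''issuer='' lines that ''-print_certs'' prints between blocks. It needs no openssl at all; the sample bundle is constructed for this example and its Base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the wiki page): split "openssl pkcs7 -print_certs" output
# into a leaf certificate file and an intermediate-chain file, keeping only the
# BEGIN/END blocks. Pure awk, no openssl needed.
set -eu

# split_bundle BUNDLE LEAF CHAIN: first PEM block -> LEAF, remaining blocks -> CHAIN
split_bundle() {
    bundle=$1; leaf=$2; chain=$3
    : > "$leaf"; : > "$chain"          # create both files even if the chain is empty
    awk -v leaf="$leaf" -v chain="$chain" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock { if (n == 1) print > leaf; else print > chain }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
    ' "$bundle"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 when none)
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed sample in the shape of -print_certs output with three certificates
# (leaf, intermediate, root). The Base64 bodies are placeholders, not real certs.
make_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN = www.example.test
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERBASE64LINE1
LEAFPLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----

subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDERBASE64
-----END CERTIFICATE-----

subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDERBASE64
-----END CERTIFICATE-----
EOF
}

demo_split() {
    dir=$(mktemp -d)
    make_sample_bundle "$dir/mysite.p7b.bundle"
    split_bundle "$dir/mysite.p7b.bundle" "$dir/mysite.crt" "$dir/mysite-chain.crt"
    echo "leaf blocks:  $(count_certs "$dir/mysite.crt")"
    echo "chain blocks: $(count_certs "$dir/mysite-chain.crt")"
    rm -rf "$dir"
}
demo_split
```

The splitter relies on ''-print_certs'' emitting the end-entity certificate first, which matches the page's description of the bundle; if a CA delivers the chain in a different order, check the ''subject='' lines before trusting the split.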
====== Cert+Key Matching ======

OpenSSL can be used to verify that a certificate and key match. Both carry the same public key, so the RSA modulus printed from each must be identical.

\\
Compare to ensure they match
<code bash>
# The two Modulus= lines must be identical (the -text dumps of a cert and a key never match)
openssl x509 -noout -modulus -in mysite.crt
openssl rsa -noout -modulus -in mysite.key
</code>

\\
Similar method, but running the output through an md5 hash for a shorter comparison
<code bash>
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
</code>

----
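As an added example (not from the wiki page), the check above wrapped in functions, generalised slightly: comparing the public key extracted from each file works for EC keys as well as RSA, while the modulus fingerprint mirrors the page's hash comparison (with sha256 in place of md5). It assumes OpenSSL 1.1 or newer and generates its own throwaway key and certificate in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that a certificate and a private key
# belong together by comparing the public key each carries. Assumptions: OpenSSL 1.1+;
# test material is generated on the fly in a scratch directory.
set -eu

# Return 0 if CRT's public key equals the public key derived from KEY.
# Works for any key type, since SubjectPublicKeyInfo PEM is compared.
cert_key_match() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$crt_pub" = "$key_pub" ]
}

# Short fingerprint of the RSA modulus, for eyeballing (RSA only)
cert_modulus_fp() { openssl x509 -noout -modulus -in "$1" | openssl sha256 | awk '{print $NF}'; }
key_modulus_fp()  { openssl rsa  -noout -modulus -in "$1" | openssl sha256 | awk '{print $NF}'; }

demo_match() {
    dir=$(mktemp -d)
    # Matching pair: key and self-signed cert made together
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=match.example.test \
        -keyout "$dir/site.key" -out "$dir/site.crt" 2>/dev/null
    # Unrelated key, to show the negative case
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null

    if cert_key_match "$dir/site.crt" "$dir/site.key"; then echo "site.key matches site.crt"; fi
    if ! cert_key_match "$dir/site.crt" "$dir/other.key"; then echo "other.key does NOT match site.crt"; fi
    echo "cert modulus fp:  $(cert_modulus_fp "$dir/site.crt")"
    echo "key  modulus fp:  $(key_modulus_fp "$dir/site.key")"
    echo "other key fp:     $(key_modulus_fp "$dir/other.key")"
    rm -rf "$dir"
}
demo_match
```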
====== Displaying Certificate Contents ======

Display Certificate Contents
<code bash>
# Add -noout to suppress re-printing the PEM block after the decoded text
openssl x509 -in mysite.crt -text
</code>

\\
Display CSR Contents
<code bash>
openssl req -in mysite.csr -text
</code>

----
====== Verification ======

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
# Succeeds only if the CA file lets openssl build a complete chain (intermediate plus root, or use -partial_chain)
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>

\\
Remotely check a site's certificate and fingerprint it
<code bash>
openssl s_client -connect <
</code>

----