Differences
This shows you the differences between two versions of the page.
|
linux_wiki:openssl [2018/02/22 22:56] billdozor [Generate Self-Signed from Existing Private Key and CSR] |
linux_wiki:openssl [2019/05/25 23:50] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenSSL ====== | ||
| - | |||
| - | **General Information** | ||
| - | |||
| - | Openssl is a tool to perform many certificate related tasks such as creating a CSR, verifying certs+keys, and converting formats. | ||
| - | |||
| - | **Checklist** | ||
| - | * Distro(s): Any | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Certificate Encoding ====== | ||
| - | |||
| - | * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format. | ||
| - | <code bash> | ||
| - | -----BEGIN CERTIFICATE----- | ||
| - | -----END CERTIFICATE----- | ||
| - | Or | ||
| - | -----BEGIN PRIVATE KEY----- | ||
| - | -----END PRIVATE KEY----- | ||
| - | </ | ||
| - | * PKCS #7 B (P7B) - Represents a set of certificates. (IE a certificate chain) | ||
| - | * PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single file. | ||
| - | * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates. | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Common Extensions ====== | ||
| - | * .crt - Used for certificates, | ||
| - | * .cer - Used for certificates, | ||
| - | * .key - Public/ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Generate Certificate Signing Requests ====== | ||
| - | |||
| - | Generating certificate signing requests to send to a certificate authority. | ||
| - | |||
| - | \\ | ||
| - | ===== New Private Key and CSR ===== | ||
| - | <code bash> | ||
| - | openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== New CSR for an Existing Private Key ===== | ||
| - | <code bash> | ||
| - | openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== CSR Based On Existing Certificate ===== | ||
| - | <code bash> | ||
| - | openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Self-Signed Certificates ====== | ||
| - | |||
| - | Self-signed certificates are for development/ | ||
| - | |||
| - | \\ | ||
| - | ===== Generate Self-Signed ===== | ||
| - | |||
| - | Generate a self-signed cert and private key from scratch | ||
| - | <code bash> | ||
| - | |||
| - | \\ | ||
| - | ===== Generate Self-Signed from Existing Private Key ===== | ||
| - | |||
| - | Generate a self-signed cert from an existing private key | ||
| - | <code bash> | ||
| - | |||
| - | \\ | ||
| - | ===== Generate Self-Signed from Existing Private Key and CSR ===== | ||
| - | |||
| - | Generate a self-signed cert from an existing private key and existing CSR | ||
| - | <code bash> | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Certificate Conversions ====== | ||
| - | |||
| - | Converting certificates from one type to another. | ||
| - | |||
| - | \\ | ||
| - | ===== Convert binary DER to PEM ===== | ||
| - | <code bash> | ||
| - | openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== Convert PEM to DER ===== | ||
| - | <code bash> | ||
| - | openssl x509 -outform der -in MYSITE.pem -out MYSITE.der | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== Convert PKCS# | ||
| - | <code bash> | ||
| - | openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== Create crt/key from a PFX file ===== | ||
| - | <code bash> | ||
| - | openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem | ||
| - | openssl rsa -in mysite.key.pem -out mysite.key | ||
| - | openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | ===== Create client crt and intermediate chain cert from .p7b(PKCS7) ===== | ||
| - | |||
| - | Convert p7b to PEM combined, then convert to bundle of certs | ||
| - | <code bash> | ||
| - | openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem | ||
| - | openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle | ||
| - | </ | ||
| - | |||
| - | View the " | ||
| - | * The top BEGIN/END block is the client cert | ||
| - | * Copy that single BEGIN/END into a new file for the client cert | ||
| - | * The rest is the certificate chain | ||
| - | * Copy all the rest into a new file for the intermediate chain cert | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Cert+Key Matching ====== | ||
| - | |||
| - | Openssl can be used to very that a certificate and key match. | ||
| - | |||
| - | \\ | ||
| - | Compare to ensure they match | ||
| - | <code bash> | ||
| - | openssl x509 -noout -text -in mysite.crt | ||
| - | openssl rsa -noout -text -in mysite.key | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | Similar method, but running output through md5 hash for a shorter comparison | ||
| - | <code bash> | ||
| - | openssl x509 -noout -text -in mysite.crt | openssl md5 | ||
| - | openssl rsa -noout -text -in mysite.key | openssl md5 | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Displaying Certificate Contents ====== | ||
| - | |||
| - | Display Certificate Contents | ||
| - | <code bash> | ||
| - | openssl x509 -in mysite.crt -text | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | Display CSR Contents | ||
| - | <code bash> | ||
| - | openssl req -in mysite.csr -text | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ====== Verification ====== | ||
| - | |||
| - | To verify that an intermediate cert and client certificate pass a chain of authority test: | ||
| - | <code bash> | ||
| - | openssl verify -CAfile mysites_intermediate.crt mysite.crt | ||
| - | </ | ||
| - | |||
| - | \\ | ||
| - | Remotely check a site's certificate and fingerprint it | ||
| - | <code bash> | ||
| - | openssl s_client -connect < | ||
| - | </ | ||
| - | |||
| - | ---- | ||