====== OpenSSL ======

**General Information**

OpenSSL is a command-line tool for many certificate-related tasks, such as creating a CSR, verifying that a certificate and key belong together, and converting between encodings.

**Checklist**

  * Distro(s): Any

----

====== Certificate Encoding ======

  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. Base64-encoded ASCII text between BEGIN/END markers:
<code bash>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Or

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</code>
  * PKCS #7 B (P7B) - Represents a set of certificates (i.e. a certificate chain).
  * PKCS #12/PFX/P12 - Lets you put a private key and certificate into a single file.
  * Distinguished Encoding Rules (DER) - Binary format most commonly used to represent certificates.

----

====== Common Extensions ======

  * .crt - Used for certificates, commonly on *nix systems.
  * .cer - Used for certificates, commonly on Windows.
  * .key - PKCS public/private keys, encoded as binary DER or ASCII PEM.

----

====== Generate Certificate Signing Requests ======

Generating certificate signing requests to send to a certificate authority.

===== New Private Key and CSR =====

<code bash>
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
</code>

===== New CSR for an Existing Private Key =====

<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>

===== CSR Based On Existing Certificate =====

<code bash>
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
</code>

----

====== Self-Signed Certificates ======

Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning because the certificate is not signed by a certificate authority their client trusts.

===== Generate Self-Signed =====

Generate a self-signed cert and private key from scratch:
<code bash>
openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt
</code>

===== Generate Self-Signed from Existing Private Key =====

Generate a self-signed cert from an existing private key:
<code bash>
openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt
</code>

===== Generate Self-Signed from Existing Private Key and CSR =====

Generate a self-signed cert from an existing private key and existing CSR:
<code bash>
openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt
</code>

----

====== Certificate Conversions ======

Converting certificates from one type to another.

===== Extract Cert, Key, CA from PFX =====

  * Extract Key
<code bash>
openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key
</code>
  * Extract Certificate
<code bash>
openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt
</code>
  * Extract Certificate Authority
<code bash>
openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt
</code>

===== Convert binary DER to PEM =====

<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>

===== Convert PEM to DER =====

<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>

===== Convert PKCS#12 (.pfx, .p12) that has a private key and certs to PEM =====

<code bash>
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>

===== Create crt/key from a PFX file =====

<code bash>
# Export the private key (you will be prompted for a passphrase to protect the output)
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
# Strip the passphrase so the key can be used by a service without prompting
openssl rsa -in mysite.key.pem -out mysite.key
# Export only the client (leaf) certificate
openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
</code>

===== Create client crt and intermediate chain cert from .p7b (PKCS7) =====

Convert the p7b to a combined PEM, then convert that to a bundle of certs:
<code bash>
openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
</code>

View the "mysite.p7b.bundle" file:

  * The top BEGIN/END block is the client cert
  * Copy that single BEGIN/END block into a new file for the client cert
  * The rest is the certificate chain
  * Copy all the rest into a new file for the intermediate chain cert

----

====== Cert+Key Matching ======

OpenSSL can be used to verify that a certificate and key match.

Compare the two outputs to ensure they match (the Modulus fields must be identical):
<code bash>
openssl x509 -noout -text -in mysite.crt
openssl rsa -noout -text -in mysite.key
</code>

Same idea, but hashing the modulus of each gives a short string to compare; the two digests must be identical:
<code bash>
openssl x509 -noout -modulus -in mysite.crt | openssl md5
openssl rsa -noout -modulus -in mysite.key | openssl md5
</code>

----

====== Displaying Certificate Contents ======

Display certificate contents:
<code bash>
openssl x509 -in mysite.crt -noout -text
</code>

Display CSR contents:
<code bash>
openssl req -in mysite.csr -noout -text
</code>

----

====== Verification ======

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>

Remotely check a site's certificate and fingerprint it:
<code bash>
# -servername sends SNI so the server returns the right certificate;
# </dev/null closes stdin so s_client exits instead of waiting for input
openssl s_client -connect <domain>:443 -servername <domain> -showcerts </dev/null | openssl x509 -noout -text -fingerprint
</code>

----

linux_wiki/openssl.txt · Last modified: 2019/05/25 23:50 (external edit)
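The Cert+Key Matching section above compares RSA moduli; as an added example (not part of the original wiki page), this shell script decides whether a certificate and a private key belong together by hashing the DER-encoded public key taken from each side, which also covers EC keys. The file names, CN values, the tiny req config and the temporary directory are all constructed for the example.

```shell
# Added example (not from the wiki page): decide whether a certificate and a
# private key belong together by hashing the DER-encoded public key taken from
# each side. Unlike comparing "-modulus", this also works for EC keys.
# Requires the openssl CLI; all files live in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the fixtures do not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# pubkey_digest_from_cert CERT  -> SHA-256 of the SubjectPublicKeyInfo in CERT
pubkey_digest_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_digest_from_key KEY  -> SHA-256 of the public key derived from KEY
pubkey_digest_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_key_match CERT KEY  -> exit 0 if they belong together, 1 otherwise
cert_key_match() {
    c=$(pubkey_digest_from_cert "$1")
    k=$(pubkey_digest_from_key "$2")
    if [ -n "$c" ] && [ "$c" = "$k" ]; then return 0; else return 1; fi
}

# Constructed fixtures: an RSA key with its self-signed cert, and an EC pair.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=rsa.example' -keyout "$WORK/a.key" -out "$WORK/a.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/b.key"
openssl req -x509 -config "$WORK/req.cnf" -new -key "$WORK/b.key" -days 1 \
    -subj '/CN=ec.example' -out "$WORK/b.crt" 2>/dev/null

cert_key_match "$WORK/a.crt" "$WORK/a.key" && echo "a.crt / a.key: match"
cert_key_match "$WORK/b.crt" "$WORK/b.key" && echo "b.crt / b.key: match"
cert_key_match "$WORK/a.crt" "$WORK/b.key" || echo "a.crt / b.key: MISMATCH"
```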
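The Verification section above runs openssl verify against an intermediate; as an added example (not part of the original wiki page), this script builds a throwaway CA, issues a leaf certificate from a CSR (the same req/x509 commands the CSR sections use), and shows verification succeeding against the issuing CA and failing against an unrelated one. The CA names, CNs, extension config and temporary directory are constructed for the example.

```shell
# Added example (not from the wiki page): build a throwaway CA, issue a leaf
# certificate from a CSR, then run "openssl verify -CAfile" against the issuing
# CA and against an unrelated CA to show what a chain-of-authority failure
# looks like. Requires the openssl CLI; all files go to a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: the CA cert must carry CA:TRUE and the leaf CA:FALSE; verify
# rejects a v3 issuer that has neither CA:TRUE nor a keyCertSign keyUsage.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
EOF

# make_ca NAME  -> self-signed CA cert $WORK/NAME.crt and key $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME  -> new key + CSR for NAME, signed by CA into $WORK/NAME.crt
issue_leaf() {
    openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions v3_leaf \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_chain CAFILE CERT  -> exit 0 if CERT chains to CAFILE, non-zero otherwise
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca good-ca
make_ca other-ca
issue_leaf good-ca www.example
verify_chain "$WORK/good-ca.crt" "$WORK/www.example.crt" && echo "good-ca: OK"
verify_chain "$WORK/other-ca.crt" "$WORK/www.example.crt" || echo "other-ca: FAILS"
```

Note that -CAfile names the trust anchor: pointing it at an intermediate, as in the section above, trusts that intermediate directly rather than the root that issued it.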