Differences

This shows you the differences between two versions of the page.

--- linux_wiki:openssl [2015/04/06 16:50]
billdozor [Cert+Key Matching]
+++ linux_wiki:openssl [2019/05/25 23:50] (current)
@@ Line 6: / Line 6: @@
 **Checklist**
-  * Distros: All
+  * Distro(s): Any
 ----
-===== Certificate Encoding =====
+====== Certificate Encoding ======
   * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format.
@@ Line 26: / Line 26: @@
 ----
-===== Common Extensions =====
+====== Common Extensions ======
   * .crt - Used for certificates, commonly on *nix systems.
   * .cer - Used for certificates, commonly on Windows.
@@ Line 33: / Line 33: @@
 ----
-===== Generate Certificate Signing Requests =====
+====== Generate Certificate Signing Requests ======
-====New Private Key and CSR====
+Generating certificate signing requests to send to a certificate authority.
+\\
+===== New Private Key and CSR =====
 <code bash>
-openssl req -out MYSITE.csr -new -newkey rsa:2048 -nodes -keyout MYSITE.key
+openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
 </code>
-====New CSR for an Existing Private Key====
+\\
+===== New CSR for an Existing Private Key =====
 <code bash>
-openssl req -out MYSITE.csr -key MYSITE.key -new
+openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
 </code>
-====CSR Based On Existing Certificate====
+\\
+===== CSR Based On Existing Certificate =====
 <code bash>
-openssl x509 -x509toreq -in MYSITE.crt -out MYSITE.csr -signkey MYSITE.key
+openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
 </code>
 ----
-===== Certificate Conversions =====
+====== Self-Signed Certificates ======
-====Convert binary DER to PEM====
+Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority.
+\\
+===== Generate Self-Signed =====
+Generate a self-signed cert and private key from scratch
+<code bash>openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt</code>
+\\
+===== Generate Self-Signed from Existing Private Key =====
+Generate a self-signed cert from an existing private key
+<code bash>openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt</code>
+\\
+===== Generate Self-Signed from Existing Private Key and CSR =====
+Generate a self-signed cert from an existing private key and existing CSR
+<code bash>openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt</code>
+----
+====== Certificate Conversions ======
+Converting certificates from one type to another.
+\\
+===== Extract Cert, Key, CA from PFX =====
+  * Extract Key<code bash>openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key</code>
+  * Extract Certificate<code bash>openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt</code>
+  * Extract Certificate Authority<code bash>openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt</code>
+\\
+===== Convert binary DER to PEM =====
 <code bash>
 openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
 </code>
-====Convert PEM to DER====
+\\
+===== Convert PEM to DER =====
 <code bash>
 openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
 </code>
-====Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM====
+\\
+===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM =====
 <code bash>
 openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
 </code>
-====Create crt/key from a PFX file====
+\\
+===== Create crt/key from a PFX file =====
 <code bash>
 openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
@@ Line 75: / Line 116: @@
 openssl pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt
 </code>
+\\
+===== Create client crt and intermediate chain cert from .p7b(PKCS7) =====
+Convert p7b to PEM combined, then convert to bundle of certs
+<code bash>
+openssl pkcs7 -inform DER -outform PEM -in mysite.p7b -out mysite.p7b.pem
+openssl pkcs7 -print_certs -in mysite.p7b.pem -out mysite.p7b.bundle
+</code>
+View the "mysite.p7b.bundle" file:
+  * The top BEGIN/END block is the client cert
+    * Copy that single BEGIN/END into a new file for the client cert
+  * The rest is the certificate chain
+    * Copy all the rest into a new file for the intermediate chain cert
 ----
-=====Cert+Key Matching=====
+====== Cert+Key Matching ======
 Openssl can be used to very that a certificate and key match.
+\\
 Compare to ensure they match
 <code bash>
@@ Line 88: / Line 145: @@
 </code>
+\\
 Similar method, but running output through md5 hash for a shorter comparison
 <code bash>
@@ Line 96: / Line 154: @@
 ----
-=====Displaying Certificate Contents=====
+====== Displaying Certificate Contents ======
+Display Certificate Contents
+<code bash>
+openssl x509 -in mysite.crt -text
+</code>
+\\
+Display CSR Contents
+<code bash>
+openssl req -in mysite.csr -text
+</code>
+----
+====== Verification ======
+To verify that an intermediate cert and client certificate pass a chain of authority test:
+<code bash>
+openssl verify -CAfile mysites_intermediate.crt mysite.crt
+</code>
+\\
+Remotely check a site's certificate and fingerprint it
+<code bash>
+openssl s_client -connect <domain>:443 -showcerts | openssl x509 -text -fingerprint
+</code>
+----
-TODO