linux_wiki:openssl

Revision comparison: 2015/04/28 18:44 (billdozor, edit to "New CSR for an Existing Private Key") against 2019/05/25 23:50 (current). The text below is the current revision.
  
**Checklist**
  * Distro(s): Any
  
----
  
====== Certificate Encoding ======
  
  * Privacy Enhanced Mail (PEM) - One of the most common certificate encodings. ASCII format: the DER bytes, base64-encoded between -----BEGIN ...----- and -----END ...----- lines.

----
  
====== Common Extensions ======
  * .crt - Used for certificates, commonly on *nix systems.
  * .cer - Used for certificates, commonly on Windows.

The extension does not tell you the encoding: a .crt or .cer file may hold either PEM or DER, so check the file contents rather than the name.

----
  
====== Generate Certificate Signing Requests ======

Generating certificate signing requests to send to a certificate authority. Only the .csr leaves the host; the private key (.key) stays where it was generated.

\\
===== New Private Key and CSR =====
<code bash>
openssl req -new -newkey rsa:2048 -nodes -out MYSITE.csr -keyout MYSITE.key
</code>
  
\\
===== New CSR for an Existing Private Key =====
<code bash>
openssl req -sha256 -new -key MYSITE.key -out MYSITE.csr
</code>
  
\\
===== CSR Based On Existing Certificate =====
<code bash>
openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
</code>
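Worked example, added here and not part of the original wiki page: the commands above prompt for the subject interactively and set no subjectAltName, but clients match the hostname against the SAN, not the CN. This script builds the key and CSR non-interactively with the hostnames in the SAN, then runs the checks worth doing before the CSR is sent off: the request verifies, it names the expected hosts, and it really belongs to the key on disk. The example.test hostnames, the MYSITE file names and the function names are assumptions for illustration.

```bash
# Added example, not from the original page: a non-interactive CSR that
# carries the hostnames in subjectAltName, plus the checks to run before
# the CSR leaves the host. Hostnames under example.test and the MYSITE
# file names are illustrative assumptions.

# make_csr <basename> <primary-hostname> [more-hostnames...]
# Writes <basename>.key (unencrypted) and <basename>.csr in the current dir.
make_csr() {
    base=$1; primary=$2; shift 2
    sans="DNS:$primary"
    for h in "$@"; do sans="$sans,DNS:$h"; done

    # A req config instead of interactive prompts. The SAN is what clients
    # match the hostname against; a CN on its own is no longer enough.
    cat > "$base.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $primary

[ v3_req ]
subjectAltName = $sans
EOF

    # -nodes leaves the key unencrypted; restrict the file mode instead of
    # relying on a passphrase the web server would need to store anyway.
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$base.cnf" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
}

# csr_ok <csr> <hostname>: the CSR's self-signature verifies and its SAN
# lists the given DNS name. 0 = yes, 1 = no.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>/dev/null || return 1
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2" || return 1
}

# csr_key_matches <csr> <key>: the CSR really was built from this key.
# Comparing the public keys is more reliable than trusting file names.
csr_key_matches() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (only the .csr goes to the CA; the .key stays here):
#   make_csr MYSITE www.example.test example.test
#   csr_ok MYSITE.csr www.example.test && csr_key_matches MYSITE.csr MYSITE.key
```

The config file route works on any OpenSSL release; on 1.1.1 and later the same SAN can be passed on the command line with -addext "subjectAltName=DNS:...".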
  
----
  
====== Self-Signed Certificates ======

Self-signed certificates are for development/home use. They encrypt traffic just fine, but they prove nothing about who is on the other end: clients warn because no trusted certificate authority vouches for the cert, and a user who clicks through cannot tell your self-signed cert from one an attacker put in the middle. For anything beyond a test box, have clients trust the specific cert (or a private CA) rather than the warning.

\\
===== Generate Self-Signed =====

Generate a self-signed cert and private key from scratch
<code bash>openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt</code>

\\
===== Generate Self-Signed from Existing Private Key =====

Generate a self-signed cert from an existing private key
<code bash>openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt</code>

\\
===== Generate Self-Signed from Existing Private Key and CSR =====

Generate a self-signed cert from an existing private key and existing CSR
<code bash>openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt</code>

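Worked example, added here and not part of the original wiki page: a self-signed dev certificate that names its host in subjectAltName, and the check that tells you whether a client which trusts this exact cert would accept it for a given hostname. A self-signed cert can only ever be trusted by being its own trust anchor, which is what the verify call below does. The dev.example.test hostname, the MYSITE file names and the function names are assumptions for illustration.

```bash
# Added example, not from the original page: a self-signed dev cert that
# names its host in subjectAltName, and the check that tells you whether a
# client which trusts this exact cert would accept it for a given hostname.
# dev.example.test and the MYSITE file names are illustrative assumptions.

# selfsigned <basename> <hostname> [days]
# -x509 makes req emit a certificate signed with the new key instead of a
# CSR. -addext needs OpenSSL 1.1.1+; older builds need a config file.
selfsigned() {
    base=$1; host=$2; days=${3:-365}
    umask 077
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$base.key" -out "$base.crt" 2>/dev/null
}

# trusted_for <cert> <hostname>
# A self-signed cert can only be trusted by being its own trust anchor, so
# verify it against itself, and against the name the client will connect
# to. Skipping the hostname check is exactly the click-through mistake.
# -no-CApath/-no-CAfile keep the system store out of the verdict.
trusted_for() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" \
        -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage:
#   selfsigned MYSITE dev.example.test 90
#   trusted_for MYSITE.crt dev.example.test && echo "ok for dev.example.test"
```

To make a browser or curl stop warning, give it MYSITE.crt as a trust anchor (curl --cacert MYSITE.crt, or the OS/browser trust store); that is the same relationship trusted_for tests.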
----

====== Certificate Conversions ======

Converting certificates from one type to another.

\\
===== Extract Cert, Key, CA from PFX =====
Each command prompts for the PFX import password; the first one writes the key unencrypted because of -nodes, so set permissions on mykey.key accordingly.
  * Extract Key<code bash>openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key</code>
  * Extract Certificate<code bash>openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt</code>
  * Extract Certificate Authority<code bash>openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt</code>

\\
===== Convert binary DER to PEM =====
<code bash>
openssl x509 -inform der -in MYSITE.cer -out MYSITE.pem
</code>
  
\\
===== Convert PEM to DER =====
<code bash>
openssl x509 -outform der -in MYSITE.pem -out MYSITE.der
</code>
  
\\
===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM =====
<code bash>
openssl pkcs12 -in MYSITE-KEYSTORE.pfx -out MYSITE.pem -nodes
</code>
  
\\
===== Create crt/key from a PFX file =====
<code bash>
openssl pkcs12 -in mysite.pfx -nocerts -out mysite.key.pem
</code>
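Worked example, added here and not part of the original wiki page, covering the PFX subsections above (Extract Cert, Key, CA from PFX; Convert PKCS#12 to PEM; Create crt/key from a PFX file): build a PKCS#12 file from a key, a certificate and a CA cert without any prompts, extract the three pieces again, and prove that what came out is what went in by comparing fingerprints and public keys. It also shows the failure mode the sed pipelines on this page hide: with a wrong password they produce empty files and exit 0. File names, the "changeit" password and the function names are assumptions for illustration.

```bash
# Added example, not from the original page: package key + cert + CA into a
# PKCS#12 file without prompts, extract the pieces again, and prove nothing
# was swapped or lost. File names and the password "changeit" are
# illustrative assumptions.

# to_pfx <out.pfx> <key> <cert> <ca-certs> <password>
# pass: is visible in `ps` and shell history; in real scripts prefer
# -passout file:/path or env:VAR (both are openssl pass phrase sources).
to_pfx() {
    openssl pkcs12 -export -inkey "$2" -in "$3" -certfile "$4" \
        -passout "pass:$5" -out "$1" 2>/dev/null
}

# from_pfx <in.pfx> <password> <prefix>
# Writes <prefix>.key, <prefix>.crt and <prefix>-ca.crt as PEM. Fails (1)
# on a wrong password instead of quietly producing empty files, which the
# sed pipelines alone would do. The sed ranges strip the "Bag Attributes"
# text pkcs12 prints around each object.
from_pfx() {
    pfx=$1; pw=$2; out=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -noout 2>/dev/null || return 1
    umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
        | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "$out.key"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out-ca.crt"
}

# fingerprint <cert.pem>: SHA-256 fingerprint; compares two copies of a
# certificate independent of encoding and surrounding text.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# pubkey <key-or-cert.pem>: the public key in PEM, so an extracted private
# key can be compared with the certificate it is supposed to belong to.
pubkey() {
    case $(head -n 1 "$1") in
        *CERTIFICATE*) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
        *)             openssl pkey -in "$1" -pubout 2>/dev/null ;;
    esac
}

# Usage:
#   to_pfx site.pfx site.key site.crt ca-chain.crt changeit
#   from_pfx site.pfx changeit extracted
#   [ "$(fingerprint extracted.crt)" = "$(fingerprint site.crt)" ] && echo same cert
```

-clcerts returns the certificate that carries the same localKeyID as the key, -cacerts returns everything else in the bundle, so the split into .crt and -ca.crt depends on the file having been exported with the key and its certificate as a pair.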
  
\\
===== Create client crt and intermediate chain cert from .p7b(PKCS7) =====

Convert p7b to PEM combined, then convert to bundle of certs

----
  
====== Cert+Key Matching ======

OpenSSL can be used to verify that a certificate and key match.
  
\\
Compare to ensure they match
  
\\
Similar method, but running the output through an md5 hash for a shorter comparison
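Worked example, added here and not part of the original wiki page: two ways to check that a certificate and private key belong together. Comparing RSA moduli is the classic approach the hashed comparison above is built on, and it only works for RSA; comparing the public keys themselves (the SPKI that both the cert and the key can emit) works for RSA and EC alike. File names and function names are assumptions for illustration.

```bash
# Added example, not from the original page: two ways to check that a
# certificate and private key belong together. The modulus comparison is
# what the md5 trick on this page is built on and only works for RSA; the
# public-key comparison covers RSA and EC alike. File names are assumptions.

# pair_matches <cert.pem> <key.pem>: 0 if the key's public half is the one
# in the certificate. Works for any key type openssl pkey understands.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# rsa_modulus_matches <cert.pem> <key.pem>: the RSA-only version. Returns 1
# for a mismatch and also for a non-RSA key, where "openssl rsa" cannot
# load the key at all.
rsa_modulus_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$c" = "$k" ]
}

# pair_digest <cert.pem> <key.pem>: the "shorter comparison" idea, a digest
# of each public key, one per line, so two long PEM blocks become two short
# strings you can eyeball. sha256 rather than md5; collisions do not matter
# for this use, but there is no reason to keep md5 in muscle memory.
pair_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
    openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage:
#   pair_matches MYSITE.crt MYSITE.key && echo "key matches cert"
#   pair_digest MYSITE.crt MYSITE.key
```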
----
  
====== Displaying Certificate Contents ======

Display Certificate Contents
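Worked example, added here and not part of the original wiki page: rather than reading a whole -text dump, pull out the fields a review actually turns on (key size, SAN entries, expiry, signature algorithm) and turn them into a pass/fail for a given hostname. The thresholds (2048-bit key, 30 days of validity left), the example.test hostname and the function names are my assumptions; EC keys would need a different size threshold.

```bash
# Added example, not from the original page: instead of reading a whole
# -text dump, pull out the fields a review actually turns on and make them
# a pass/fail. The thresholds (2048-bit key, 30 days left) are my
# assumptions; EC keys would need a different size check.

# cert_key_bits <cert.pem>: public key size in bits (RSA or EC).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sans <cert.pem>: DNS names from subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_expires_within <cert.pem> <seconds>: 0 if the cert will have expired
# that many seconds from now. (-checkend itself returns 0 when the cert
# will still be valid, hence the negation.)
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_sig_alg <cert.pem>: the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_report <cert.pem> <hostname>: prints one line per finding, returns
# 0 if the cert looks deployable for that host and 1 otherwise.
cert_report() {
    cert=$1; host=$2; rc=0
    bits=$(cert_key_bits "$cert")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { echo "weak key: ${bits:-?} bits"; rc=1; }
    cert_sans "$cert" | grep -qx "$host" || { echo "no SAN entry for $host"; rc=1; }
    ! cert_expires_within "$cert" 2592000 || { echo "expires within 30 days"; rc=1; }
    case $(cert_sig_alg "$cert") in
        sha1*|md5*) echo "weak signature: $(cert_sig_alg "$cert")"; rc=1 ;;
    esac
    return $rc
}

# Usage:
#   cert_report MYSITE.crt www.example.test && echo "looks deployable"
```

For a one-off look, openssl x509 -in MYSITE.crt -noout -subject -issuer -dates -ext subjectAltName (the -ext option needs OpenSSL 1.1.1+) prints the same fields without the full dump.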
  
\\
Display CSR Contents

----
  
====== Verification ======

To verify that an intermediate cert and client certificate pass a chain of authority test:
<code bash>
openssl verify -CAfile mysites_intermediate.crt mysite.crt
</code>
The file given to -CAfile is the trust store for this check. Unless the root that issued the intermediate is also available (in that file, or in the system store that openssl still loads by default), verification fails with "unable to get issuer certificate", because the chain does not end in a self-signed root. Either pass the root with -CAfile and the intermediate with -untrusted, or add -partial_chain to accept the intermediate itself as a trust anchor.
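Worked example, added here and not part of the original wiki page: a throwaway root, intermediate and leaf, and the chain-of-authority test run in the shapes that pass and the shapes that fail, with the system trust store excluded so the verdict is about these files only. Every name (Example Root CA, www.example.test, the file and function names) is an assumption for illustration.

```bash
# Added example, not from the original page: a throwaway root -> intermediate
# -> leaf chain, and the chain-of-authority test run in the shapes that
# pass and the shapes that fail. Every name (Example Root CA, example.test,
# file names) is an illustrative assumption.

# mk_ca <basename> <subject> [issuer-basename]
# No issuer: a self-signed root. With one: an intermediate signed by it.
# basicConstraints CA:TRUE is what lets OpenSSL accept the cert as an
# issuer; without it the chain fails with "invalid CA certificate".
mk_ca() {
    base=$1; subj=$2; issuer=$3
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$base.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$base.csr" -signkey "$base.key" -days 30 \
            -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    else
        openssl x509 -req -in "$base.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    fi
}

# mk_leaf <basename> <hostname> <issuer-basename>: an end-entity cert with
# the hostname in its SAN, signed by the given intermediate.
mk_leaf() {
    base=$1; host=$2; issuer=$3
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$base.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    openssl x509 -req -in "$base.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
        -CAcreateserial -days 30 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# chain_ok <root.crt> <intermediate.crt> <leaf.crt>
# The root is the trust anchor; the intermediate is supplied with -untrusted
# and has to chain up to the root on its own merits. -no-CApath/-no-CAfile
# keep the system store out, so the verdict is about these files only.
chain_ok() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# anchor_only <trust.crt> <leaf.crt>
# The shape of the page's command: one file as trust store, nothing else.
# With only the intermediate in it, this fails ("unable to get issuer
# certificate") because the chain does not end in a self-signed root.
anchor_only() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# partial_ok <intermediate.crt> <leaf.crt>
# -partial_chain makes a non-root certificate acceptable as a trust anchor,
# which is what the page's intermediate-only command actually needs.
partial_ok() {
    openssl verify -no-CApath -no-CAfile -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage:
#   mk_ca root "/CN=Example Root CA"
#   mk_ca inter "/CN=Example Intermediate CA" root
#   mk_leaf site www.example.test inter
#   chain_ok root.crt inter.crt site.crt && echo "chain verifies"
```

Without -no-CApath the same commands may pass or fail depending on what happens to be in /etc/ssl/certs on the machine running them, which is why the functions pin the trust store explicitly.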

\\
Remotely check a site's certificate and fingerprint it. -servername sends the hostname via SNI so a host serving several sites returns the right certificate; redirecting stdin from /dev/null lets s_client exit instead of waiting for input; -sha256 asks for the fingerprint digest explicitly, since -fingerprint on its own prints a SHA-1 fingerprint.
<code bash>
openssl s_client -connect <domain>:443 -servername <domain> -showcerts </dev/null | openssl x509 -noout -text -fingerprint -sha256
</code>

----
