linux_wiki:openssl

Differences

This shows you the differences between two versions of the page.

linux_wiki:openssl [2016/12/02 11:16]
billdozor
linux_wiki:openssl [2019/05/25 23:50] (current)
Line 35: Line 35:
 ====== Generate Certificate Signing Requests ====== ====== Generate Certificate Signing Requests ======
  
 +Generating certificate signing requests to send to a certificate authority.
 +
 +\\
 ===== New Private Key and CSR ===== ===== New Private Key and CSR =====
 <code bash> <code bash>
Line 40: Line 43:
 </code> </code>
  
 +\\
 ===== New CSR for an Existing Private Key ===== ===== New CSR for an Existing Private Key =====
 <code bash> <code bash>
Line 45: Line 49:
 </code>  </code> 
  
 +\\
 ===== CSR Based On Existing Certificate ===== ===== CSR Based On Existing Certificate =====
 <code bash> <code bash>
 openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr openssl x509 -x509toreq -in MYSITE.crt -signkey MYSITE.key -out MYSITE.csr
 </code> </code>
 +
 +----
 +
 +====== Self-Signed Certificates ======
 +
 +Self-signed certificates are for development/home use. They encrypt traffic just fine, but end users will see a warning message since the cert is not signed by a valid certificate authority.
 +
 +\\
 +===== Generate Self-Signed =====
 +
 +Generate a self-signed cert and private key from scratch
 +<code bash>openssl req -newkey rsa:2048 -nodes -keyout MYSITE.key -x509 -days 365 -out MYSITE.crt</code>
 +
 +\\
 +===== Generate Self-Signed from Existing Private Key =====
 +
 +Generate a self-signed cert from an existing private key
 +<code bash>openssl req -key MYSITE.key -new -x509 -days 365 -out MYSITE.crt</code>
 +
 +\\
 +===== Generate Self-Signed from Existing Private Key and CSR =====
 +
 +Generate a self-signed cert from an existing private key and existing CSR
 +<code bash>openssl x509 -signkey MYSITE.key -in MYSITE.csr -req -days 365 -out MYSITE.crt</code>
  
 ---- ----
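Review bot: The intro sentence "They encrypt traffic just fine" in the new Self-Signed Certificates section should also say that a client who clicks through the warning has no way to verify which server it is talking to, so the encryption only protects against passive eavesdropping unless the cert is explicitly trusted or pinned on the client. In "Generate Self-Signed", `-nodes` writes MYSITE.key unencrypted; add a sentence telling the reader to restrict the file (for example `chmod 600 MYSITE.key`) or to drop `-nodes` where a passphrase is workable. None of the three commands sets a subjectAltName, so it is worth documenting how to add one (with OpenSSL 1.1.1 or later, `-addext "subjectAltName=DNS:<hostname>"` on the two `req` commands), since current browsers ignore the CN when matching hostnames.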
Line 54: Line 83:
 ====== Certificate Conversions ====== ====== Certificate Conversions ======
  
 +Converting certificates from one type to another.
 +
 +\\
 +===== Extract Cert, Key, CA from PFX =====
 +  * Extract Key<code bash>openssl pkcs12 -in mycertpack.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > mykey.key</code>
 +  * Extract Certificate<code bash>openssl pkcs12 -in mycertpack.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.crt</code>
 +  * Extract Certificate Authority<code bash>openssl pkcs12 -in mycertpack.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myCA.crt</code>
 +
 +\\
 ===== Convert binary DER to PEM ===== ===== Convert binary DER to PEM =====
 <code bash> <code bash>
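Review bot: The "Extract Key" bullet uses `-nodes` and redirects to mykey.key, so the private key lands on disk unencrypted with whatever permissions the current umask gives; suggest running `umask 077` before the step or `chmod 600 mykey.key` after it. The sed range `/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/` only matches that exact PEM header, so if the OpenSSL build in use emits a different one (for example `BEGIN RSA PRIVATE KEY`), the pipeline still exits successfully and leaves an empty mykey.key; a follow-up check such as `openssl pkey -in mykey.key -noout` would catch that. The same silent-empty-file case applies to the two certificate bullets, for instance myCA.crt when the PFX carries no CA certificates.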
Line 59: Line 97:
 </code> </code>
  
 +\\
 ===== Convert PEM to DER ===== ===== Convert PEM to DER =====
 <code bash> <code bash>
Line 64: Line 103:
 </code> </code>
  
 +\\
 ===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM ===== ===== Convert PKCS#12(.pfx, .p12) that has a private key and certs to PEM =====
 <code bash> <code bash>
Line 69: Line 109:
 </code> </code>
  
 +\\
 ===== Create crt/key from a PFX file ===== ===== Create crt/key from a PFX file =====
 <code bash> <code bash>
Line 76: Line 117:
 </code> </code>
  
 +\\
 ===== Create client crt and intermediate chain cert from .p7b(PKCS7) ===== ===== Create client crt and intermediate chain cert from .p7b(PKCS7) =====
  
Line 96: Line 138:
 Openssl can be used to very that a certificate and key match. Openssl can be used to very that a certificate and key match.
  
 +\\
 Compare to ensure they match Compare to ensure they match
 <code bash> <code bash>
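Review bot: The context line "Openssl can be used to very that a certificate and key match." has a typo, "very" should be "verify"; worth fixing in the same revision since this hunk already touches the paragraph.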
Line 102: Line 145:
 </code> </code>
  
 +\\
 Similar method, but running output through md5 hash for a shorter comparison Similar method, but running output through md5 hash for a shorter comparison
 <code bash> <code bash>
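Review bot: The description "running output through md5 hash for a shorter comparison" could switch to SHA-256, which shortens the compared value just as well and avoids teaching MD5 as a default digest. The command itself is not visible in this hunk, so this applies to the description and to whatever digest the block below it calls.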
Line 117: Line 161:
 </code> </code>
  
 +\\
 Display CSR Contents Display CSR Contents
 <code bash> <code bash>
Line 131: Line 176:
 </code> </code>
  
 +\\
 Remotely check a site's certificate and fingerprint it Remotely check a site's certificate and fingerprint it
 <code bash> <code bash>
  • linux_wiki/openssl.1480695403.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)