notes:openssl
This is an old revision of the document!
Table of Contents
Create a certificate request
Create a ECC key
Create a ECC private key using the prime256v1 algorithm 1)
openssl ecparam -out server.key -name prime256v1 -genkey
using secp384r1
openssl ecparam -out server.key -name prime256v1 -genkey
Create CSR from key
openssl req -new -nodes -key server.key -out $(hostname -f).csr\ -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\ -addext "subjectAltName=DNS:$(hostname -f)"
One-liner for ECC key
openssl req -new -nodes -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \ -keyout $(hostname -f).key -out $(hostname -f).csr \ -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)"\ -addext "subjectAltName=DNS:$(hostname -f)"
Create a RSA key
openssl req -new -nodes -keyout newkey.pem -out newreq.pem
Create rsa key and csr
openssl req -new -newkey rsa:2048 -nodes -out example.com.csr \ -keyout example.com.key \ -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=example.com" \ -addext "subjectAltName=DNS:example.com"
one liner for RSA key and csr using system FQDN
openssl req -new -sha256 -nodes -out $(hostname -f).csr -newkey rsa:2048 -keyout $(hostname -f).key -subj "/C=US/ST=IL/L=Springfield/O=ACME Inc/OU=roadrunner/CN=$(hostname -f)" \ -addext "subjectAltName=DNS:$(hostname -f)"
get cert modulus and compare to private key
if [[ "$(openssl x509 -noout -in ${SIGNED_CERT} -modulus)" != "$(openssl rsa -noout -in ${PRIVATE_KEY} -modulus)" ]] ; then
echo "they don't match"
fi
pkcs12
Create pkcs12
for a web browser from a certificate and it's key
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out chrome.p12
If the private and public key are in the same file
openssl pkcs12 -export -in mycert.CRT -out mycertoutput.p12
Convert pkcs12 to pem
first extract the certificate
openssl pkcs12 -in mycert.P12 -nodes -clcerts -out cert
second, extract the key
openssl pkcs12 -in mycert.P12 -nodes -nocerts -out key
Both into one file
openssl pkcs12 -in mycert.P12 -nodes -out mycert.CRT
Create CRL
http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke
openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/isd_crl.crl
openssl ca -revoke CA/newcerts/F069A9B2CEE10A6E.pem -keyfile CA/private/cakey.pem -cert CA/cacert.pem
openssl ca -gencrl -keyfile CA/private/cakey.pem -cert CA/cacert.pem -out CA/my_crl.pem
To display the contents of a CRL certificate:
openssl crl -in my_crl.pem -text
Convert a PEM formatted CRL to DER format for Firefox openssl crl -in crl.pem -outform DER -out new_crl.der
Create a certificate hash
openssl x509 -noout -subject_hash -in selfsigned.pem
Display
Display contents of a certificate file
openssl x509 -in cacert.pem -text
Display certificate request (CSR)
openssl req -in cert.csr -text
openssl s_client
view the details of what the server wants openssl s_client -connect example.com:443 -prexit
Using a client certificate
openssl s_client -cert client.crt -key client.key -connect example.com:44
With certificate verification
openssl s_client -connect example.com:443 -cert mycert.pem -key mykey.pem -CAfile cacert.pem
wget and openssl s_client wget –certificate=mycert.pem –private-key=mykey.pem –ca-certificate=cacert.pem https://example.com –verbose
Encrypting using openssl
openssl enc -e -k 1234 -aes256 -in text.txt -out text.txt.enc
#Signing files
date +%s > restore.txt #sign using rasutl openssl rsautl -sign -in restore.txt -inkey mykey.pem -out restore.sig #verify using rsautl openssl rsautl -verify -in restore.sig -inkey mycert.pem -certin
#smime - Sign and verify openssl smime -sign -in restore.txt -text -out mail.msg -signer mycert.pem -inkey mykey.pem openssl smime -verify -in mail.msg -CAfile cacert.pem -out signedtext.txt
openssl.cnf Should change default_bits to 2048 change nsCertType to just client for client certificates nsComment
index.txt format
mostly copied from http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html
Column 1 – (V)erified, (E)xpired, and (R)evoked First of all the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that.
Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and newline separates the rows.
The columns are defined as
#define DB_type 0 /* Status of the certificate */ #define DB_exp_date 1 /* Expiry date */ #define DB_rev_date 2 /* Revocation date */ #define DB_serial 3 /* Serial No., index - unique */ #define DB_file 4 #define DB_name 5 /* DN, index - unique when active and not disabled */
DB_type is defined as
#define DB_TYPE_REV 'R' /* Revoked */ #define DB_TYPE_EXP 'E' /* Expired */ #define DB_TYPE_VAL 'V' /* Valid */
'E' is currently not used by “openssl ca”, I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V' DB_file currently is always 'unknown' and not used by “openssl ca”. I guess the original idea was to store the filename of the generated certificate file here. The dates are in ASN1_UTCTIME-format.
revoke_date=`date +%y%m%d%H%M%SZ`
compare key with signed cert
openssl x509 -noout -modulus -in <signed_cert.crt> openssl rsa -noout -modulus -in <cert.key>
and compare the two
References
notes/openssl.1701833854.txt.gz · Last modified: by david