Docu review done: Mon 03 Jul 2023 17:09:28 CEST
Commands
| Command | Description |
|---|---|
openssl req -in <domain>.csr -noout -text | shows informations from csr (csr..certificate signing request) |
openssl x509 -text -noout -in <certfile> | shows details about local certificate |
openssl s_client -showcerts -servername example.com -connect example.com:443 </dev/null | Connects to server and shows cert |
openssl s_client -showcerts -connect example.com:443 </dev/null | Connects to servers and shows cert |
echo | openssl s_client -showcerts example.com -connect example.com:443 2>/dev/null | openssl x509 -text | Connects to server and show cert details |
openssl s_client -starttls postgres -connect my_postgresql_server:5432 | openssl x509 -text | Connects to postgresql service and shows cert details |
Validate key-file against cert-file (if needed also against csr)
Option 1: via check sum (external binary)
$ openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha512sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b -
$ openssl pkey -in privateKey.key -pubout -outform pem | sha512sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b -
$ openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
26d0710ae90e9a916b6d1dc5e5c5db891feafc770108c2a83b76e8938ccde7b93a9bf2c30f058303b9ae759b593f5921eb2892a2c12fb1cc452f4b5092b5296b -
Option 2: via check sum (openssl binary)
$ openssl x509 -text -noout -modulus -in certificate.crt | openssl md5
(stdin)= 5de137fcbec70689b390235cc0de0ab5
$ openssl rsa -text -noout -modulus -in privateKey.key | openssl md5
(stdin)= 5de137fcbec70689b390235cc0de0ab5
Option 3: via matching modulus
$ openssl x509 -text -noout -modulus -in certificate.crt | grep "Modulus="
Modulus=9CD8C9C81E0BF0C40...
$ openssl rsa -text -noout -modulus -in privateKey.key | grep "Modulus="
Modulus=9CD8C9C81E0BF0C40...
convert p12 into pem
check the order of the certificate chain in the pem file. issuer must be below signed certificate. (cert => signed by => signed by => ca) position of private key does aparently not matter I had it at the very end
$ openssl pkcs12 -in path.p12 -out newfile.pem -nodes
Or, if you want to provide a password for the private key, omit -nodes and input a password:
$ openssl pkcs12 -in path.p12 -out newfile.pem
Extract cacerts from pkcs12
$ openssl pkcs12 -in elasticsearch-certificates.p12 -cacerts -nokeys -out ca.crt
Private key handling
# generate a new 4096 bit RSA key without password
$ openssl genrsa -out file.key 4096
# verify a key
$ openssl pkey -in file.key -noout -check
# get some details about a key
$ openssl pkey -in file.key -noout -text
CSR handling
# generate a new csr for an existing key interactively
$ openssl req -out file.csr -key file.key -new
# get some details about a csr:
$ openssl req -in file.csr -noout -text
Generate self signed certificate with one command (e.g. CA)
$ openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt
Generate new key and csr and sign it with ca (e.g. server cert) serial not correct though
$ openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key
$ openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
sign a csr or generate a certificate valid for 5minutes for testing
$ faketime '23hours ago 55min ago' openssl x509 -req -in server.csr -days 1 -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt