OpenSSL usage tips and examples

From ConShell
Jump to navigation Jump to search

Introduction

The OpenSSL (http://openssl.org/) toolkit can be a complicated beast for the new user. This tutorial page intends to shed some light on how to accomplish some typical operations, such as viewing an x.509 (also called SSL/TLS) certificate details or creating a SSL (client) connection to an email server that supports STARTTLS.

Keywords: openssl, tutorial, instructions, cheatsheet, howto, how-to, guide, ssl, tls, encryption, pki, x509, x.509, certificate, key, cert, crt, csr, pem, request, sign, signer, signing, authority, revoke, revocation, crl, ocsp, online, protocol, sha1, md5

Create 2 year self-signed certificate (and key)

openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt

Create 2 year self-signed certificate with existing key

openssl req -key www.example.com.key -new -days 730 -nodes -x509 -out www.example.com.crt

Generate a new CSR with a new key

openssl req -new -nodes -keyout <newkeyfile>.key -out <commonname>.csr

Generate a new CSR with an existing key

openssl req -new -key <keyfile>.key -out <commonname>.csr

View certificates details

openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.

See also: man x509

View the details of a certificate revocation list (CRL)

openssl crl -in filename.crl  -noout -text

Where filename corresponds to the CRL file, which typically would end in .crl or .pem

See also: man crl

Convert DER (binary) to PEM (base-64) format

Converts a DER format certificate to PEM - which is more widely used in applications such as apache.

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der

See also: man x509

Generate the hash value from a certificate

Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application.

openssl x509 -hash -noout -in certfile.pem

Put another way, here is how to generate the linkage required for a certificate CA path of /etc/ssl/certs for a given cert.

cd /etc/ssl/certs
sudo ln -s certfile.pem `openssl x509 -hash -noout -in certfile.pem`.0

See also: man x509

Verify a key & certificate match

Use the modulus flag for x509 or rsa

$ openssl x509 -noout -modulus -in example.crt | openssl md5
(stdin)= dcdcc62746914ff3fd951e624a0431f8
$ openssl rsa -noout -modulus -in example.key | openssl md5
(stdin)= dcdcc62746914ff3fd951e624a0431f8

If the two hashes match, the cert and key are a valid pair.

Testing STARTTLS

Connects to a mail server and starts TLS session, shows all the server certs (certificate chain) with -showcerts.

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: only support in newer versions of openssl (check man page for -starttls option)

See also: man s_client