OpenSSL usage tips and examples: Difference between revisions

Revision as of 17:00, 9 April 2008

OpenSSL can be a complicated application to be sure. This page intends to shed some light on how to accomplish some typical operations, such as viewing a certificates details or creating a SSL (client) connection to an email server that supports STARTTLS.

Create self-signed certificate (and key)

openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt

View certificates details

openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.

View the details of a certificate revocation list (CRL)

openssl crl -in filename  -noout -text

Where filename corresponds to the CRL file, which typically would end in .crl or .pem

Convert DER (binary) to PEM (base-64) format

Converts a DER format certificate to PEM - which is more widely used in applications such as apache.

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der See also: man x509

Generate the hash value from a certificate

Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application.

openssl x509 -hash -noout -in certfile.pem

Testing STARTTLS

Connects to a mail server and starts TLS session, shows all the server certs (certificate chain) with -showcerts.

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: only support in newer versions of openssl (check man page for -starttls option)

@@ Line 1: / Line 1: @@
-{{TRADS}}
 __NOTOC__
@@ Line 6: / Line 5: @@
 a certificates details or creating a SSL (client) connection to an email
 server that supports STARTTLS.
+== Create self-signed certificate (and key) ==
+ openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt
 == View certificates details ==