OpenSSL usage tips and examples: Difference between revisions
Fostermarkd (initial page from http://mark.foster.cc/kb/openssl-usage-tips.html)
Fostermarkd (no edit summary)
Revision as of 17:00, 9 April 2008
OpenSSL can be a complicated application, to be sure. This page intends to
shed some light on how to accomplish some typical operations, such as viewing
a certificate's details or creating an SSL (client) connection to an email
server that supports STARTTLS.
Create self-signed certificate (and key)
openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt
View certificate details
openssl x509 -in filename.crt -noout -text
Where filename.crt corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.
See also: man x509
View the details of a certificate revocation list (CRL)
openssl crl -in filename -noout -text
Where filename corresponds to the CRL file, which typically would end in .crl or .pem.
See also: man crl
Convert DER (binary) to PEM (base-64) format
Converts a DER-format (binary) certificate to PEM, which is more widely used in applications such as Apache.
openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der
See also: man x509
Generate the hash value from a certificate
Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application: OpenSSL looks up a CA certificate in such a directory by a file named after this hash value (e.g. <hash>.0), so the certificate file must be named or symlinked accordingly.
openssl x509 -hash -noout -in certfile.pem
See also: man x509
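The following script is an added example, not part of the original wiki page: it chains the commands above (self-signed certificate creation, subject hash, DER/PEM conversion) into an offline check that installs a certificate into a hash-named CA directory and verifies against it with openssl verify -CApath. All file and directory names are assumed, and it uses rsa:2048 rather than the page's rsa:1024 as a stronger default.

```shell
#!/bin/sh
# Added example (not from the original page). File names and the CA directory
# layout are assumptions; the hash-named file scheme is what -CApath expects.
set -e

# Create a self-signed certificate and key non-interactively.
# The page uses rsa:1024; 2048 is chosen here as a stronger default (assumption).
make_selfsigned() {   # $1 = common name, $2 = output prefix
    openssl req -new -newkey rsa:2048 -days 730 -nodes -x509 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# Install a certificate into a hashed CA directory as <subject hash>.0,
# the file name OpenSSL looks up when verifying with -CApath.
install_ca() {        # $1 = cert file, $2 = directory
    mkdir -p "$2"
    cp "$1" "$2/$(openssl x509 -hash -noout -in "$1").0"
}

# Convert PEM to DER and back; prints the resulting PEM file name.
der_roundtrip() {     # $1 = PEM cert, $2 = output prefix
    openssl x509 -in "$1" -outform der -out "$2.der"
    openssl x509 -in "$2.der" -inform der -out "$2.pem"
    echo "$2.pem"
}

# SHA-256 fingerprint of a certificate, for comparing two encodings.
cert_fingerprint() {  # $1 = cert file
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Verify a certificate against the hashed directory; exit status 0 = trusted.
verify_cert() {       # $1 = cert file, $2 = CA directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Subject and expiry, the fields one usually reads out of -text.
cert_summary() {      # $1 = cert file
    openssl x509 -in "$1" -noout -subject -enddate
}
```

A certificate chain captured with s_client -showcerts can be pasted into a file and run through the same verify_cert check.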
Testing STARTTLS
Connects to a mail server and starts a TLS session; with -showcerts it shows all the server certificates (the certificate chain).
openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts
Note: only supported in newer versions of openssl (check the man page for the -starttls option).
See also: man s_client