OpenSSL usage tips and examples: Difference between revisions

From ConShell
Line 8: Line 8:
  openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt
  openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt


== Generate a new CSR with a new key ==
openssl req -new -nodes -keyout <newkeyfile>.key -out <commonname>.csr
== Generate a new CSR with an existing key ==
openssl req -new -key <keyfile>.key -out <commonname>.csr


== View certificates details ==
== View certificates details ==
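Review bot: both CSR commands added here write the private key with -nodes, so the new key lands on disk unencrypted, and the "new key" variant passes no -newkey at all, so its key size falls back to the OpenSSL config default rather than the explicit rsa:1024 used by the self-signed command in the context line above; state both beside the commands, e.g. add `-newkey rsa:<bits>` and a sentence on restricting permissions on `<newkeyfile>.key`. Also, the four inserted lines run together while every other section on the page is separated by a blank line and has its command indented; a blank line before each `==` heading and an indent on the two commands keeps them consistent with the rest.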
Line 17: Line 24:


== View the details of a certificate revocation list (CRL) ==
== View the details of a certificate revocation list (CRL) ==
  openssl crl -in filename  -noout -text
  openssl crl -in filename.crl -noout -text


Where filename corresponds to the CRL file, which typically would end in .crl
Where filename corresponds to the CRL file, which typically would end in .crl
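Review bot: the example file name gains a .crl suffix in this hunk, but the explanatory sentence below it is unchanged and still says the file "typically would end in .crl", so a reader with a PEM-encoded CRL saved as .pem, or a DER-encoded one, gets no hint; mention the .pem case and that a binary CRL needs `-inform DER`. Minor: the double space in `-in filename.crl  -noout` survives the edit.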

Revision as of 12:59, 19 September 2008

OpenSSL can be a complicated application, to be sure. This page intends to shed some light on how to accomplish some typical operations, such as viewing a certificate's details or creating an SSL (client) connection to an email server that supports STARTTLS.

Create a self-signed certificate (and key)

openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt

Generate a new CSR with a new key

openssl req -new -nodes -keyout <newkeyfile>.key -out <commonname>.csr

Generate a new CSR with an existing key

openssl req -new -key <keyfile>.key -out <commonname>.csr

View certificate details

openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically ends in .crt, .cert or .pem.

See also: man x509

View the details of a certificate revocation list (CRL)

openssl crl -in filename.crl -noout -text

Where filename corresponds to the CRL file, which typically ends in .crl or .pem.

See also: man crl

Convert DER (binary) to PEM (base-64) format

Converts a DER-format certificate to PEM, which is more widely used by applications such as Apache.

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der

See also: man x509

Generate the hash value from a certificate

Sometimes useful when you want to store multiple CA certificates as separate files in a directory that your application is configured to use as its CA path.

openssl x509 -hash -noout -in certfile.pem

Put another way, here is how to create the hash-named symlink that OpenSSL's CA-path lookup requires, for a CA path of /etc/ssl/certs and a given certificate.

cd /etc/ssl/certs
sudo ln -s certfile.pem `openssl x509 -hash -noout -in certfile.pem`.0

See also: man x509
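The single ln -s line above assumes no two CA files share a hash; the following shell script, added here as an example and not taken from the ConShell page, links every certificate in a directory and allocates the .0, .1, ... suffixes that OpenSSL expects when subject hashes collide. It assumes an openssl binary on PATH and a directory of PEM certificates named *.pem or *.crt.

```shell
#!/bin/sh
# Added example, not from the ConShell page. Builds the <hash>.<n> symlinks that
# OpenSSL's CA-path lookup expects, for all certificates in one directory.
# Assumes: the openssl binary is on PATH; certificates are PEM files named *.pem or *.crt.
set -u

# cert_hash FILE: print the subject-name hash OpenSSL uses to find CA files.
cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

# next_free_suffix DIR HASH: print the lowest N such that DIR/HASH.N does not exist.
# Several CA certificates can share a hash, so a fixed ".0" is not enough.
next_free_suffix() {
    n=0
    while [ -e "$1/$2.$n" ] || [ -L "$1/$2.$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# link_cert DIR FILE: create DIR/<hash>.<n> -> FILE and print the link name.
# If some <hash>.N already points at FILE, print that name instead (re-runs are safe).
link_cert() {
    dir=$1; file=$2
    h=$(cert_hash "$dir/$file") || return 1
    for existing in "$dir/$h".[0-9]*; do
        [ -L "$existing" ] || continue
        if [ "$(readlink "$existing")" = "$file" ]; then
            basename "$existing"
            return 0
        fi
    done
    n=$(next_free_suffix "$dir" "$h")
    ln -s "$file" "$dir/$h.$n" && echo "$h.$n"
}

# rehash_dir DIR: link every *.pem and *.crt file in DIR; unmatched globs are skipped.
rehash_dir() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        link_cert "$1" "$(basename "$f")"
    done
}
```

Run rehash_dir /etc/ssl/certs (with sudo where needed); on OpenSSL 1.0.0 and later -hash yields the newer subject hash, while -subject_hash_old gives the value that applications built against 0.9.x look for.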

Testing STARTTLS

Connects to a mail server and starts a TLS session; with -showcerts it prints every certificate the server sends (the full certificate chain).

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: -starttls is only supported in newer versions of OpenSSL (check the man page for the -starttls option).

See also: man s_client