OpenSSL usage tips and examples: Difference between revisions

From ConShell
Latest revision as of 11:15, 31 March 2016

Introduction

The OpenSSL (http://openssl.org/) toolkit can be a complicated beast for the new user. This tutorial page intends to shed some light on how to accomplish some typical operations, such as viewing an X.509 (also called SSL/TLS) certificate's details or creating an SSL (client) connection to an email server that supports STARTTLS.

Keywords: openssl, tutorial, instructions, cheatsheet, howto, how-to, guide, ssl, tls, encryption, pki, x509, x.509, certificate, key, cert, crt, csr, pem, request, sign, signer, signing, authority, revoke, revocation, crl, ocsp, online, protocol, sha1, md5

Create 2-year self-signed certificate (and key)

openssl req -new -newkey rsa:1024 -days 730 -nodes -x509 -keyout www.example.com.key -out www.example.com.crt

Note: 1024-bit RSA keys are no longer considered adequate; use rsa:2048 or larger for anything but throwaway tests.

Create 2-year self-signed certificate with existing key

openssl req -key www.example.com.key -new -days 730 -nodes -x509 -out www.example.com.crt

Generate a new CSR with a new key

openssl req -new -nodes -keyout <newkeyfile>.key -out <commonname>.csr

Replace <newkeyfile> with the name you want for the new private key and <commonname> with the common name (typically the host name) the certificate is for.

Generate a new CSR with an existing key

openssl req -new -key <keyfile>.key -out <commonname>.csr

View certificates details

openssl x509 -in filename.crt -noout -text

Where filename corresponds to the X.509 certificate file, which typically would end in .crt, .cert or .pem.

See also: man x509

View the details of a certificate revocation list (CRL)

openssl crl -in filename.crl  -noout -text

Where filename corresponds to the CRL file, which typically would end in .crl or .pem.

See also: man crl

Convert DER (binary) to PEM (base-64) format

Converts a DER-format certificate to PEM, which is more widely used by applications such as Apache.

openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der

Note that -text also writes a human-readable dump ahead of the PEM block in exported-pem.crt; drop it if the consuming application expects a bare PEM file.

See also: man x509
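
The conversion above, as an added example that is not part of the original page: it converts PEM to DER and back, then checks the round trip by comparing SHA-256 fingerprints (which hash the DER bytes, so they are the same for either encoding), and detects the encoding from the file header instead of guessing -inform. The self-signed certificate it works on is constructed in a temporary directory.

```shell
# Added example (not from the original page): convert PEM -> DER -> PEM and
# confirm the round trip preserved the certificate. SHA-256 fingerprints are
# hashes of the DER bytes, so they match whatever encoding the file is in.
# A throwaway self-signed certificate is constructed as the input.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=der-pem-demo" \
  -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null

# cert_form FILE : "pem" if the file starts with a PEM header, otherwise "der"
cert_form() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo pem; else echo der; fi
}
# pem_to_der IN OUT / der_to_pem IN OUT : the page's conversion, without -text,
# so the output file holds nothing but the encoded certificate
pem_to_der() { openssl x509 -in "$1" -inform pem -outform der -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform der -outform pem -out "$2"; }
# fingerprint FILE : SHA-256 fingerprint, with -inform chosen by cert_form
fingerprint() {
  openssl x509 -in "$1" -inform "$(cert_form "$1")" -noout -fingerprint -sha256 |
    cut -d= -f2
}
# roundtrip_ok FILE.pem : 0 if PEM -> DER -> PEM yields the same certificate
roundtrip_ok() {
  pem_to_der "$1" "$WORK/rt.der" && der_to_pem "$WORK/rt.der" "$WORK/rt.pem" &&
  [ "$(fingerprint "$1")" = "$(fingerprint "$WORK/rt.der")" ] &&
  [ "$(fingerprint "$1")" = "$(fingerprint "$WORK/rt.pem")" ]
}
# wrong_inform_fails FILE.der : 0 when openssl refuses a DER file read as PEM,
# the usual cause of an "unable to load certificate" error
wrong_inform_fails() { ! openssl x509 -in "$1" -inform pem -noout 2>/dev/null; }
```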

Generate the hash value from a certificate

This is useful when you store multiple CA certificates as separate files in a directory that your application is configured to use as its CA path: OpenSSL locates a CA in such a directory by the hash of its subject name, not by file name.

openssl x509 -hash -noout -in certfile.pem

Put another way, here is how to create the hash-named symlink that OpenSSL looks for when the CA path is /etc/ssl/certs:

cd /etc/ssl/certs
sudo ln -s certfile.pem `openssl x509 -hash -noout -in certfile.pem`.0

The .0 suffix is an index: if two CA certificates share the same subject hash, the second one gets .1, and so on. OpenSSL 1.0.0 and later use the SHA-1-based subject hash shown here; the older MD5-based value is available as -subject_hash_old.

See also: man x509
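
The hashed CA directory described above, as an added example that is not from the original page: it installs a CA into a directory with the <hash>.N link OpenSSL expects, then checks the result with openssl verify -CApath, which succeeds for a certificate issued by that CA and fails for an unrelated self-signed one. The CA, the leaf and the stray certificate are all constructed in a temporary directory; nothing touches /etc/ssl/certs.

```shell
# Added example (not from the original page): build a hashed CA directory the
# way "openssl x509 -hash" + "ln -s" does above, then prove it works with
# "openssl verify -CApath". A throwaway CA, a leaf it signs and an unrelated
# self-signed cert are constructed in a temp directory.
WORK=$(mktemp -d)
CADIR="$WORK/certs"
mkdir -p "$CADIR"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# leaf: CSR with a fresh key, then signed by the demo CA
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
# a self-signed cert that no CA in the directory vouches for
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue.example.test" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# install_ca CERT DIR : copy CERT into DIR and add the <hash>.N symlink OpenSSL
# looks up; N counts up so two CAs with the same subject hash can coexist.
install_ca() {
  h=$(openssl x509 -hash -noout -in "$1")
  n=0
  while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
  cp "$1" "$2/$(basename "$1")"
  ln -s "$(basename "$1")" "$2/$h.$n"
}
# verify_with_capath CERT DIR : 0 if CERT chains to a CA found via DIR's links
verify_with_capath() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

install_ca "$WORK/ca.pem" "$CADIR"
```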

Verify a key & certificate match

Use the -modulus flag of x509 (for the certificate) and rsa (for the key):

$ openssl x509 -noout -modulus -in example.crt | openssl md5
(stdin)= dcdcc62746914ff3fd951e624a0431f8
$ openssl rsa -noout -modulus -in example.key | openssl md5
(stdin)= dcdcc62746914ff3fd951e624a0431f8

If the two hashes match, the cert and key are a valid pair.
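
An added example, not from the original page, that goes beyond the modulus check above: -modulus is RSA-only, so the general test compares the public key embedded in the certificate with the public key derived from the private key, which works for RSA and EC alike. It also keeps the page's modulus method, compared directly instead of via md5. The RSA pair, EC pair and stray key are constructed in a temporary directory.

```shell
# Added example (not from the original page): the modulus check only works
# for RSA. Comparing the public key extracted from the certificate with the
# one derived from the private key works for RSA and EC keys alike.
# Constructed inputs: one RSA pair, one EC pair, plus a stray RSA key.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa-demo" \
  -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key" 2>/dev/null
openssl req -x509 -key "$WORK/ec.key" -days 1 -subj "/CN=ec-demo" \
  -out "$WORK/ec.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/stray.key" 2>/dev/null

# pubkey_of_cert CERT / pubkey_of_key KEY : SubjectPublicKeyInfo in PEM form
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# key_matches_cert KEY CERT : 0 when KEY is the private half of CERT's key
key_matches_cert() {
  [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]
}

# rsa_modulus_matches KEY CERT : the page's method, comparing the moduli
# directly; returns 1 for non-RSA keys because "openssl rsa" rejects them
rsa_modulus_matches() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```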

Testing STARTTLS

Connects to a mail server and starts a TLS session; with -showcerts it prints every certificate the server sends (the full certificate chain), not just the leaf.

openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: -starttls is only supported in newer versions of openssl (check the man page for the -starttls option).

See also: man s_client