OpenSSL - Revision history

Kenneth: /* Show Cert Chain */

2026-02-04T21:21:34Z

Show Cert Chain

← Older revision		Revision as of 21:21, 4 February 2026
Line 158:		Line 158:

	To test out a intermediatry CA certificate:		To test out a intermediatry CA certificate:


			Split into 1.pem, 2.pem, etc

			<pre>
			awk 'BEGIN {c=0}
			/BEGIN CERTIFICATE/ {c++}
			{print > c ".pem"}' chain.pem
			</pre>

			One line:
			<pre>awk 'BEGIN {c=0} /BEGIN CERTIFICATE/ {c++} {print > c ".pem"}' chain.pem</pre>

	curl -v --cacert ca.pem https://test.example.com		curl -v --cacert ca.pem https://test.example.com

Kenneth: /* Show Cert Chain */

2026-02-04T21:15:47Z

Show Cert Chain

← Older revision		Revision as of 21:15, 4 February 2026
Line 154:		Line 154:

	Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server		Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

			---

			To test out a intermediatry CA certificate:

			curl -v --cacert ca.pem https://test.example.com

	==Commands==		==Commands==

Kenneth: /* Show Cert Chain */

2024-11-01T07:56:57Z

Show Cert Chain

← Older revision		Revision as of 07:56, 1 November 2024
Line 150:		Line 150:

	openssl s_client -showcerts -connect www.example.com:443 < /dev/null \| openssl x509 -outform DER > derp.der		openssl s_client -showcerts -connect www.example.com:443 < /dev/null \| openssl x509 -outform DER > derp.der

			To get 5 levels add "-verify 5"

	Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server		Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Kenneth: /* Show Cert Chain */

2024-09-17T05:12:39Z

Show Cert Chain

← Older revision		Revision as of 05:12, 17 September 2024
Line 138:		Line 138:

	== Show Cert Chain ==		== Show Cert Chain ==

			openssl s_client -connect www.example.com:443

	openssl s_client -showcerts -connect www.example.com:443 </dev/null		openssl s_client -showcerts -connect www.example.com:443 </dev/null

Kenneth: /* Entire Trust Chain PEM */

2024-09-07T22:03:48Z

Entire Trust Chain PEM

← Older revision		Revision as of 22:03, 7 September 2024
Line 63:		Line 63:
	== Entire Trust Chain PEM ==		== Entire Trust Chain PEM ==

			Entire CERT chain in one: (PREFERRED) <ref>https://www.digicert.com/ssl-support/pem-ssl-creation.htm</ref>
			# The Primary Certificate - your_domain_name.crt
			# The Intermediate Certificate - DigiCertCA.crt
			# The Root Certificate - TrustedRoot.crt

	# The Private Key - your_domain_name.key		Entire PEM in one, including private key: (you don't usually include the private key)
	# The Primary Certificate - your_domain_name.crt		# The Private Key - your_domain_name.key
	# The Intermediate Certificate - DigiCertCA.crt		# The Primary Certificate - your_domain_name.crt
	# The Root Certificate - TrustedRoot.crt		# The Intermediate Certificate - DigiCertCA.crt
			# The Root Certificate - TrustedRoot.crt

			---

	~~Ref https~~:~~//www.digicert~~.com~~/ssl~~-~~support/pem~~-~~ssl~~-~~creation.htm~~		Note put comments # outside of the ---begin cert--- and ---end cert--- Example:
			<pre>
			# CN = example.com
			----BEGIN CERTIFICATE-----
			xxx
			----END CERTIFICATE-----
			# C = US, ST = DE, L = Wilmington, O = Corporation Service Company, CN = Trusted Secure Certificate Authority DV
			----BEGIN CERTIFICATE-----
			xxx
			----END CERTIFICATE-----
			# C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
			----BEGIN CERTIFICATE-----
			xxx
			----END CERTIFICATE-----
			# C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
			----BEGIN CERTIFICATE-----
			xxx
			----END CERTIFICATE-----
			</pre>

	---		---

	The order does matter, according to RFC 4346.		The order does matter, according to RFC 4346.

	Here is a quote directly taken from the RFC:		Here is a quote directly taken from the RFC:
Line 91:		Line 114:
	</pre>		</pre>

	Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.		Based on this information, the server certificate should come first, followed by any intermediate certs, and finally, the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

	<pre>		<pre>

Kenneth: /* Check SSL Certificate */

2024-02-14T20:33:58Z

Check SSL Certificate

← Older revision		Revision as of 20:33, 14 February 2024
Line 286:		Line 286:

	View a certificates' details		View a certificates' details
	openssl x509 -in filename.crt ~~-noout -text~~		openssl x509 -noout -text -in filename.crt

	Viewing the details of a certificate revocation list (CRL)		Viewing the details of a certificate revocation list (CRL)
	openssl crl ~~-in filename~~ -noout -text		openssl crl -noout -text -in filename

	==Remove Password from Private Key==		==Remove Password from Private Key==

Kenneth: /* Let's Encrypt Free SSL Certificates */

2023-05-26T17:40:47Z

Let's Encrypt Free SSL Certificates

New page

==Summary==

== Multi Domain Certificate Request ==

Multi-Domain Subject Alternative Name (SAN) Certificate

Ref: SAN Certificates: Subject Alternative Name – Multi-Domain (SAN) - https://www.digicert.com/subject-alternative-name.htm

Create private key:
openssl genrsa -des3 -out domain.key 2048

Verify key:
openssl rsa -check -in domain.key

Generate Single Domain CSR:
openssl req -key domain.key -new -out domain.csr

C=US # (Country 2 letters)
ST=Utah # (State)
L=Some City # (Location)
O=Some Organization # (Organization Name)
OU=Some Organization Unit # (Organizational Unit Name)
CN = domain.com # (Common Name - domain name for CSR)
emailAddress=your@email.com # (your email)

Generate CSR with Multiple Domains: (see req.ssl below)
openssl req -key domain.key -new -config req.ssl -out domain.csr

req.ssl: (ref [https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one])
<pre>
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=Utah
L=Some City
O=Some Organization
OU=Some Organization Unit
emailAddress=your@email.com
CN = domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names]
DNS.1 = some.domain.com
DNS.2 = other.domain.com
</pre>

Verify CSR:
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

Be prepared, all CA (Certificate Authority) will request a TXT DNS record or a web page drop to verify domain.

==Generate Custom Self Signed Certificate==
{{Template:makecert.sh}}

== Entire Trust Chain PEM ==

# The Private Key - your_domain_name.key
# The Primary Certificate - your_domain_name.crt
# The Intermediate Certificate - DigiCertCA.crt
# The Root Certificate - TrustedRoot.crt

Ref https://www.digicert.com/ssl-support/pem-ssl-creation.htm

---

The order does matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

<pre>
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority may optionally be omitted from the chain,
under the assumption that the remote end must already possess it
in order to validate it in any case.
</pre>

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

<pre>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</pre>

ref: https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem

== Linux CA Certs ==

<pre>
# curl -v https://ssl.oeey.com:443
...
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
</pre>

Add .crt to /etc/ssl/certs and then run *update-ca-certificates* to rebuild the cert cache.

Ref: https://access.redhat.com/solutions/1549003

== Show Cert Chain ==

openssl s_client -showcerts -connect www.example.com:443 </dev/null

openssl s_client -servername www.example.com -connect www.example.com:443

$ echo | \
openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
openssl x509 -text

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der

Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

==Commands==
*[http://mark.foster.cc/kb/openssl-usage-tips.html OpenSSL Usage tips]
*[http://www.openssl.org/docs/apps/rsa.html OpenSSL RSA]

=== Generate Certificate ===

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

=== One Step Self Signed ===

One step self signed passwordless certificate generation: [http://superuser.com/questions/226192/openssl-without-prompt]
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key -out www.example.com.cert

=== Private Key ===

Generate private key file with file encryption:

openssl genrsa -des3 -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Generate private key file without file encryption:

openssl genrsa -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1A2D111B7CC038F7
...
-----END RSA PRIVATE KEY-----

List private key details (primes and other such nonsense):

# Also indicates if key is encrypted (or you can generally look at the text)
openssl rsa -in $DOMAIN.key -text

=== Certificate Request ===

Questions:
* Enter PEM pass phrase
* Country Name (2 letter code) [AU]
* State or Province Name (full name) [Some-State]
* Locality Name (eg, city) []
* Organization Name (eg, company) [Internet Widgits Pty Ltd]
* Organizational Unit Name (eg, section) []
* Common Name (eg, YOUR name) []
* Email Address []
* extra - A challenge password []
* extra - An optional company name []

Cert Request - also generate key:
openssl req -new -keyout $DOMAIN.key -out $DOMAIN.csr

Cert Request - use existing key:
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

List Certificate Request Details:
openssl req -in $DOMAIN.csr -text

<pre>
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Utah, L=Lindon, O=OEEY, OU=Lab, CN=cert.oeey.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
...
</pre>

=== Certificate ===

View a certificate details:
openssl x509 -in filename.crt -noout -text

=== Other ===

Viewing the details of a certificate revocation list (CRL)
openssl crl -in filename -noout -text

View server's certificate chain
openssl s_client -connect ssl.oeey.com:443 -showcerts < /dev/null

To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout

To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem

=== PKCS7 ===

VMware signature check, copy and paste out of binary VIB

Signature details
openssl pkcs7 -in [SIGFILE] -print_certs -noout
openssl pkcs7 -in [SIGFILE] -print_certs -noout -text

== Conversion ==

'''OpenSSL Convert PEM'''

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

'''OpenSSL Convert DER'''

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

'''OpenSSL Convert P7B'''

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

'''OpenSSL Convert PFX'''

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes'''

If you need to convert a Java Keystore file to a different format, it usually easier to create a new private key and certificates but it is possible to [https://www.sslshopper.com/article-move-your-java-keytool-ssl-certificate-to-openssl.html convert a Java Keystore to PEM format].

Source: SSL Converter - Convert SSL Certificates to different formats - https://www.sslshopper.com/ssl-converter.html

==Check SSL Certificate==
OpenSSL Usage tips [http://mark.foster.cc/kb/openssl-usage-tips.html]

View a certificates' details
openssl x509 -in filename.crt -noout -text

Viewing the details of a certificate revocation list (CRL)
openssl crl -in filename -noout -text

==Remove Password from Private Key==
OpenSSL RSA - [http://www.openssl.org/docs/apps/rsa.html]

To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

Change private key password:
openssl rsa -in $DOMAIN.key.pem -des3 -out $DOMAIN.key.pem.new

To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout

To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem

== Test SSL Connection ==

To check the SSL connection:
openssl s_client -connect 10.0.0.223:465

To test for SSL2 access:
openssl s_client -ssl2 -connect 10.0.0.223:465

To test for SSL3 access:
openssl s_client -ssl3 -connect 10.0.0.223:465

To test for TLS1 access:
openssl s_client -tls1 -connect 10.0.0.223:465

==Encrypting data with openssl==
openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
echo 'too many secrets' > file.txt
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
cat decrypted.txt

Reference: [http://www.devco.net/archives/2006/02/13/public_private_key_encryption_using_openssl.php Private key encryption using OpenSSL]

== Build OpenSSL from Source ==

OpenSSL - http://www.openssl.org/

openssl-0.9.8b.tar.gz is the version used with VMware Workbench 1.0

<pre>
# not sure what dependencies are needed...
yum -y install gcc make

mkdir -p ~/.ssh ; cd ~/.ssh
wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
tar -zvxf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b

./config --prefix=/opt/openssl
make && make test && make install
</pre>

== Create Certificate Authority ==

Create the Root Key:
openssl genrsa -out rootCA.key 2048

Alternative Create Password protected Root Key: (optional)
openssl genrsa -out rootCA.key 2048 -des3

Self-Sign This Certificate:
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt

Also output certificate to DER format (for IE): (optional)
openssl x509 -in rootCA.crt -out rootCA.der.crt -outform DER

Verify:
openssl x509 -noout -text -in rootCA.crt

<pre>
X509v3 Basic Constraints:
CA:TRUE
</pre>

Install Root Certificate Into Browsers:
* IE and Chrome use the default certificate management
** Go to IE, Internet Options, go to the Content tab, then hit the Certificates button. In Chrome going to Options and Under The Hood, and Manage certificates. They both take you to the same place, the Windows certificate repository. You’ll want to install the root CA certificate (not the key) under the Trusted Root Certificate Authorities tab.
* Firefox has its own certificate repository

References:
* Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs) | The Data Center Overlords - http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
* How do I create my own Certificate Authority (CA) | workaround.org - https://workaround.org/certificate-authority

---

Sign new server

Create server key:
openssl genrsa -out device.key 2048

Create certificate signing request:
openssl req -new -key device.key -out device.csr

WARNING: common-name must match the host's domain name. Single level wild card is also valid.
*.oeey.com

Sign certificate with our CA:
openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

Also output certificate to DER format (for IE): (optional)
openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache
cat device.key device.crt > device.pem

---

Sign a multi domain name server: (allow *.oeey.com and oeey.com - silly firefox)

device.cnf:
<pre>
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName=US
stateOrProvinceName = Utah
localityName = Salt Lake City
organizationalUnitName = oeey
organizationName = oeey
commonName = oeey

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = oeey.com
DNS.2 = *.oeey.com
</pre>

If you want by IP too, add the following to alt_names:
IP.1 = 10.10.10.1

Create server key:
openssl genrsa -out device.key 2048

Create certificate signing request:
openssl req -new -key device.key -out device.csr -config device.cnf

Verify csr: (optional)
openssl req -text -noout -in device.csr

<pre>
X509v3 Subject Alternative Name:
DNS:oeey.com, DNS:*.oeey.com
</pre>

Sign certificate with our CA:
openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -extensions v3_req -extfile device.cnf

Also output certificate to DER format (for IE): (optional)
openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache
cat device.key device.crt > device.pem

Rename 'device':
ls device* | awk {'print "mv " $1 " " $1'} | sed 's/device/oeey.com/2' | sh

References:
* Creating an SSL Certificate with Multiple Hostnames - http://apetec.com/support/GenerateSAN-CSR.htm

---

Apache - to configure Apache to set the mime type for the certificates, add:
AddType application/x-x509-ca-cert .der .pem .crt

== Let's Encrypt Free SSL Certificates ==

Let's Encrypt - Free SSL/TLS Certificates

Let’s Encrypt is a free, automated, and open Certificate Authority.

https://letsencrypt.org/

See [[letsencrypt.org]]

== Get SSL Website Expiration Details from Command Line ==

Get expiration details and full detials [https://serverfault.com/questions/661978/displaying-a-remote-ssl-certificate-details-using-cli-tools]
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Get basic ssl details: [https://nickjanetakis.com/blog/using-curl-to-check-an-ssl-certificate-expiration-date-and-details]
curl https://example.com -vI

== See Also ==

* [[SSL Certificates]]
* [[openssl]]
* [[keytool]]
* [[Java Keystore]]

== keywords ==

openssl ssl certificate keystore

[[Category:Linux]]