OpenSSL: Difference between revisions

Summary

Multi Domain Certificate Request

Multi-Domain Subject Alternative Name (SAN) Certificate

Ref: SAN Certificates: Subject Alternative Name – Multi-Domain (SAN) - https://www.digicert.com/subject-alternative-name.htm

Create private key:

openssl genrsa -des3 -out domain.key 2048

Verify key:

openssl rsa -check -in domain.key

Generate Single Domain CSR:

openssl req -key domain.key -new -out domain.csr

C=US  # (Country 2 letters)
ST=Utah  # (State)
L=Some City  # (Location)
O=Some Organization  # (Organization Name)
OU=Some Organization Unit  # (Organizational Unit Name)
CN = domain.com  # (Common Name - domain name for CSR)
emailAddress=your@email.com  # (your email)

Generate CSR with Multiple Domains: (see req.ssl below)

openssl req -key domain.key -new -config req.ssl -out domain.csr

req.ssl: (ref [1])

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=Utah
L=Some City
O=Some Organization
OU=Some Organization Unit
emailAddress=your@email.com
CN = domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names]
DNS.1 = some.domain.com
DNS.2 = other.domain.com

Verify CSR:

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

Be prepared, all CA (Certificate Authority) will request a TXT DNS record or a web page drop to verify domain.

Generate Custom Self Signed Certificate

Linux script to generate custom self signed certificate

makecert.sh:

#!/bin/sh

# ./makecert.sh <domain>
if [ "$1" = "" ] ; then
  echo "Error: Usage: $0 <domain> \"[cert-domain]\""
  exit 1
fi
DOMAIN=$1
if [ "$2" != "" ] ; then
  CERTDOMAIN=$2
else
  CERTDOMAIN=$1
fi
echo "Creating SSL cert for $DOMAIN ($CERTDOMAIN)"

mkdir $1
cd $1
# openssl req -config ../openssl.cnf -new -out $DOMAIN.csr
# openssl req -new -out $DOMAIN.csr
openssl req -new -out $DOMAIN.csr -passout pass:test <<EOF
US
Utah
Salt Lake City
$DOMAIN
$DOMAIN
$CERTDOMAIN



EOF
# openssl rsa -in privkey.pem -out $DOMAIN.key
openssl rsa -in privkey.pem -out $DOMAIN.key -passin pass:test
openssl x509 -in $DOMAIN.csr -out $DOMAIN.cert -req -signkey $DOMAIN.key -days 1825    # 5 years
openssl x509 -in $DOMAIN.cert -out $DOMAIN.der.crt -outform DER    # optional
cat $DOMAIN.key $DOMAIN.cert > $DOMAIN.pem
# FYI, pem for chain would be 'key, cert, chain > pem'

See openssl.cnf

Entire Trust Chain PEM

Entire CERT chain in one: (PREFERRED) ^[1]

1. The Primary Certificate - your_domain_name.crt
2. The Intermediate Certificate - DigiCertCA.crt
3. The Root Certificate - TrustedRoot.crt

Entire PEM in one, including private key: (you don't usually include the private key)

1. The Private Key - your_domain_name.key
2. The Primary Certificate - your_domain_name.crt
3. The Intermediate Certificate - DigiCertCA.crt
4. The Root Certificate - TrustedRoot.crt

---

Note put comments # outside of the ---begin cert--- and ---end cert--- Example:

# CN = example.com
----BEGIN CERTIFICATE-----
xxx
----END CERTIFICATE-----
# C = US, ST = DE, L = Wilmington, O = Corporation Service Company, CN = Trusted Secure Certificate Authority DV
----BEGIN CERTIFICATE-----
xxx
----END CERTIFICATE-----
# C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
----BEGIN CERTIFICATE-----
xxx
----END CERTIFICATE-----
# C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
----BEGIN CERTIFICATE-----
xxx
----END CERTIFICATE-----

---

The order *does* matter, according to RFC 4346.

Here is a quote directly taken from the RFC:

  certificate_list
    This is a sequence (chain) of X.509v3 certificates.  The sender's
    certificate must come first in the list.  Each following
    certificate must directly certify the one preceding it.  Because
    certificate validation requires that root keys be distributed
    independently, the self-signed certificate that specifies the root
    certificate authority may optionally be omitted from the chain,
    under the assumption that the remote end must already possess it
    in order to validate it in any case.

Based on this information, the server certificate should come first, followed by any intermediate certs, and finally, the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.

 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----

ref: https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem

Linux CA Certs

# curl -v https://ssl.oeey.com:443
...
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs

Add .crt to /etc/ssl/certs and then run *update-ca-certificates* to rebuild the cert cache.

Ref: https://access.redhat.com/solutions/1549003

Show Cert Chain

openssl s_client -connect www.example.com:443

openssl s_client -showcerts -connect www.example.com:443 </dev/null

openssl s_client -servername www.example.com -connect www.example.com:443

$ echo | \
   openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \
   openssl x509 -text

openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der

Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server

Commands

• OpenSSL Usage tips
• OpenSSL RSA

Generate Certificate

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

One Step Self Signed

One step self signed passwordless certificate generation: [2]

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key  -out www.example.com.cert

Private Key

Generate private key file with file encryption:

openssl genrsa -des3 -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Generate private key file without file encryption:

openssl genrsa -out $DOMAIN.key 1024

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1A2D111B7CC038F7
...
-----END RSA PRIVATE KEY-----

List private key details (primes and other such nonsense):

# Also indicates if key is encrypted (or you can generally look at the text)
openssl rsa -in $DOMAIN.key -text

Certificate Request

Questions:

• Enter PEM pass phrase
• Country Name (2 letter code) [AU]
• State or Province Name (full name) [Some-State]
• Locality Name (eg, city) []
• Organization Name (eg, company) [Internet Widgits Pty Ltd]
• Organizational Unit Name (eg, section) []
• Common Name (eg, YOUR name) []
• Email Address []
• extra - A challenge password []
• extra - An optional company name []

Cert Request - also generate key:

openssl req -new -keyout $DOMAIN.key -out $DOMAIN.csr

Cert Request - use existing key:

openssl req -new -key $DOMAIN.key -out $DOMAIN.csr

List Certificate Request Details:

openssl req -in $DOMAIN.csr -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Utah, L=Lindon, O=OEEY, OU=Lab, CN=cert.oeey.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
...

Certificate

View a certificate details:

openssl x509 -in filename.crt -noout -text

Other

Viewing the details of a certificate revocation list (CRL)

openssl crl -in filename -noout -text

View server's certificate chain

openssl s_client -connect ssl.oeey.com:443 -showcerts < /dev/null

To remove the pass phrase on an RSA private key:

openssl rsa -in key.pem -out keyout.pem

To encrypt a private key using triple DES:

openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

openssl rsa -in key.pem -text -noout

To just output the public part of a private key:

openssl rsa -in key.pem -pubout -out pubkey.pem

PKCS7

VMware signature check, copy and paste out of binary VIB

Signature details

openssl pkcs7 -in [SIGFILE] -print_certs -noout
openssl pkcs7 -in [SIGFILE] -print_certs -noout -text

Conversion

OpenSSL Convert PEM

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

OpenSSL Convert DER

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

OpenSSL Convert P7B

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

OpenSSL Convert PFX

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

If you need to convert a Java Keystore file to a different format, it usually easier to create a new private key and certificates but it is possible to convert a Java Keystore to PEM format.

Source: SSL Converter - Convert SSL Certificates to different formats - https://www.sslshopper.com/ssl-converter.html

Check SSL Certificate

OpenSSL Usage tips [3]

View a certificates' details

openssl x509 -noout -text -in filename.crt

Viewing the details of a certificate revocation list (CRL)

openssl crl -noout -text -in filename

Remove Password from Private Key

OpenSSL RSA - [4]

To remove the pass phrase on an RSA private key:

openssl rsa -in key.pem -out keyout.pem

Change private key password:

openssl rsa -in $DOMAIN.key.pem -des3 -out $DOMAIN.key.pem.new

To encrypt a private key using triple DES:

openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

openssl rsa -in key.pem -text -noout

To just output the public part of a private key:

openssl rsa -in key.pem -pubout -out pubkey.pem

Test SSL Connection

To check the SSL connection:

openssl s_client -connect 10.0.0.223:465

To test for SSL2 access:

openssl s_client -ssl2 -connect 10.0.0.223:465

To test for SSL3 access:

openssl s_client -ssl3 -connect 10.0.0.223:465

To test for TLS1 access:

openssl s_client -tls1 -connect 10.0.0.223:465

Encrypting data with openssl

openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
echo 'too many secrets' > file.txt
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt
cat decrypted.txt

Reference: Private key encryption using OpenSSL

Build OpenSSL from Source

OpenSSL - http://www.openssl.org/

openssl-0.9.8b.tar.gz is the version used with VMware Workbench 1.0

# not sure what dependencies are needed...
yum -y install gcc make

mkdir -p ~/.ssh ; cd ~/.ssh
wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
tar -zvxf openssl-0.9.8b.tar.gz
cd openssl-0.9.8b

./config --prefix=/opt/openssl
make && make test && make install

Create Certificate Authority

Create the Root Key:

openssl genrsa -out rootCA.key 2048

Alternative Create Password protected Root Key: (optional)

openssl genrsa -out rootCA.key 2048 -des3

Self-Sign This Certificate:

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt

Also output certificate to DER format (for IE): (optional)

openssl x509 -in rootCA.crt -out rootCA.der.crt -outform DER

Verify:

openssl x509 -noout -text -in rootCA.crt

            X509v3 Basic Constraints:
                CA:TRUE

Install Root Certificate Into Browsers:

• IE and Chrome use the default certificate management
  • Go to IE, Internet Options, go to the Content tab, then hit the Certificates button. In Chrome going to Options and Under The Hood, and Manage certificates. They both take you to the same place, the Windows certificate repository. You’ll want to install the root CA certificate (not the key) under the Trusted Root Certificate Authorities tab.
• Firefox has its own certificate repository

References:

• Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs) | The Data Center Overlords - http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
• How do I create my own Certificate Authority (CA) | workaround.org - https://workaround.org/certificate-authority

---

Sign new server

Create server key:

openssl genrsa -out device.key 2048

Create certificate signing request:

openssl req -new -key device.key -out device.csr

WARNING: common-name must match the host's domain name. Single level wild card is also valid.

*.oeey.com

Sign certificate with our CA:

openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500

Also output certificate to DER format (for IE): (optional)

openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache

cat device.key device.crt > device.pem

---

Sign a multi domain name server: (allow *.oeey.com and oeey.com - silly firefox)

device.cnf:

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName=US
stateOrProvinceName = Utah
localityName = Salt Lake City
organizationalUnitName = oeey
organizationName = oeey
commonName = oeey

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = oeey.com
DNS.2 = *.oeey.com

If you want by IP too, add the following to alt_names:

IP.1 = 10.10.10.1

Create server key:

openssl genrsa -out device.key 2048

Create certificate signing request:

openssl req -new -key device.key -out device.csr -config device.cnf

Verify csr: (optional)

openssl req -text -noout -in device.csr

            X509v3 Subject Alternative Name:
                DNS:oeey.com, DNS:*.oeey.com

Sign certificate with our CA:

openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -extensions v3_req -extfile device.cnf

Also output certificate to DER format (for IE): (optional)

openssl x509 -in device.crt -out device.der.crt -outform DER

Create combined pem for apache

cat device.key device.crt > device.pem

Rename 'device':

ls device* | awk {'print "mv " $1 " " $1'} | sed 's/device/oeey.com/2' | sh

References:

• Creating an SSL Certificate with Multiple Hostnames - http://apetec.com/support/GenerateSAN-CSR.htm

---

Apache - to configure Apache to set the mime type for the certificates, add:

AddType application/x-x509-ca-cert .der .pem .crt

Let's Encrypt Free SSL Certificates

Let's Encrypt - Free SSL/TLS Certificates

Let’s Encrypt is a free, automated, and open Certificate Authority.

https://letsencrypt.org/

See letsencrypt.org

Get SSL Website Expiration Details from Command Line

Get expiration details and full detials [5]

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Get basic ssl details: [6]

curl https://example.com -vI

See Also

• SSL Certificates
• openssl
• keytool
• Java Keystore

keywords

openssl ssl certificate keystore