OpenSSL
Summary
Multi Domain Certificate Request
Multi-Domain Subject Alternative Name (SAN) Certificate
Ref: SAN Certificates: Subject Alternative Name – Multi-Domain (SAN) - https://www.digicert.com/subject-alternative-name.htm
Create private key:
openssl genrsa -des3 -out domain.key 2048
Verify key:
openssl rsa -check -in domain.key
Generate Single Domain CSR:
openssl req -key domain.key -new -out domain.csr
C=US # (Country 2 letters) ST=Utah # (State) L=Some City # (Location) O=Some Organization # (Organization Name) OU=Some Organization Unit # (Organizational Unit Name) CN = domain.com # (Common Name - domain name for CSR) emailAddress=your@email.com # (your email)
Generate CSR with Multiple Domains: (see req.ssl below)
openssl req -key domain.key -new -config req.ssl -out domain.csr
req.ssl: (ref [1])
[req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] C=US ST=Utah L=Some City O=Some Organization OU=Some Organization Unit emailAddress=your@email.com CN = domain.com [ req_ext ] subjectAltName = @alt_names [ alt_names] DNS.1 = some.domain.com DNS.2 = other.domain.com
Verify CSR:
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
Be prepared, all CA (Certificate Authority) will request a TXT DNS record or a web page drop to verify domain.
Generate Custom Self Signed Certificate
Linux script to generate custom self signed certificate
makecert.sh:
#!/bin/sh # ./makecert.sh <domain> if [ "$1" = "" ] ; then echo "Error: Usage: $0 <domain> \"[cert-domain]\"" exit 1 fi DOMAIN=$1 if [ "$2" != "" ] ; then CERTDOMAIN=$2 else CERTDOMAIN=$1 fi echo "Creating SSL cert for $DOMAIN ($CERTDOMAIN)" mkdir $1 cd $1 # openssl req -config ../openssl.cnf -new -out $DOMAIN.csr # openssl req -new -out $DOMAIN.csr openssl req -new -out $DOMAIN.csr -passout pass:test <<EOF US Utah Salt Lake City $DOMAIN $DOMAIN $CERTDOMAIN EOF # openssl rsa -in privkey.pem -out $DOMAIN.key openssl rsa -in privkey.pem -out $DOMAIN.key -passin pass:test openssl x509 -in $DOMAIN.csr -out $DOMAIN.cert -req -signkey $DOMAIN.key -days 1825 # 5 years openssl x509 -in $DOMAIN.cert -out $DOMAIN.der.crt -outform DER # optional cat $DOMAIN.key $DOMAIN.cert > $DOMAIN.pem # FYI, pem for chain would be 'key, cert, chain > pem'
See openssl.cnf
Entire Trust Chain PEM
Entire CERT chain in one: (PREFERRED) [1]
- The Primary Certificate - your_domain_name.crt
- The Intermediate Certificate - DigiCertCA.crt
- The Root Certificate - TrustedRoot.crt
Entire PEM in one, including private key: (you don't usually include the private key)
- The Private Key - your_domain_name.key
- The Primary Certificate - your_domain_name.crt
- The Intermediate Certificate - DigiCertCA.crt
- The Root Certificate - TrustedRoot.crt
---
Note put comments # outside of the ---begin cert--- and ---end cert--- Example:
# CN = example.com ----BEGIN CERTIFICATE----- xxx ----END CERTIFICATE----- # C = US, ST = DE, L = Wilmington, O = Corporation Service Company, CN = Trusted Secure Certificate Authority DV ----BEGIN CERTIFICATE----- xxx ----END CERTIFICATE----- # C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority ----BEGIN CERTIFICATE----- xxx ----END CERTIFICATE----- # C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services ----BEGIN CERTIFICATE----- xxx ----END CERTIFICATE-----
---
The order *does* matter, according to RFC 4346.
Here is a quote directly taken from the RFC:
certificate_list This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
Based on this information, the server certificate should come first, followed by any intermediate certs, and finally, the root trusted authority certificate (if self-signed). I could not find any information on the private key, but I think that should not matter because a private key in pem is easy to identify as it starts and ends with the text below, which has the keyword PRIVATE in it.
-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
ref: https://serverfault.com/questions/476576/how-to-combine-various-certificates-into-single-pem
Linux CA Certs
# curl -v https://ssl.oeey.com:443 ... * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs
Add .crt to /etc/ssl/certs and then run *update-ca-certificates* to rebuild the cert cache.
Ref: https://access.redhat.com/solutions/1549003
Show Cert Chain
openssl s_client -connect www.example.com:443
openssl s_client -showcerts -connect www.example.com:443 </dev/null
openssl s_client -servername www.example.com -connect www.example.com:443
$ echo | \ openssl s_client -servername www.example.com -connect www.example.com:443 2>/dev/null | \ openssl x509 -text
openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -outform DER > derp.der
Ref: linux - Using openssl to get the certificate from a server - Stack Overflow - https://stackoverflow.com/questions/7885785/using-openssl-to-get-the-certificate-from-a-server
Commands
Generate Certificate
openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
One Step Self Signed
One step self signed passwordless certificate generation: [2]
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -keyout www.example.com.key -out www.example.com.cert
Private Key
Generate private key file with file encryption:
openssl genrsa -des3 -out $DOMAIN.key 1024
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Generate private key file without file encryption:
openssl genrsa -out $DOMAIN.key 1024
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,1A2D111B7CC038F7 ... -----END RSA PRIVATE KEY-----
List private key details (primes and other such nonsense):
# Also indicates if key is encrypted (or you can generally look at the text) openssl rsa -in $DOMAIN.key -text
Certificate Request
Questions:
- Enter PEM pass phrase
- Country Name (2 letter code) [AU]
- State or Province Name (full name) [Some-State]
- Locality Name (eg, city) []
- Organization Name (eg, company) [Internet Widgits Pty Ltd]
- Organizational Unit Name (eg, section) []
- Common Name (eg, YOUR name) []
- Email Address []
- extra - A challenge password []
- extra - An optional company name []
Cert Request - also generate key:
openssl req -new -keyout $DOMAIN.key -out $DOMAIN.csr
Cert Request - use existing key:
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr
List Certificate Request Details:
openssl req -in $DOMAIN.csr -text
Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=Utah, L=Lindon, O=OEEY, OU=Lab, CN=cert.oeey.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) ...
Certificate
View a certificate details:
openssl x509 -in filename.crt -noout -text
Other
Viewing the details of a certificate revocation list (CRL)
openssl crl -in filename -noout -text
View server's certificate chain
openssl s_client -connect ssl.oeey.com:443 -showcerts < /dev/null
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout
To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
PKCS7
VMware signature check, copy and paste out of binary VIB
Signature details
openssl pkcs7 -in [SIGFILE] -print_certs -noout openssl pkcs7 -in [SIGFILE] -print_certs -noout -text
Conversion
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
OpenSSL Convert DER
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
OpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
OpenSSL Convert PFX
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
If you need to convert a Java Keystore file to a different format, it usually easier to create a new private key and certificates but it is possible to convert a Java Keystore to PEM format.
Source: SSL Converter - Convert SSL Certificates to different formats - https://www.sslshopper.com/ssl-converter.html
Check SSL Certificate
OpenSSL Usage tips [3]
View a certificates' details
openssl x509 -noout -text -in filename.crt
Viewing the details of a certificate revocation list (CRL)
openssl crl -noout -text -in filename
Remove Password from Private Key
OpenSSL RSA - [4]
To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem
Change private key password:
openssl rsa -in $DOMAIN.key.pem -des3 -out $DOMAIN.key.pem.new
To encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem
To convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der
To print out the components of a private key to standard output:
openssl rsa -in key.pem -text -noout
To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
Test SSL Connection
To check the SSL connection:
openssl s_client -connect 10.0.0.223:465
To test for SSL2 access:
openssl s_client -ssl2 -connect 10.0.0.223:465
To test for SSL3 access:
openssl s_client -ssl3 -connect 10.0.0.223:465
To test for TLS1 access:
openssl s_client -tls1 -connect 10.0.0.223:465
Encrypting data with openssl
openssl genrsa -out private.pem 1024 openssl rsa -in private.pem -out public.pem -outform PEM -pubout echo 'too many secrets' > file.txt openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt cat decrypted.txt
Reference: Private key encryption using OpenSSL
Build OpenSSL from Source
OpenSSL - http://www.openssl.org/
openssl-0.9.8b.tar.gz is the version used with VMware Workbench 1.0
# not sure what dependencies are needed... yum -y install gcc make mkdir -p ~/.ssh ; cd ~/.ssh wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz tar -zvxf openssl-0.9.8b.tar.gz cd openssl-0.9.8b ./config --prefix=/opt/openssl make && make test && make install
Create Certificate Authority
Create the Root Key:
openssl genrsa -out rootCA.key 2048
Alternative Create Password protected Root Key: (optional)
openssl genrsa -out rootCA.key 2048 -des3
Self-Sign This Certificate:
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.crt
Also output certificate to DER format (for IE): (optional)
openssl x509 -in rootCA.crt -out rootCA.der.crt -outform DER
Verify:
openssl x509 -noout -text -in rootCA.crt
X509v3 Basic Constraints: CA:TRUE
Install Root Certificate Into Browsers:
- IE and Chrome use the default certificate management
- Go to IE, Internet Options, go to the Content tab, then hit the Certificates button. In Chrome going to Options and Under The Hood, and Manage certificates. They both take you to the same place, the Windows certificate repository. You’ll want to install the root CA certificate (not the key) under the Trusted Root Certificate Authorities tab.
- Firefox has its own certificate repository
References:
- Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs) | The Data Center Overlords - http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
- How do I create my own Certificate Authority (CA) | workaround.org - https://workaround.org/certificate-authority
---
Sign new server
Create server key:
openssl genrsa -out device.key 2048
Create certificate signing request:
openssl req -new -key device.key -out device.csr
WARNING: common-name must match the host's domain name. Single level wild card is also valid.
*.oeey.com
Sign certificate with our CA:
openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500
Also output certificate to DER format (for IE): (optional)
openssl x509 -in device.crt -out device.der.crt -outform DER
Create combined pem for apache
cat device.key device.crt > device.pem
---
Sign a multi domain name server: (allow *.oeey.com and oeey.com - silly firefox)
device.cnf:
[ req ] prompt = no distinguished_name = req_distinguished_name req_extensions = v3_req [req_distinguished_name] countryName=US stateOrProvinceName = Utah localityName = Salt Lake City organizationalUnitName = oeey organizationName = oeey commonName = oeey [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = oeey.com DNS.2 = *.oeey.com
If you want by IP too, add the following to alt_names:
IP.1 = 10.10.10.1
Create server key:
openssl genrsa -out device.key 2048
Create certificate signing request:
openssl req -new -key device.key -out device.csr -config device.cnf
Verify csr: (optional)
openssl req -text -noout -in device.csr
X509v3 Subject Alternative Name: DNS:oeey.com, DNS:*.oeey.com
Sign certificate with our CA:
openssl x509 -req -in device.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -extensions v3_req -extfile device.cnf
Also output certificate to DER format (for IE): (optional)
openssl x509 -in device.crt -out device.der.crt -outform DER
Create combined pem for apache
cat device.key device.crt > device.pem
Rename 'device':
ls device* | awk {'print "mv " $1 " " $1'} | sed 's/device/oeey.com/2' | sh
References:
- Creating an SSL Certificate with Multiple Hostnames - http://apetec.com/support/GenerateSAN-CSR.htm
---
Apache - to configure Apache to set the mime type for the certificates, add:
AddType application/x-x509-ca-cert .der .pem .crt
Let's Encrypt Free SSL Certificates
Let's Encrypt - Free SSL/TLS Certificates
Let’s Encrypt is a free, automated, and open Certificate Authority.
https://letsencrypt.org/
See letsencrypt.org
Get SSL Website Expiration Details from Command Line
Get expiration details and full detials [5]
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
Get basic ssl details: [6]
curl https://example.com -vI
See Also
keywords
openssl ssl certificate keystore