Difference between revisions of "Openssl"
m |
m |
||
| Line 34: | Line 34: | ||
If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not. | If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not. | ||
| Line 58: | Line 53: | ||
=Converting certificates from one format to another= | |||
We can use openssl to convert from one certificate type to another. There are following types of certificates: | |||
;PEM Format (.PEM, .CRT, .CER, .KEY): Used in Linux has --BEGIN CERTIFICATE--, ---END CERTIFICATE--- and is in ASCII format | |||
;DER Format (.DER, .CER): Similar to PEM certificate but in binary format | |||
;PKCS#7 or P7B Format (.P7B, .P7C): Base 64 or ASCII format | |||
;PKCS#12 or PFX Format (.PFX, .P12): Stores CA, intermediate, certificate and key in one binary encrypted format. Used often on Windows to export and import certificates. | |||
==Convert PEM to DER== | |||
<pre> | |||
openssl x509 -outform der -in certificate.pem -out certificate.der | |||
</pre> | |||
==Convert PEM to P7B== | |||
<pre> | |||
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer | |||
</pre> | |||
==Convert PEM to PFX== | |||
<pre> | |||
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt | |||
</pre> | |||
Refer: | |||
* https://support.ssl.com/index.php?/Knowledgebase/Article/View/19 | |||
* https://www.sslshopper.com/ssl-converter.html | |||
<yambe:breadcrumb>Security tools</yambe:breadcrumb> | <yambe:breadcrumb>Security tools</yambe:breadcrumb> | ||
Revision as of 04:44, 6 November 2017
<yambe:breadcrumb>Security tools</yambe:breadcrumb>
openssl
Creating self-signed pem certificates for HTTPS
We can create self-signed pem ceritifcates using openssl for HTTPS, SMTPS, etc. using:
openssl req -x509 -nodes -days 9999 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
The life of certificate is set to 9999 so that it never expires.
For information on getting certificates signed by CA use Getting certificates signed by recognized CA
Creating certificate request with OpenSSL
To create certificate request with OpenSSL we can use:
openssl genrsa -des3 -out client1.key 2048 openssl req -new -key client1.key -days 365 -out client1.csr
Remember the password supplied while generating key, as that password would be asked whenever we try to generate a new request with the key. Challenge password asked at the end when we create a new certificate request can be left blank.
Checking whether a given certificate and key pair match
To check whether a given key and certificate pair match one can use:
openssl rsa -noout -modulus -in <key-file> | openssl md5 openssl x509 -noout -modulus -in <certificate-file> | openssl md5
If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not.
Download server certificate directly from server
To download SSL/TLS certificate from any server use:
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line
In case of a normal port with STARTTLS use something similar to:
openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts
Apart from smtp we can use imap, pop3, ftp or xmpp at the time of this writing.
Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
Converting certificates from one format to another
We can use openssl to convert from one certificate type to another. There are following types of certificates:
- PEM Format (.PEM, .CRT, .CER, .KEY)
- Used in Linux has --BEGIN CERTIFICATE--, ---END CERTIFICATE--- and is in ASCII format
- DER Format (.DER, .CER)
- Similar to PEM certificate but in binary format
- PKCS#7 or P7B Format (.P7B, .P7C)
- Base 64 or ASCII format
- PKCS#12 or PFX Format (.PFX, .P12)
- Stores CA, intermediate, certificate and key in one binary encrypted format. Used often on Windows to export and import certificates.
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Refer:
- https://support.ssl.com/index.php?/Knowledgebase/Article/View/19
- https://www.sslshopper.com/ssl-converter.html
<yambe:breadcrumb>Security tools</yambe:breadcrumb>
