Difference between revisions of "Openssl"

From Notes_Wiki
m
m
Line 150: Line 150:




=Validate certificate chain=
Ideally certificate is signed by CA or by an intermediatory.  In chain file we should have our certificate, then intermediary and then finally root CA.
To validate certificate chain with only CA and certificate use:
<pre>
openssl verify -CAfile <ca.pem> <cert.pem>
</pre>
To validate certificate chain with CA, intermediate and certificate use:
<pre>
openssl verify -CAfile <ca.pem> -untrusted <intermediate.cert.pem>  <cert.pem>
</pre>
If the entire chain is in a single pem file then validate using:
<pre>
openssl crl2pkcs7 -nocrl -certfile <chain.pem> | openssl pkcs7 -print_certs -noout
</pre>
The above should output first server certificate details, then intermediary (if present) and finally root issuer certificate.
Refer:
* https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce






<yambe:breadcrumb self="Openssl">Security tools|Security tools</yambe:breadcrumb>
<yambe:breadcrumb self="Openssl">Security tools|Security tools</yambe:breadcrumb>

Revision as of 21:19, 17 June 2021

<yambe:breadcrumb self="Openssl">Security tools|Security tools</yambe:breadcrumb>

openssl

Creating self-signed pem certificates for HTTPS

We can create self-signed pem ceritifcates using openssl for HTTPS, SMTPS, etc. using:

openssl req -x509 -nodes -days 9999 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

The life of certificate is set to 9999 so that it never expires.

The above command leads to various prompts. If prompts are not desired use format:

openssl req -new -newkey rsa:2048 -days 9999 -nodes -x509 -subj '/C=IN/ST=Telangana/L=Hyderabad/O=Rekall Software/CN=myserver.example.com' -keyout mycert.pem  -out mycert.pem

For information on getting certificates signed by CA use Getting certificates signed by recognized CA


Creating certificate request with OpenSSL

To create certificate request with OpenSSL we can use:

openssl genrsa -des3 -out client1.key 2048
openssl req -new -key client1.key -days 365 -out client1.csr

Remember the password supplied while generating key, as that password would be asked whenever we try to generate a new request with the key. Challenge password asked at the end when we create a new certificate request can be left blank.


Checking whether a given certificate and key pair match

To check whether a given key and certificate pair match one can use:

openssl rsa -noout -modulus -in <key-file> | openssl md5
openssl x509 -noout -modulus -in <certificate-file> | openssl md5

If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not.


Download server certificate directly from server

To download SSL/TLS certificate from any server use:

  openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line

In case of a normal port with STARTTLS use something similar to:

   openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts

Apart from smtp we can use imap, pop3, ftp or xmpp at the time of this writing.


Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file


Converting certificates from one format to another

We can use openssl to convert from one certificate type to another. There are following types of certificates:

PEM Format (.PEM, .CRT, .CER, .KEY)
Used in Linux has --BEGIN CERTIFICATE--, ---END CERTIFICATE--- and is in ASCII format
DER Format (.DER, .CER)
Similar to PEM certificate but in binary format
PKCS#7 or P7B Format (.P7B, .P7C)
Base 64 or ASCII format
PKCS#12 or PFX Format (.PFX, .P12)
Stores CA, intermediate, certificate and key in one binary encrypted format. Used often on Windows to export and import certificates.


Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der


Convert PEM to P7B

 openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer


Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem


Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer


Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer


Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes


Refer:


Viewing certificates

View PEM encoded certificate

To view encoded certificate use:

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get following error:

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

then that indicates that you are trying to open DER encoded certificate.


View DER encoded certificate

openssl x509 -in certificate.der -inform der -text -noout

If you get following error:

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

then that indicates that you are trying to open PEM encoded certificate.


Validate certificate chain

Ideally certificate is signed by CA or by an intermediatory. In chain file we should have our certificate, then intermediary and then finally root CA.

To validate certificate chain with only CA and certificate use:

openssl verify -CAfile <ca.pem> <cert.pem>

To validate certificate chain with CA, intermediate and certificate use:

openssl verify -CAfile <ca.pem> -untrusted <intermediate.cert.pem>  <cert.pem>

If the entire chain is in a single pem file then validate using:

openssl crl2pkcs7 -nocrl -certfile <chain.pem> | openssl pkcs7 -print_certs -noout

The above should output first server certificate details, then intermediary (if present) and finally root issuer certificate.

Refer:


<yambe:breadcrumb self="Openssl">Security tools|Security tools</yambe:breadcrumb>