Difference between revisions of "Openssl"

From Notes_Wiki
m
m
Line 47: Line 47:
</pre>
</pre>
The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line
The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line
In case of a normal port with STARTTLS use something similar to:
<pre>
  openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts
</pre>
Apart from smtp we can use imap, pop3, ftp or xmpp at the time of this writing.


Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file
Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file

Revision as of 06:06, 28 August 2015

<yambe:breadcrumb>Security tools</yambe:breadcrumb>

openssl

Creating self-signed pem certificates for HTTPS

We can create self-signed pem ceritifcates using openssl for HTTPS, SMTPS, etc. using:

openssl req -x509 -nodes -days 9999 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

The life of certificate is set to 9999 so that it never expires.

For information on getting certificates signed by CA use Getting certificates signed by recognized CA


Creating certificate request with OpenSSL

To create certificate request with OpenSSL we can use:

openssl genrsa -des3 -out client1.key 2048
openssl req -new -key client1.key -days 365 -out client1.csr

Remember the password supplied while generating key, as that password would be asked whenever we try to generate a new request with the key. Challenge password asked at the end when we create a new certificate request can be left blank.


Checking whether a given certificate and key pair match

To check whether a given key and certificate pair match one can use:

openssl rsa -noout -modulus -in <key-file> | openssl md5
openssl x509 -noout -modulus -in <certificate-file> | openssl md5

If both the commands result into exactly same output then the certificate and key pair match, otherwise there is a problem. Note that as per http://stackoverflow.com/questions/4658484/ssl-install-problem-key-value-mismatch-but-they-do-match just matching of modulus is not enough. Not sure if it is really so or not.


Converting certificates from one format to another

A very useful article on checking certificate type and on converting them is available at https://support.ssl.com/index.php?/Knowledgebase/Article/View/19 The article highlights difference between DER, CRT, CER and PEM certificate types.


Download server certificate directly from server

To download SSL/TLS certificate from any server use:

  openssl s_client -connect {HOSTNAME}:{PORT} -showcerts

The certificate would be between BEGIN_CERTIFICATE and END_CERTIFICATE line

In case of a normal port with STARTTLS use something similar to:

   openssl s_client -starttls smtp -connect {HOSTNAME}:{PORT} -showcerts

Apart from smtp we can use imap, pop3, ftp or xmpp at the time of this writing.


Learned from http://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file



<yambe:breadcrumb>Security tools</yambe:breadcrumb>