OpenSSL
From Debuntu
Work in Progress
This page is a work in progress and might contain errors or inconsistency. Comment are most appreciated.
This page is a work in progress and might contain errors or inconsistency. Comment are most appreciated.
OpenSSL provides SSL utilities for Linux/Unices. It is mainly used to create certificates but also can be used to analyse and test them.
Contents |
openssl commands
Generate a self-signed certificate
$ openssl req \ -x509 -nodes -days 365 \ -newkey rsa:1024 -keyout mycert.pem -out mycert.pem Generating a 1024 bit RSA private key ..........++++++ .++++++ writing new private key to 'mycert.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Certificate Co Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:example.com Email Address []:email@example.com
the resulting certificate will be:
-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQCx7hdXdl1DumG+q+37j9MDVSbbi1FMcR3yPKjL12Jk+V+jg2cD UXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEfbf6vfxQ6dFdbeWH5AD7lK+74 4s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9WyfwmU/D+B/2445K+lQIDAQAB AoGATLHdG9UoZF49bau8XBflk+UrZ6zIsVN83gJpm9vOTMn1AI1OZO7DJKNgCbMN JnkAZ73ySwn+Rj2FnloR+jg0JilhSn4twMxAg5Jjxz6blTn22HjZ2AsxQ1SybKAv l/jgYImxELH0e/zQl88gFiEq+UjqXrXuL/m19EXFm18I6W0CQQDs4O55wU5RLcmX OHCqjDrYOdwR1WyXgLvCGbt8iIDjNGyrMoa4XiI2IJ8GT8ihw23izMi2EwFMSY1G 7ZfIGUlzAkEAwEr+eRTRLgiEP7JrAiNTjUo0Mh76LtGuN6u3C5+u5RxRfX9CeqoY moHB/V9jMy+YqFgezvvp2FvVh2/oOgn11wJBAK31bgzqYlqJlq9AWrVU8G4U58IN C4ejmb+s6BxHnue8e0WqgHdrYhKAGGkpNH1fqRZTL99Oy7g7l84L9FiWAXMCQQC5 qK7B4SOGOprVlUJUMh99j2ON8PLFOZXoElcNVgPbGdhkPvbE0G4o35eZNvvkc9QE 1fAJEJjbWO91cMrbHrrJAkEAg72bBjVGZBwuLdH/s2QYfFlu4tbhtd3GwOfKvKau cUX3hu8Q7iHnm8Tlyu3o/nnfYUy5k6zU36zfm42owwxYAQ== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIDVTCCAr6gAwIBAgIJAPkWIaPpL3C1MA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMR8wHQYDVQQKExZFeGFtcGxlIENl cnRpZmljYXRlIENvMRQwEgYDVQQDEwtleGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ ARYRZW1haWxAZXhhbXBsZS5jb20wHhcNMDkwMTE5MjAwNzA2WhcNMTAwMTE5MjAw NzA2WjB7MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UE ChMWRXhhbXBsZSBDZXJ0aWZpY2F0ZSBDbzEUMBIGA1UEAxMLZXhhbXBsZS5jb20x IDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCx7hdXdl1DumG+q+37j9MDVSbbi1FMcR3yPKjL12Jk+V+j g2cDUXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEfbf6vfxQ6dFdbeWH5AD7l K+744s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9WyfwmU/D+B/2445K+lQID AQABo4HgMIHdMB0GA1UdDgQWBBQjsAg2E2/SYrvwr2myjQvvxBZWOjCBrQYDVR0j BIGlMIGigBQjsAg2E2/SYrvwr2myjQvvxBZWOqF/pH0wezELMAkGA1UEBhMCQVUx EzARBgNVBAgTClNvbWUtU3RhdGUxHzAdBgNVBAoTFkV4YW1wbGUgQ2VydGlmaWNh dGUgQ28xFDASBgNVBAMTC2V4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFlbWFp bEBleGFtcGxlLmNvbYIJAPkWIaPpL3C1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN AQEFBQADgYEAfAvRq43TdphZG3Gksu55MoB3JVhHxPiMuUuHLRByoVssqP+5pWI9 mpmoeSSgmRjyjvfrLReFBFiDACaAApydmTUtcXgwHVFj8U89CPu0Zk5J2N3EM/3W OaJsNFGS1EFAUQq3wl6VwO+OklPSUUI9SgVnW5topIuI7nmCsViT/Hw= -----END CERTIFICATE-----
Containing both the private key and the certificate.
Verifying a certificate integrity
You can verify a certificate integrity by using the following command:
openssl s_server -cert mycert.pem -www
If the service start with no complains, then you have a correct certificate.
Retrieving certificate informations
Retrieve a remote certificate
openssl s_client -connect <remote_host>:<remote_port> 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Where you need to replace <remote_host> amd <remote_port>
Extract certificate from .pem file
The .pem file that you have on your server .pem also contains the private key, see #Generate_a_self-signed_certificate Running:
$ openssl x509 -in /path/to/mycert.pem
will extract the part of the certificate that can be given to the users.
Extract specific information from certificate
The previous example only gave us the certificate, but one can get the individual information, or all of them, in a human readable format.
reference: man 1 x509 section OPTIONS > DISPLAY OPTIONS .
Removing the -noout from the following example will also dump the certificate as in #Extract_certificate_from_.pem_file So, here are some examples:
Extracting the issuer
$ openssl x509 -noout -issuer -in mycert.pem issuer= /C=AU/ST=Some-State/O=Example Certificate Co/CN=example.com/emailAddress=email@example.com
Extracting start and end date
This example also show how to extract multiple informations at the same time, here -startdate and -enddate:
$ openssl x509 -noout -startdate -enddate -in mycert.pem notBefore=Jan 19 20:07:06 2009 GMT notAfter=Jan 19 20:07:06 2010 GMT
Extracting the email
$ openssl x509 -noout -email -in mycert.pem email@example.com
Extracting the public key
$ openssl x509 -noout -pubkey -in mycert.pem -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx7hdXdl1DumG+q+37j9MDVSbb i1FMcR3yPKjL12Jk+V+jg2cDUXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEf bf6vfxQ6dFdbeWH5AD7lK+744s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9W yfwmU/D+B/2445K+lQIDAQAB -----END PUBLIC KEY-----
Extracting all information in text form
$ openssl x509 -noout -text -in mycert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f9:16:21:a3:e9:2f:70:b5
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Example Certificate Co, CN=example.com/emailAddress=email@example.com
Validity
Not Before: Jan 19 20:07:06 2009 GMT
Not After : Jan 19 20:07:06 2010 GMT
Subject: C=AU, ST=Some-State, O=Example Certificate Co, CN=example.com/emailAddress=email@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b1:ee:17:57:76:5d:43:ba:61:be:ab:ed:fb:8f:
d3:03:55:26:db:8b:51:4c:71:1d:f2:3c:a8:cb:d7:
62:64:f9:5f:a3:83:67:03:51:76:1f:08:ad:c0:64:
8b:64:38:93:1a:ff:eb:33:b3:ec:d3:8c:38:1c:c7:
68:bc:39:95:c3:8a:91:1f:6d:fe:af:7f:14:3a:74:
57:5b:79:61:f9:00:3e:e5:2b:ee:f8:e2:ce:b2:da:
a3:e2:38:85:0e:e6:57:84:1d:a2:89:a3:04:26:b5:
61:58:3f:a5:f9:ae:fd:08:ce:df:56:c9:fc:26:53:
f0:fe:07:fd:b8:e3:92:be:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
23:B0:08:36:13:6F:D2:62:BB:F0:AF:69:B2:8D:0B:EF:C4:16:56:3A
X509v3 Authority Key Identifier:
keyid:23:B0:08:36:13:6F:D2:62:BB:F0:AF:69:B2:8D:0B:EF:C4:16:56:3A
DirName:/C=AU/ST=Some-State/O=Example Certificate Co/CN=example.com/emailAddress=email@example.com
serial:F9:16:21:A3:E9:2F:70:B5
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
7c:0b:d1:ab:8d:d3:76:98:59:1b:71:a4:b2:ee:79:32:80:77:
25:58:47:c4:f8:8c:b9:4b:87:2d:10:72:a1:5b:2c:a8:ff:b9:
a5:62:3d:9a:99:a8:79:24:a0:99:18:f2:8e:f7:eb:2d:17:85:
04:58:83:00:26:80:02:9c:9d:99:35:2d:71:78:30:1d:51:63:
f1:4f:3d:08:fb:b4:66:4e:49:d8:dd:c4:33:fd:d6:39:a2:6c:
34:51:92:d4:41:40:51:0a:b7:c2:5e:95:c0:ef:8e:92:53:d2:
51:42:3d:4a:05:67:5b:9b:68:a4:8b:88:ee:79:82:b1:58:93:
fc:7c
Certificate Revocation List (CRL)
Create a CRL
openssl ca -gencrl -out crl.pem -config openssl.cnf
Display a CRL
openssl crl -text -noout -in crl.pem
Revoke certificate
openssl ca -revoke client.crt -config openssl.cnf
and regenerate the crl.pem
openssl ca -gencrl -out crl.pem -config openssl.cnf
Finally confirm the certificate is revoked:
$ cat carl.pem ca.crt > revoke-test.pem $ openssl verify -CAfile revoke-test.pem -crl_check client.crt client.crt: /C=XX/ST=XX/O=XXXX/CN=XXXXXXX/emailAddress=XXX@XXXX error 23 at 0 depth lookup:certificate revoked
