OpenSSL

From Debuntu

Jump to: navigation, search
WorkInProgress.png
Work in Progress
This page is a work in progress and might contain errors or inconsistency. Comment are most appreciated.

OpenSSL provides SSL utilities for Linux/Unices. It is mainly used to create certificates but also can be used to analyse and test them.

Contents

openssl commands

Generate a self-signed certificate

$ openssl req \
  -x509 -nodes -days 365 \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Generating a 1024 bit RSA private key
..........++++++
.++++++
writing new private key to 'mycert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Certificate Co
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:example.com
Email Address []:email@example.com

the resulting certificate will be:

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCx7hdXdl1DumG+q+37j9MDVSbbi1FMcR3yPKjL12Jk+V+jg2cD
UXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEfbf6vfxQ6dFdbeWH5AD7lK+74
4s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9WyfwmU/D+B/2445K+lQIDAQAB
AoGATLHdG9UoZF49bau8XBflk+UrZ6zIsVN83gJpm9vOTMn1AI1OZO7DJKNgCbMN
JnkAZ73ySwn+Rj2FnloR+jg0JilhSn4twMxAg5Jjxz6blTn22HjZ2AsxQ1SybKAv
l/jgYImxELH0e/zQl88gFiEq+UjqXrXuL/m19EXFm18I6W0CQQDs4O55wU5RLcmX
OHCqjDrYOdwR1WyXgLvCGbt8iIDjNGyrMoa4XiI2IJ8GT8ihw23izMi2EwFMSY1G
7ZfIGUlzAkEAwEr+eRTRLgiEP7JrAiNTjUo0Mh76LtGuN6u3C5+u5RxRfX9CeqoY
moHB/V9jMy+YqFgezvvp2FvVh2/oOgn11wJBAK31bgzqYlqJlq9AWrVU8G4U58IN
C4ejmb+s6BxHnue8e0WqgHdrYhKAGGkpNH1fqRZTL99Oy7g7l84L9FiWAXMCQQC5
qK7B4SOGOprVlUJUMh99j2ON8PLFOZXoElcNVgPbGdhkPvbE0G4o35eZNvvkc9QE
1fAJEJjbWO91cMrbHrrJAkEAg72bBjVGZBwuLdH/s2QYfFlu4tbhtd3GwOfKvKau
cUX3hu8Q7iHnm8Tlyu3o/nnfYUy5k6zU36zfm42owwxYAQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVTCCAr6gAwIBAgIJAPkWIaPpL3C1MA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMR8wHQYDVQQKExZFeGFtcGxlIENl
cnRpZmljYXRlIENvMRQwEgYDVQQDEwtleGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ
ARYRZW1haWxAZXhhbXBsZS5jb20wHhcNMDkwMTE5MjAwNzA2WhcNMTAwMTE5MjAw
NzA2WjB7MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEfMB0GA1UE
ChMWRXhhbXBsZSBDZXJ0aWZpY2F0ZSBDbzEUMBIGA1UEAxMLZXhhbXBsZS5jb20x
IDAeBgkqhkiG9w0BCQEWEWVtYWlsQGV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCx7hdXdl1DumG+q+37j9MDVSbbi1FMcR3yPKjL12Jk+V+j
g2cDUXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEfbf6vfxQ6dFdbeWH5AD7l
K+744s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9WyfwmU/D+B/2445K+lQID
AQABo4HgMIHdMB0GA1UdDgQWBBQjsAg2E2/SYrvwr2myjQvvxBZWOjCBrQYDVR0j
BIGlMIGigBQjsAg2E2/SYrvwr2myjQvvxBZWOqF/pH0wezELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxHzAdBgNVBAoTFkV4YW1wbGUgQ2VydGlmaWNh
dGUgQ28xFDASBgNVBAMTC2V4YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFlbWFp
bEBleGFtcGxlLmNvbYIJAPkWIaPpL3C1MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
AQEFBQADgYEAfAvRq43TdphZG3Gksu55MoB3JVhHxPiMuUuHLRByoVssqP+5pWI9
mpmoeSSgmRjyjvfrLReFBFiDACaAApydmTUtcXgwHVFj8U89CPu0Zk5J2N3EM/3W
OaJsNFGS1EFAUQq3wl6VwO+OklPSUUI9SgVnW5topIuI7nmCsViT/Hw=
-----END CERTIFICATE-----

Containing both the private key and the certificate.

Verifying a certificate integrity

You can verify a certificate integrity by using the following command:

openssl s_server -cert mycert.pem -www

If the service start with no complains, then you have a correct certificate.

Retrieving certificate informations

Retrieve a remote certificate

openssl s_client -connect <remote_host>:<remote_port> 2>&1 |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Where you need to replace <remote_host> amd <remote_port>

Extract certificate from .pem file

The .pem file that you have on your server .pem also contains the private key, see #Generate_a_self-signed_certificate Running:

$ openssl x509 -in /path/to/mycert.pem

will extract the part of the certificate that can be given to the users.

Extract specific information from certificate

The previous example only gave us the certificate, but one can get the individual information, or all of them, in a human readable format.

reference: man 1 x509 section OPTIONS > DISPLAY OPTIONS .

Removing the -noout from the following example will also dump the certificate as in #Extract_certificate_from_.pem_file So, here are some examples:

Extracting the issuer

$ openssl x509 -noout -issuer -in mycert.pem
issuer= /C=AU/ST=Some-State/O=Example Certificate Co/CN=example.com/emailAddress=email@example.com

Extracting start and end date

This example also show how to extract multiple informations at the same time, here -startdate and -enddate:

$ openssl x509 -noout -startdate -enddate -in mycert.pem
notBefore=Jan 19 20:07:06 2009 GMT
notAfter=Jan 19 20:07:06 2010 GMT

Extracting the email

$ openssl x509 -noout -email -in mycert.pem
email@example.com

Extracting the public key

$ openssl x509 -noout -pubkey -in mycert.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx7hdXdl1DumG+q+37j9MDVSbb
i1FMcR3yPKjL12Jk+V+jg2cDUXYfCK3AZItkOJMa/+szs+zTjDgcx2i8OZXDipEf
bf6vfxQ6dFdbeWH5AD7lK+744s6y2qPiOIUO5leEHaKJowQmtWFYP6X5rv0Izt9W
yfwmU/D+B/2445K+lQIDAQAB
-----END PUBLIC KEY-----

Extracting all information in text form

$ openssl x509 -noout -text -in mycert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:16:21:a3:e9:2f:70:b5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Example Certificate Co, CN=example.com/emailAddress=email@example.com
        Validity
            Not Before: Jan 19 20:07:06 2009 GMT
            Not After : Jan 19 20:07:06 2010 GMT
        Subject: C=AU, ST=Some-State, O=Example Certificate Co, CN=example.com/emailAddress=email@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b1:ee:17:57:76:5d:43:ba:61:be:ab:ed:fb:8f:
                    d3:03:55:26:db:8b:51:4c:71:1d:f2:3c:a8:cb:d7:
                    62:64:f9:5f:a3:83:67:03:51:76:1f:08:ad:c0:64:
                    8b:64:38:93:1a:ff:eb:33:b3:ec:d3:8c:38:1c:c7:
                    68:bc:39:95:c3:8a:91:1f:6d:fe:af:7f:14:3a:74:
                    57:5b:79:61:f9:00:3e:e5:2b:ee:f8:e2:ce:b2:da:
                    a3:e2:38:85:0e:e6:57:84:1d:a2:89:a3:04:26:b5:
                    61:58:3f:a5:f9:ae:fd:08:ce:df:56:c9:fc:26:53:
                    f0:fe:07:fd:b8:e3:92:be:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                23:B0:08:36:13:6F:D2:62:BB:F0:AF:69:B2:8D:0B:EF:C4:16:56:3A
            X509v3 Authority Key Identifier: 
                keyid:23:B0:08:36:13:6F:D2:62:BB:F0:AF:69:B2:8D:0B:EF:C4:16:56:3A
                DirName:/C=AU/ST=Some-State/O=Example Certificate Co/CN=example.com/emailAddress=email@example.com
                serial:F9:16:21:A3:E9:2F:70:B5

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        7c:0b:d1:ab:8d:d3:76:98:59:1b:71:a4:b2:ee:79:32:80:77:
        25:58:47:c4:f8:8c:b9:4b:87:2d:10:72:a1:5b:2c:a8:ff:b9:
        a5:62:3d:9a:99:a8:79:24:a0:99:18:f2:8e:f7:eb:2d:17:85:
        04:58:83:00:26:80:02:9c:9d:99:35:2d:71:78:30:1d:51:63:
        f1:4f:3d:08:fb:b4:66:4e:49:d8:dd:c4:33:fd:d6:39:a2:6c:
        34:51:92:d4:41:40:51:0a:b7:c2:5e:95:c0:ef:8e:92:53:d2:
        51:42:3d:4a:05:67:5b:9b:68:a4:8b:88:ee:79:82:b1:58:93:
        fc:7c

Certificate Revocation List (CRL)

Create a CRL

openssl ca -gencrl -out crl.pem -config openssl.cnf

Display a CRL

 openssl crl -text -noout -in crl.pem

Revoke certificate

openssl ca -revoke client.crt -config openssl.cnf

and regenerate the crl.pem

openssl ca -gencrl -out crl.pem -config openssl.cnf 

Finally confirm the certificate is revoked:

$ cat carl.pem ca.crt > revoke-test.pem
$ openssl verify -CAfile revoke-test.pem -crl_check client.crt
client.crt: /C=XX/ST=XX/O=XXXX/CN=XXXXXXX/emailAddress=XXX@XXXX
error 23 at 0 depth lookup:certificate revoked

References

http://www.madboa.com/geek/openssl/

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Google AdSense