OpenSSL
This commit is contained in:
53
OpenSSL.md
53
OpenSSL.md
@@ -4,56 +4,77 @@ For my SSL keys and certificates I always use:
|
||||
* `.crt` for the certificates,
|
||||
* `.key` for the keys and
|
||||
* `.csr` for the CSRs
|
||||
While technically not correct I think this is more verbose.
|
||||
|
||||
While technically not correct, I think this is more verbose.
|
||||
|
||||
## General commands
|
||||
|
||||
* Generate a new private key and Certificate Signing Request
|
||||
### Generate a new private key
|
||||
|
||||
The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024.
|
||||
`-outform PEM` controls the form of the key. Values are `PEM` and `DER`.
|
||||
|
||||
```
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out key.key
|
||||
```
|
||||
|
||||
### Generate a new private key and Certificate Signing Request
|
||||
|
||||
```
|
||||
openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key
|
||||
```
|
||||
|
||||
* Generate a certificate signing request (CSR) for an existing private key
|
||||
### Generate a certificate signing request (CSR) for an existing private key
|
||||
|
||||
```
|
||||
openssl req -out signing_request.csr -key private_key.key -new
|
||||
```
|
||||
|
||||
* Generate a certificate signing request based on an existing certificate
|
||||
### Generate a certificate signing request based on an existing certificate
|
||||
|
||||
```
|
||||
openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key
|
||||
```
|
||||
|
||||
* Remove a passphrase from a private key
|
||||
### Encrypt a Private Key
|
||||
|
||||
```
|
||||
openssl rsa -in old_private_key.key -out new_private_key.key
|
||||
openssl rsa -des3 -in unencrypted.key -out encrypted.key
|
||||
```
|
||||
|
||||
### Decrypt a Private Key
|
||||
|
||||
```
|
||||
openssl rsa -in encrypted.key -out decrypted.key
|
||||
```
|
||||
|
||||
## Checking commands
|
||||
|
||||
|
||||
* Check a Certificate Signing Request (CSR)
|
||||
### Check a Certificate Signing Request (CSR)
|
||||
|
||||
```
|
||||
openssl req -text -noout -verify -in signing_request.csr
|
||||
```
|
||||
|
||||
* Check a private key
|
||||
### Get information about a private key
|
||||
|
||||
```
|
||||
openssl rsa -in private_key.key -check
|
||||
openssl rsa -text -noout -in private_key.key
|
||||
```
|
||||
|
||||
* Check a certificate
|
||||
### Check a private key
|
||||
|
||||
```
|
||||
openssl rsa -check -in private_key.key
|
||||
```
|
||||
|
||||
### Check a certificate
|
||||
|
||||
```
|
||||
openssl x509 -in certificate.crt -text -noout
|
||||
```
|
||||
|
||||
* Check a PKCS#12 file (.pfx or .p12)
|
||||
### Check a PKCS#12 file (.pfx or .p12)
|
||||
|
||||
```
|
||||
openssl pkcs12 -info -in keystore.p12
|
||||
@@ -61,7 +82,7 @@ openssl pkcs12 -info -in keystore.p12
|
||||
|
||||
## Debugging commands
|
||||
|
||||
* Compare md5 hashes of certificate, key and CSR
|
||||
### Compare md5 hashes of certificate, key and CSR
|
||||
|
||||
```
|
||||
openssl x509 -noout -modulus -in certificate.crt | openssl md5
|
||||
@@ -69,8 +90,10 @@ openssl rsa -noout -modulus -in privateKey.key | openssl md5
|
||||
openssl req -noout -modulus -in CSR.csr | openssl md5
|
||||
```
|
||||
|
||||
* Check an SSL connection. All the certificates (including Intermediates) should be displayed
|
||||
### Check an SSL connection.
|
||||
|
||||
All certificates (including intermediates) should be displayed.
|
||||
|
||||
```
|
||||
openssl s_client -connect www.paypal.com:443
|
||||
openssl s_client -connect schlapa.eutea.forkmissile.de:443
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user