michael/Wiki
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

OpenSSL

Browse Source
This commit is contained in:
Michael Schlapa
2020-03-17 22:50:37 +01:00
parent 8172190fe3
commit 12d666baaf
1 changed files with 38 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
OpenSSL.md
View File

@@ -4,56 +4,77 @@ For my SSL keys and certificates I always use:
* `.crt` for the certificates, * `.crt` for the certificates,
* `.key` for the keys and * `.key` for the keys and
* `.csr` for the CSRs * `.csr` for the CSRs
While technically not correct I think this is more verbose.
While technically not correct, I think this is more verbose.
## General commands ## General commands
* Generate a new private key and Certificate Signing Request ### Generate a new private key
The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024.
`-outform PEM` controls the form of the key. Values are `PEM` and `DER`.
```
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out key.key
```
### Generate a new private key and Certificate Signing Request
``` ```
openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key
``` ```
* Generate a certificate signing request (CSR) for an existing private key ### Generate a certificate signing request (CSR) for an existing private key
``` ```
openssl req -out signing_request.csr -key private_key.key -new openssl req -out signing_request.csr -key private_key.key -new
``` ```
* Generate a certificate signing request based on an existing certificate ### Generate a certificate signing request based on an existing certificate
``` ```
openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key
``` ```
* Remove a passphrase from a private key ### Encrypt a Private Key
``` ```
openssl rsa -in old_private_key.key -out new_private_key.key openssl rsa -des3 -in unencrypted.key -out encrypted.key
```
### Decrypt a Private Key
```
openssl rsa -in encrypted.key -out decrypted.key
``` ```
## Checking commands ## Checking commands
### Check a Certificate Signing Request (CSR)
* Check a Certificate Signing Request (CSR)
``` ```
openssl req -text -noout -verify -in signing_request.csr openssl req -text -noout -verify -in signing_request.csr
``` ```
* Check a private key ### Get information about a private key
``` ```
openssl rsa -in private_key.key -check openssl rsa -text -noout -in private_key.key
``` ```
* Check a certificate ### Check a private key
```
openssl rsa -check -in private_key.key
```
### Check a certificate
``` ```
openssl x509 -in certificate.crt -text -noout openssl x509 -in certificate.crt -text -noout
``` ```
* Check a PKCS#12 file (.pfx or .p12) ### Check a PKCS#12 file (.pfx or .p12)
``` ```
openssl pkcs12 -info -in keystore.p12 openssl pkcs12 -info -in keystore.p12
@@ -61,7 +82,7 @@ openssl pkcs12 -info -in keystore.p12
## Debugging commands ## Debugging commands
* Compare md5 hashes of certificate, key and CSR ### Compare md5 hashes of certificate, key and CSR
``` ```
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl x509 -noout -modulus -in certificate.crt | openssl md5
@@ -69,8 +90,10 @@ openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
``` ```
* Check an SSL connection. All the certificates (including Intermediates) should be displayed ### Check an SSL connection.
All certificates (including intermediates) should be displayed.
``` ```
openssl s_client -connect www.paypal.com:443 openssl s_client -connect schlapa.eutea.forkmissile.de:443
``` ```