michael/Wiki
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
Files
6110e3d50c66928c8ecb443c85b01e5107e14623
Wiki/OpenSSL.md
Michael Schlapa 6110e3d50c Add SHA256
2024-03-15 13:13:50 +01:00

112 lines
2.6 KiB
Markdown
Raw Blame History

# OpenSSL
For my SSL keys and certificates I always use:
* `.crt` for the certificates,
* `.key` for the keys and
* `.csr` for the CSRs
While technically not correct, I think this is more verbose.
## General commands
### Generate a new private key
The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024.
`-outform PEM` controls the form of the key. Values are `PEM` and `DER`. If you want to encrypt the key add the following parameters: `-aes-128-cbc -pass pass:test123`. Instead of `-aes-128-cbc` you can use other ciphers (e.g. `-des3`). If you omit the `-pass` argument you will be asked for a password.
```
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out private_key.key
```
### Generate a new private key and certificate
```
openssl req -x509 -newkey rsa:4096 -keyout private_key.key -out certificate.crt -sha256 -days 365
```
### Generate a new private key and certificate signing request (CSR)
```
openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key -sha256
```
### Generate a certificate signing request (CSR) for an existing private key
```
openssl req -out signing_request.csr -key private_key.key -new -sha256
```
### Pass Subject and SubjectAlternativeName directly:
```
-subj "/C=DE/CN=example.tld" -addext "subjectAltName=DNS:example.tld,DNS:example2.tld,IP:127.0.0.1"
```
### Generate a certificate signing request based on an existing certificate
```
openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key
```
### Encrypt a (RSA) private key
```
openssl rsa -des3 -in unencrypted.key -out encrypted.key
```
### Decrypt a (RSA) private key
```
openssl rsa -in encrypted.key -out decrypted.key
```
## Checking commands
### Check a Certificate Signing Request (CSR)
```
openssl req -text -noout -verify -in signing_request.csr
```
### Get information about a private key
```
openssl rsa -text -noout -in private_key.key
```
### Check a private key
```
openssl rsa -check -in private_key.key
```
### Check a certificate
```
openssl x509 -text -noout -in certificate.crt
```
### Check a PKCS#12 file (.pfx or .p12)
```
openssl pkcs12 -info -in keystore.p12
```
## Debugging commands
### Compare md5 hashes of certificate, key and CSR
```
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private_key.key | openssl md5
openssl req -noout -modulus -in signing_request.csr | openssl md5
```
### Check an SSL connection.
All certificates (including intermediates) should be displayed.
```
openssl s_client -connect gitea.forkmissile.de:443
```
Reference in New Issue View Git Blame Copy Permalink