michael/Wiki
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity
Files
8cd837fdd2d46103fcc59a0a42d347c7d0c042e8
Wiki/OpenSSL.md
Michael Schlapa 8cd837fdd2 OpenSSL
2020-03-17 23:00:06 +01:00

100 lines
2.3 KiB
Markdown
Raw Blame History

# OpenSSL
For my SSL keys and certificates I always use:
* `.crt` for the certificates,
* `.key` for the keys and
* `.csr` for the CSRs
While technically not correct, I think this is more verbose.
## General commands
### Generate a new private key
The `-pkeyopt rsa_keygen_bits:2048` determines the key length. The default value is 1024.
`-outform PEM` controls the form of the key. Values are `PEM` and `DER`. If you want to encrypt the key add the following parameters: `-aes-128-cbc -pass pass:test123`. Instead of `-aes-128-cbc` you can use other ciphers (e.g. `-des3`). If you omit the `-pass` argument you will be asked for a password.
```
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform PEM -out private_key.key
```
### Generate a new private key and Certificate Signing Request
```
openssl req -out signing_request.csr -new -newkey rsa:2048 -nodes -keyout private_key.key
```
### Generate a certificate signing request (CSR) for an existing private key
```
openssl req -out signing_request.csr -key private_key.key -new
```
### Generate a certificate signing request based on an existing certificate
```
openssl x509 -x509toreq -in certificate.crt -out signing_request.csr -signkey private_key.key
```
### Encrypt a Private Key
```
openssl rsa -des3 -in unencrypted.key -out encrypted.key
```
### Decrypt a Private Key
```
openssl rsa -in encrypted.key -out decrypted.key
```
## Checking commands
### Check a Certificate Signing Request (CSR)
```
openssl req -text -noout -verify -in signing_request.csr
```
### Get information about a private key
```
openssl rsa -text -noout -in private_key.key
```
### Check a private key
```
openssl rsa -check -in private_key.key
```
### Check a certificate
```
openssl x509 -text -noout -in certificate.crt
```
### Check a PKCS#12 file (.pfx or .p12)
```
openssl pkcs12 -info -in keystore.p12
```
## Debugging commands
### Compare md5 hashes of certificate, key and CSR
```
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private_key.key | openssl md5
openssl req -noout -modulus -in signing_request.csr | openssl md5
```
### Check an SSL connection.
All certificates (including intermediates) should be displayed.
```
openssl s_client -connect gitea.forkmissile.de:443
```
Reference in New Issue View Git Blame Copy Permalink