openssl
Certificate installation steps
- you need to generate a new key pair (private and public key),
- a new CSR from the public key,
- give the CSR to the CA of your choice,
- and install on the server the new certificate the CA gives you.
Check whether a certificate uses SHA-1 (causes problems: SHA-1 signatures are rejected by modern browsers and TLS libraries)
openssl x509 -text -noout -in somecert.pem | grep sha1
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
Detect TLS 1.3 support
openssl s_client -connect www.example.com:443 -tls1_3
Remove passphrase from certificate private key
openssl rsa -in [original.key] -out [new.key]
Display certificate content
openssl x509 -text -noout -in /usr/local/st/conf/https.crt
Display certificate key content
openssl rsa -text -noout -in /usr/local/st/conf/https.key
Check https
$ openssl s_client -connect XXX.XX.XX.XXX:443
... connection and certificate information is displayed; then type an HTTP request by hand:
GET / HTTP/1.1
Host: www.example.com
Convert PFX (PKCS#12) certificate to PEM including private key with no passphrase
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out cert.pfx -inkey privateKey.key -in cert.crt -certfile CACert.crt
PFX to PEM: Extract X.509 certificate
openssl pkcs12 -in cert-with-public-and-private-keys.pfx -clcerts -nokeys -out cert.pem
PFX to PEM: Extract private key
openssl pkcs12 -in cert-with-public-and-private-keys.pfx -nocerts -out private-key.pem
Remove password from private key just exported
openssl rsa -in private-key.pem -out private.pem
OpenSSL Certificate and private key to PFX
openssl pkcs12 -export -in company-chain.crt -inkey company-private.key -out company-pfx.pfx
Note: do not use special characters in the pfx password.
Note: for compatibility use one chain file of cert+intermediate+root.
Certificate from PFX:
openssl pkcs12 -in company-pfx.pfx -nokeys -out company-crt.crt
Private key from PFX:
openssl pkcs12 -in company-pfx.pfx -nocerts -out company-private_withpass.key
openssl rsa -in company-private_withpass.key -out company-private.key
Intermediate certificate from PFX:
openssl pkcs12 -in company-pfx.pfx -cacerts -nokeys -out company-crt_inter.crt
Create private key
openssl genrsa -out company-private.key 2048
Create Certificate Signing Request (CSR) from private key
openssl req -new -key company-private.key -out company-csr.csr
Country: DK
State: Copenhagen
Locality: Copenhagen
Organization Name: company
Organizational Unit Name: IT
Common Name: *.company.com
Email Address: it@company.com
A challenge password:
An optional company name: .
Check CRT file info
openssl x509 -in company-crt.crt -noout -text
Check PFX file info
openssl pkcs12 -in company-pfx.pfx -noout -info
Create self-signed certificate
openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 36160 \
  -keyout /etc/ssl/private/private-selfsigned.key \
  -out /etc/ssl/certs/certificated-selfsigned.crt \
  -subj "/C=RU/O=Company/OU=DevOps/CN=www.example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
  -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" \
  -addext "extendedKeyUsage = serverAuth, clientAuth"
Note: -addext requires OpenSSL 1.1.1 or newer.
Get certificate expiration date
echo | openssl s_client -connect timereg.company.com:443 2>/dev/null | openssl x509 -text 2>/dev/null | grep 'Not After' | awk '{print $4,$5,$7}'
Get certificate dates and issuer
echo | openssl s_client -connect yandex.ru:443 2>/dev/null | openssl x509 -noout -dates -issuer
Get certificate from third party CA
- Generate the private key and the CSR for the certificate
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
- Provide CSR to clients
- Get certificate from clients
- Ensure the moduli are the same (the key and the certificate belong together)
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
- Get the chain/root certificates from the respective Certification Authority (Verisign, GoDaddy, Thawte, etc). Usually these can be obtained from the CA in question.
- Install the certificates on the web server
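The pre-installation checks above (key/certificate modulus match, SHA-1 signature check, expiry date) wrapped into reusable shell functions. This is an added example, not part of the original notes; it assumes the openssl CLI is on PATH, the file names are placeholders, and make_demo_material builds constructed throwaway test material.

```shell
# Added example: sanity checks to run before installing a certificate.
# Assumes the openssl CLI is on PATH; file names are placeholders.
set -eu

# key_matches_cert KEY CERT -> status 0 if the RSA moduli are identical,
# i.e. the private key really belongs to this certificate (RSA keys only)
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_sig_alg CERT -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# cert_uses_sha1 CERT -> status 0 if the certificate is SHA-1 signed
# (such certificates are rejected by modern browsers and TLS libraries)
cert_uses_sha1() {
    case "$(cert_sig_alg "$1")" in
        sha1*) return 0 ;;
        *)     return 1 ;;
    esac
}

# cert_valid_for_days CERT DAYS -> status 0 if notAfter is at least DAYS away;
# -checkend avoids parsing the date with platform-specific date(1) flags
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# make_demo_material -> prints a temp dir holding a constructed self-signed
# 30-day SHA-256 cert, its key, and an unrelated key for the mismatch case
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
        -subj "/CN=demo.example.invalid" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    echo "$dir"
}
```

Source the file and call the functions on the real material, e.g. `key_matches_cert company-private.key company-crt.crt && cert_valid_for_days company-crt.crt 30`.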