Certificates
If a certificate is received by mail it can be garbled, for example by containing ^M (carriage-return) characters. The modulus comparison below then fails on the certificate side: the first digest is the MD5 of empty input, so the two digests do not match.
openssl x509 -noout -modulus -in <certificatename>.crt | openssl md5;openssl rsa -noout -modulus -in <keyname>.key | openssl md5
unable to load X509 request
140628706629520:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e
(stdin)= 8a524b63924ec80aa177c2f760288edd
Open the certificate with vi
Execute:
:set fileformat=unix
And save with :wq
Create a new private key and a new CSR (`-nodes` writes the key file unencrypted, so restrict its file permissions)
openssl req -out /etc/httpd/conf/ssl.key/blaataap.csr -new -newkey rsa:2048 -nodes -keyout /etc/httpd/conf/ssl.key/blaataap.key
Create a CSR based on an existing key (example subject fields:)
openssl req -sha256 -new -key /etc/httpd/conf/ssl.key/blaataap.key -out /etc/httpd/conf/ssl.key/blaataap.csr
CN=blaataap.com
C=NL
ST=Zuid-Holland
L=Den Haag
O=Blaataap
OU=Blaataap IT
Show CSR
openssl req -noout -modulus -text -in blaataap.csr
Show CRT
openssl x509 -in blaataap.crt -text -noout
Match CSR with key
openssl req -noout -modulus -in blaataap.csr | openssl md5;openssl rsa -noout -modulus -in blaataap.key | openssl md5
Match CRT with key
openssl x509 -noout -modulus -in blaataap.crt | openssl md5;openssl rsa -noout -modulus -in /etc/httpd/conf/ssl.key/blaataap.key | openssl md5
Match CRT with CA (verify the certificate against the CA file)
openssl verify -CAfile ca_blaataap.crt blaataap.crt
Check chain (each certificate's issuer should be the subject of the next certificate, up to the root)
openssl x509 -noout -issuer -subject -issuer -in blaataap.pem
openssl x509 -noout -issuer -subject -issuer -in KPN_PKIoverheid_Server_CA_2020.pem
openssl x509 -noout -issuer -subject -issuer -in DomeinServerCA2020.pem
openssl x509 -noout -issuer -subject -issuer -in StaatderNederlandenEVRootCA.pem
Create CA chain (leaf certificate first, then intermediate, then root; `>>` appends to an existing output file)
cat blaataap.com.crt QuoVadis_EV_SSL_ICA G1.crt QuoVadis_Root_CA_2.crt >> blaataap.com_CA.crt
Check certificate end date
openssl x509 -noout -enddate -in /etc/httpd/conf/ssl.crt/blaataap.pem
curl --insecure -v https://technotes.adelerhof.eu 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=*.adelerhof.eu
* start date: Nov 11 20:17:05 2019 GMT
* expire date: Feb 09 20:17:05 2020 GMT
* common name: *.adelerhof.eu
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* Connection #0 to host technotes.adelerhof.eu left intact
Check subject and issuer of a certificate
openssl x509 -noout -subject -issuer -in /etc/httpd/conf/ssl.crt/blaataap.pem
Export the private key from the PFX file
openssl pkcs12 -in blaataap.pfx -nocerts -out key.pem
Export the certificate from the PFX file
openssl pkcs12 -in blaataap.pfx -clcerts -nokeys -out blaataap.pem
Remove the passphrase from the private key (the key exported above is key.pem; keep the unencrypted key readable only by its owner)
openssl rsa -in blaataap.pem -out blaataap.key
Check for expiration
openssl x509 -enddate -noout -in file.pem # prints something like 'notAfter=Nov 3 22:23:50 2014 GMT'
openssl x509 -checkend 86400 -noout -in file.pem # gives exitcode 0 if not expired
Testing an SSL/TLS web server
openssl s_client -connect example.com:443
# With advanced TLS and OCSP stapling debugging (note: -tls1 forces TLS 1.0, which modern servers reject; use -tls1_2 to test TLS 1.2):
openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out blaataap.pfx -inkey blaataap.pem -in blaataap.pem
OpenSSL version and certificates directory (OPENSSLDIR):
openssl version -a
Rehash the OpenSSL certificates directory
c_rehash <directory>
Verifying that certificate, private key and CSR belong together (all three digests must match)
Certificate: openssl x509 -noout -modulus -in server.crt | openssl md5
Private Key: openssl rsa -noout -modulus -in server.key | openssl md5
CSR: openssl req -noout -modulus -in server.csr | openssl md5
Stripping the passphrase from a private key
openssl rsa -in key-with-pwd.pem -out key-without-pwd.pem
https://www.sslshopper.com/article-most-common-openssl-commands.html