Technotes for future me


If a certificate is received by mail, it can be garbled and contain for example ^M

openssl x509 -noout -modulus -in <certificatename>.crt | openssl md5;openssl rsa -noout -modulus -in <keyname>.key | openssl md5

unable to load X509 request
140628706629520:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE REQUEST
(stdin)= d41d8cd98f00b204e9800998ecf8427e
(stdin)= 8a524b63924ec80aa177c2f760288edd

Open the certificate with vi


:set fileformat=unix

And save with :wq

Create new key and new csr

openssl req -out /etc/httpd/conf/ssl.key/blaataap.csr -new -newkey rsa:2048 -nodes -keyout /etc/httpd/conf/ssl.key/blaataap.key

Create CSR based on existing key

openssl req -sha256 -new -key /etc/httpd/conf/ssl.key/blaataap.key -out /etc/httpd/conf/ssl.key/blaataap.csr

L=Den Haag
OU=Blaataap IT

Show CSR

openssl req -noout -modulus -text -in blaataap.csr

Show CRT

openssl x509 -in blaataap.crt -text -noout

Match csr with key

openssl req -noout -modulus -in  blaataap.csr | openssl md5;openssl rsa -noout -modulus -in blaataap.key | openssl md5

Match crt with key

openssl x509 -noout -modulus -in  blaataap.crt | openssl md5;openssl rsa -noout -modulus -in /etc/httpd/conf/ssl.key/blaataap.key | openssl md5

Match crt with CA

openssl verify -CAfile ca_blaataap.crt blaataap.crt

Check chain

openssl x509 -noout -issuer -subject -issuer -in blaataap.pem

openssl x509 -noout -issuer -subject -issuer -in KPN_PKIoverheid_Server_CA_2020.pem

openssl x509 -noout -issuer -subject -issuer -in DomeinServerCA2020.pem

openssl x509 -noout -issuer -subject -issuer -in StaatderNederlandenEVRootCA.pem

Create CA chain

cat  QuoVadis_EV_SSL_ICA G1.crt  QuoVadis_Root_CA_2.crt >> blaataap.com_CA.crt

Check enddate certificate

openssl x509 -noout -enddate -in /etc/httpd/conf/ssl.crt/blaataap.pem

curl --insecure -v 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=*
*       start date: Nov 11 20:17:05 2019 GMT
*       expire date: Feb 09 20:17:05 2020 GMT
*       common name: *
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* Connection #0 to host left intact

Check issuer certificate

openssl x509 -noout -subject -issuer -in /etc/httpd/conf/ssl.crt/blaataap.pem

Export the private key file from the pfx file

openssl pkcs12 -in blaataap.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in blaataap.pfx -clcerts -nokeys -out blaataap.pem

Remove the passphrase from the private key

openssl rsa -in blaataap.pem -out blaataap.key

Check for expiration

        openssl x509 -enddate -noout -in file.pem            # prints something like 'notAfter=Nov  3 22:23:50 2014 GMT'
        openssl x509 -checkend 86400 -noout -in file.pem     # gives exitcode 0 if not expired

Testing SSL webserver

        openssl s_client -connect

        # With advanced TLS and OSCP debugging:
        openssl s_client -connect -tls1 -tlsextdebug -status

OpenSSL Version and Certificates directory:

        openssl version -a

Rehash OpenSSL certificates

        c_rehash <directory>

Verifying certificates

        Certificate: openssl x509 -noout -modulus -in server.crt | openssl md5
        Private Key: openssl rsa -noout -modulus -in server.key | openssl md5
        CSR: openssl req -noout -modulus -in server.csr | openssl md5

Stripping password from private keys

        openssl rsa -in key-with-pwd.pem -out key-without-pwd.pem

Last updated on 9 Sep 2021
Published on 11 Dec 2019
Edit on GitHub