Hi,
here are some command line examples for openssl:
Generate a self-signed certificate for an (Apache) web server with a 2048-bit RSA key, valid for 365 days.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
Add X.509 v3 extensions from the command line (OpenSSL >= 1.1.1); the option is -addext, one per extension
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -addext 'subjectAltName = DNS:myHost.myDomain.org, DNS:myHost2.myDomain.org' -addext 'certificatePolicies = 1.2.3.4.5'
Get the certificate of a webserver
openssl s_client -connect michlstechblog.info:443
This establishes a connection to a web server and displays the details of its certificate, e.g. the expiration date (the input redirect makes s_client close the connection right away instead of waiting for keyboard input)
openssl s_client -connect michlstechblog.info:443 </dev/null | openssl x509 -text
Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1 </dev/null | openssl x509 -text
Show details of a certificate file
openssl x509 -text -in server.crt -noout
Create pfx (pkcs12) file from key and certificate
openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt
Create a pfx (pkcs12) file from key, certificate and the root CA(s). If necessary, copy the root and the intermediate certificates into one CACert.crt file.
openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt -certfile CACert.crt
Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key
And extract the certificate(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt
Creating a self-signed Certification Authority
To be continued…
See also this post. It describes how to set up a CA for OpenVPN from scratch.
Generate a certificate revocation list (CRL) with the CA
openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem
Show details of a certificate revocation list (CRL)
openssl crl -in crl.pem -text
Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer
Verify a certificate chain where yourCertificate is signed by an intermediate certificate (the intermediate is passed as untrusted, only the root is trusted)
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer
or copy CARootCertificate.cer and Intermediate.cer into one file
# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer
Check a certificate against a CRL
Copy the chain (root CA cert, intermediate cert) and the CRL into one file
cat ca.pem intermediate.pem crl.pem > wholeChain.pem
and check
openssl verify -crl_check -CAfile wholeChain.pem myCert.pem
Create a signing request to renew an existing certificate
openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr
To issue the certificate with some X.509 v3 extensions, put them into a file x509v3_extensions.ext:
extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment
# sign the request from above with the CA key (use -signkey server.key instead of -CA/-CAkey for a self-signed certificate)
openssl x509 -req -days 3650 -in server.csr -CA CARootCertificate.cer -CAkey CARoot.key -CAcreateserial \
-out server.crt -extfile x509v3_extensions.ext -extensions x509v3
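As an added example (not part of the original post), the following POSIX shell script puts the verify and x509 -req/-extfile commands above together: it builds a small root, intermediate and server certificate chain in a scratch directory and then shows that openssl verify only succeeds when the intermediate is supplied, either with -untrusted or concatenated into the -CAfile bundle. It assumes openssl >= 1.1.1 on the PATH; all file names, subjects and the host name myhost.example.org are constructed.

```shell
# Added example, not from the original post. Builds root -> intermediate -> server
# and exercises the three verify variants. Returns 0 on success, a distinct code
# for each failed step. All names below are constructed for the demonstration.
build_and_verify_chain() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    # extension files with a bare default section, like x509v3_extensions.ext above
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:myhost.example.org\nextendedKeyUsage = serverAuth\n' > server.ext
    # 1) root CA: a request self-signed with -signkey, CA extensions taken from ca.ext
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=Example Root CA' \
        -keyout root.key -out root.csr 2>/dev/null || return 1
    openssl x509 -req -days 365 -in root.csr -signkey root.key -extfile ca.ext \
        -out root.crt 2>/dev/null || return 1
    # 2) intermediate CA: request signed by the root key
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=Example Intermediate CA' \
        -keyout intermediate.key -out intermediate.csr 2>/dev/null || return 1
    openssl x509 -req -days 365 -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out intermediate.crt 2>/dev/null || return 1
    # 3) server certificate with a subjectAltName, signed by the intermediate
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=myhost.example.org' \
        -keyout server.key -out server.csr 2>/dev/null || return 1
    openssl x509 -req -days 365 -in server.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null || return 1
    # the root alone is not enough: the issuer of server.crt is unknown, so verify must fail
    if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; then return 2; fi
    # trusted root plus the intermediate passed as -untrusted: succeeds
    openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt >/dev/null 2>&1 || return 3
    # the concatenated bundle works the same way
    cat root.crt intermediate.crt > fullChain.crt
    openssl verify -CAfile fullChain.crt server.crt >/dev/null 2>&1 || return 4
    # host name check against the SAN, as a TLS client would do it
    openssl verify -CAfile fullChain.crt -verify_hostname myhost.example.org server.crt >/dev/null 2>&1 || return 5
    echo "chain verified in $workdir"
}
build_and_verify_chain
```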
List the cipher suites that a given cipher list string (as passed to SSL_CTX_set_cipher_list) actually enables
openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"
Michael