Tag Archives: openssl

OpenVPN: Built a certification authority from scratch with openssl


these are the steps to build your own CA (Certification Authority) and all requiered certificates for a OpenVPN instance (Client and Server) on Linux.

Define your environment. Always set these variables in the shell before executing openssl commands. Adjust it to your needs.
Continue reading OpenVPN: Built a certification authority from scratch with openssl

Advertisment to support michlstechblog.info

OpenSSL: Command line examples


here are some command line examples for openssl:

Generate a self signed certificate for a (apache) webserver with a 2048 Bit RSA encryption and valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Get the certificate of a webserver

openssl s_client -connect michlstechblog.info:443

This establish a connection to a webserver and displays the details for the certificate on a webserver, i.e the expiration date

openssl s_client -connect michlstechblog.info:443| openssl x509 -text

Same for a UDP port where DTLS is running
openssl s_client -host michlstechblog.info -port 8888 -dtls1| openssl x509 -text

Show details of a certificate file
openssl x509 -text -in server.crt -noout

Create pfx (pkcs12) file from key and certificate

openssl pkcs12 -export -out file.pfx -inkey host.domain.key -in host.domain.crt

Extract a key from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nocerts -out host.domain.key

And extract a cert(s) from a pkcs12 or pfx file
openssl pkcs12 -in file.pfx -nokeys -out host.domain.crt

Creating a self signed Certification Authority

To be continued….

See also this post. It describes how to setup a CA for OpenVPN from the scratch.

Generate a CA revokation list

openssl ca -gencrl -passin pass:${CA_PASSWORD} -out crl.pem

Show details of certificate revocation list (crl)

openssl crl -in crl.pem -text

Verify a certificate chain where yourCertificate is directly signed by the CA
openssl verify -CAfile CARootCertificate.cer yourCertificate.cer

Verify a certificate chain where yourCertificate is signed by a intermediate certificate
openssl verify -CAfile CARootCertificate.cer -untrusted Intermediate.cer yourCertificate.cer

or copy CARootCertificate.cer and Intermediate.cer to one file

# Windows
copy CARootCertificate.cer+Intermediate.cer fullChain.cer
# Linux/UNIX
cat CARootCertificate.cer Intermediate.cer > fullChain.cer
openssl verify -CAfile fullChain.cer yourCertificate.cer

Check a certificate against a crl
Copy the chain(root CA cert, intermediate cert) and the crl to a file

cat ca.pem intermediate.pem crl.pem > wholeChain.pem

and check

openssl verify -crl_check -CAfile wholeChain.pem myCert.pem

Create a signing request to renew an existing certificate

openssl x509 -x509toreq -in server.crt -signkey server.key -out server.csr

With some x509v3 extensions. File x509v3_extensions.ext

extensions = x509v3
[ x509v3 ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth,clientAuth
keyUsage = nonRepudiation,digitalSignature, keyEncipherment

openssl x509 -req -days 3650 -in CARootCertificate.cer -signkey CARoot.key \
-out ca_crt.pem -extfile x509v3_extensions.ext -extensions x509v3

List of valid ciphersuites from a given allowed SSL_CTX_set_cipher_list

openssl ciphers '!aNULL:ECDHE+AESGCM:ECDHE+AES' | tr ":" "\n"