Openunix.eu

OpenSSL

Common commands

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -text -noout -in server.crt

Check the SSL key and verify the consistency:

openssl rsa -in server.key -check

Verify the CSR and print CSR data filled in when generating the CSR:

openssl req -text -noout -verify -in server.csr

Verify a certificate and key matches

openssl rsa -noout -modulus -in server.key| openssl md5
openssl x509 -noout -modulus -in server.crt| openssl md5

From https://support.asperasoft.com/hc/en-us/articles/216128468-OpenSSL-commands-to-check-and-verify-your-SSL-certificate-key-and-CSR

Show a remote certificate

openssl s_client -showcerts -connect imap.example.com:993
openssl s_client -showcerts -connect webmail.example.com:443

OpenSSL Post Signum certificate

• Generate key and request using a conf
  

  # CONFIG FILE postsignum.conf
  # Konnfiguracni soubor pro generovani klicu a zadosti pro certifikacni
  # autoritu PostSignum 
  # vice informaci viz. http://qca.postsignum.cz 
  [ req ] 
  default_bits = 2048
  default_keyfile = private.key 
  distinguished_name = req_distinguished_name    
  req_extensions = v3_req     
  string_mask = default
  [ req_distinguished_name ] 
  countryName = Nazev statu ("CZ") 
  countryName_default = CZ   
  countryName_min = 2
  countryName_max = 2
  localityName = Adresa (mesto ulice cislo)         
  organizationName = Jmeno organizace a IC
  0.organizationalUnitName= Organizacni jednotka   
  0.organizationalUnitName= Organizacni jednotka
  commonName = Jmeno certifikatu (jmeno a prijmeni pro fyzickou osobu)
  commonName_max = 64     
  emailAddress = E-mailova adresa 
  commonName_max = 64   
  emailAddress = E-mailova adresa     
  emailAddress_max = 64     
  [ v3_req ] 
  # Extensions to add to a certificate request      
  # basicConstraints = CA:FALSE         
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
  subjectAltName = email:move         
  

  - The generation script
  

  # postsignum.sh 
  echo "generuji klic..." 
  echo ""
  openssl genrsa -des3 -out private.key 2048 
  echo " klic hotov, jdu na zadost ..."       
  sleep 1  
  openssl req -new -newhdr -days 365 -asn1-kludge -outform PEM -key private.key -out cert.req -config postsignum.conf
  echo "zadost se nyni jmenuje cert.req" 
  

  - Checking it before sending:

  openssl req -in cert.req -noout -text
  

• After receiving the certificate - called "newcert.crt":
  

  openssl x509 -inform DER -outform PEM -in newcert.crt -out newcert.pem
  

  Generating p12 for thunderbird:

  openssl pkcs12 -export -name "PostSignum" -in newcert.pem -inkey newcert.key -certfile postsignum_qca2_root.pem -out newcert.p12
  

• HOME
~~~~~~~~~~~~~~~
• OpenBSD
• Networking
• Installing software
• Session managent
• Desktop env
• Multimedia
• Printing
• Sharing
• NetBSD
• Desktop
• Xen
• FreeBSD
• Linux
• Debian
• Centos
• OpenSuse
• Solaris
• Packages
• Zones
• ZFS
• Services
• Windows
~~~~~~~~~~~~~~~
• Git
• Ansible
• Atlassian
• Network tools
• Qemu
• Virtualbox
• Vim
• Tmux
• Mutt
• Mutt-settings
• Mutt-accounts
• Mutt-html,pdf,doc
• Mutt-address book
• Mutt-signature
• STar
~~~~~~~~~~~~~~~
• MySQL
• PostgreSQL
• Postfix
• OpenSSL
• tcpdump
• SSH
~~~~~~~~~~~~~~~
• Packet Filter
• IP Filter
• IPFilter
• IPNAT
• Commands
~~~~~~~~~~~~~~~
• Bash
• Hack
• If
• Loop
• Math
• Test
• Awk
• Array
• web-dev
• html
• php
• css
• Hacking
• LINUX DAYS

Powered by NetBSD. Running on a toaster.