Openssl: Difference between revisions
Revision as of 15:29, 23 July 2018
Some useful OpenSSL commands

| Comment | Command |
|---|---|
| Convert PEM (base64 cert files) to PFX (PKCS#12) | `openssl pkcs12 -inkey privatekey.pem -in publiccert.pem -export -out output.pfx` |
| Remove passphrase from private key file | `openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem` |
| Convert private key to AES-192 encrypted private key | `openssl rsa -in file.key -out aes192.key -aes192` |
| Match public and private key | `openssl x509 -in cert.crt -text -noout -modulus`, then `openssl rsa -in file.key -check -modulus`, and manually compare the two moduli |
| Read and verify private key | `openssl rsa -in file.key -text -check` |
# View

## View PEM encoded certificate

Use the command whose extension matches your certificate, replacing cert.xxx with the name of your certificate file:

```console
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
```

If you get the following error, you are trying to view a DER encoded certificate and need to use the commands under "View DER encoded certificate" below:

```console
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
```
## View DER encoded certificate

```console
openssl x509 -in certificate.der -inform der -text -noout
```

If you get the following error, you are trying to view a PEM encoded certificate with a command meant for DER encoded certificates. Use a command from "View PEM encoded certificate" above:

```console
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
```

openssl.cnf: http://web.mit.edu/crypto/openssl.cnf
# Transform

Transforms convert a certificate from one encoding to another (e.g. PEM to DER).

## PEM to DER

```console
openssl x509 -in cert.crt -outform der -out cert.der
```

## DER to PEM

```console
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
```

- https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
- https://www.sslshopper.com/ssl-converter.html
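As an added example (not code from the original page), the checks behind the "no start line" and "wrong tag" errors in the View section and the PEM/DER transform above, done with Python's standard library only. It uses a constructed minimal DER sample instead of a real certificate, and the function names are my own.

```python
import base64
import re

# Constructed sample DER, not a real certificate: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes.fromhex("3003020105")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_length(data: bytes) -> int:
    """Parse the outer ASN.1 tag/length and return the TLV size. A certificate
    is a SEQUENCE (0x30); PEM text starts with '-' (0x2D), hence 'wrong tag'."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("wrong tag: expected SEQUENCE (0x30)")
    first = data[1]
    if first < 0x80:                                   # short-form length
        length, hdr = first, 2
    else:                                              # long form: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad length encoding")
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if hdr + length != len(data):                      # truncated or trailing junk
        raise ValueError("nested asn1 error: length mismatch")
    return hdr + length

def detect_encoding(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown', i.e. which -inform openssl needs."""
    if PEM_RE.search(data):
        return "pem"
    try:
        der_total_length(data)
        return "der"
    except ValueError:
        return "unknown"

def pem_to_der(pem: bytes) -> bytes:
    """Same effect as: openssl x509 -in cert.pem -outform der -out cert.der"""
    m = PEM_RE.search(pem)
    if not m:                                          # openssl: 'no start line'
        raise ValueError("no start line: Expecting: CERTIFICATE")
    der = base64.b64decode(m.group(2))                 # embedded newlines are dropped
    der_total_length(der)                              # reject non-SEQUENCE bodies
    return der

def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Same effect as: openssl x509 -in cert.der -inform der -outform pem"""
    der_total_length(der)
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))  # 64-col lines
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"
```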
# Create

```console
# create directories
sudo mkdir /etc/ssl/private
sudo chmod 700 /etc/ssl/private
# generate a self-signed certificate with a new 2048-bit RSA key; -newkey generates
# the key and -keyout (not -key, which reads an existing key) is where it is written.
# -nodes leaves the key unencrypted, which is why the 700 directory mode matters.
sudo openssl req -sha256 -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
# new DH group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```

- To create a full 2-tier PKI using OpenSSL: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
- Another private PKI via: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#openssl-private-ca