Openssl: Difference between revisions



= View =
== View PEM encoded certificate ==


Use the command that matches the file extension of your certificate, replacing cert.xxx with the name of your certificate.
<syntaxhighlight lang="console">
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
</syntaxhighlight>
If you get the following error, you are trying to view a DER encoded certificate and need to use the command in the “View DER encoded Certificate” section below.
<syntaxhighlight lang="console">
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
</syntaxhighlight>


== View DER encoded Certificate ==
<syntaxhighlight lang="console">
openssl x509 -in certificate.der -inform der -text -noout
</syntaxhighlight>
If you get the following error, you are trying to view a PEM encoded certificate with a command meant for DER encoded certificates. Use a command in the “View PEM encoded certificate” section above.
<syntaxhighlight lang="console">
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
</syntaxhighlight>
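
Both load errors above come from passing the wrong <code>-inform</code> for the file. As an added example (not part of the original wiki page), the shell functions below inspect the file contents to pick the encoding before running the same <code>openssl x509</code> commands; the function names <code>cert_encoding</code>, <code>view_cert</code> and <code>to_pem</code> are assumptions made for this example.

```bash
#!/bin/sh
# Added example: choose -inform from the file contents, not the extension.
# .crt and .cer files may hold either encoding, which is what triggers the
# "no start line" (DER read as PEM) and "wrong tag" (PEM read as DER) errors.

# Print "pem", "der" or "unknown" for the file given as $1.
cert_encoding() {
    [ -r "$1" ] || { echo unknown; return 1; }
    # PEM: a BEGIN line somewhere in the file (plain text may precede it).
    if grep -Eq '^-----BEGIN (TRUSTED |X509 )?CERTIFICATE-----' "$1"; then
        echo pem
    # DER: the first byte is the ASN.1 SEQUENCE tag 0x30. Other DER objects
    # (keys, PKCS#12) start the same way; openssl rejects those later.
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
        return 1
    fi
}

# Show the certificate text regardless of how the file is encoded.
view_cert() {
    enc=$(cert_encoding "$1") || { echo "$1: not a PEM or DER certificate" >&2; return 1; }
    openssl x509 -in "$1" -inform "$enc" -text -noout
}

# Write a PEM copy of certificate $1 to $2, whatever the input encoding.
to_pem() {
    enc=$(cert_encoding "$1") || { echo "$1: not a PEM or DER certificate" >&2; return 1; }
    openssl x509 -in "$1" -inform "$enc" -outform pem -out "$2"
}

# Usage: sh certview.sh <certificate-file>
if [ "$#" -ge 1 ]; then view_cert "$1"; fi
```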
openssl.cnf: http://web.mit.edu/crypto/openssl.cnf
= Transform =
Transforms convert a certificate from one encoding to another (e.g. PEM to DER conversion).
== PEM to DER ==
<syntaxhighlight lang="console">
openssl x509 -in cert.crt -outform der -out cert.der
</syntaxhighlight>
== DER to PEM ==
<syntaxhighlight lang="console">
openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
</syntaxhighlight>
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
https://www.sslshopper.com/ssl-converter.html
= Create =
<syntaxhighlight lang="console">
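# Create a directory for private keys, accessible by root only
sudo mkdir -p /etc/ssl/private
sudo chmod 700 /etc/ssl/private
# Generate a self-signed root with a new 2048-bit RSA key
# (-keyout is where the new key is written; -nodes leaves it unencrypted on disk)
sudo openssl req -sha256 -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
# Generate a new 2048-bit DH group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048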
</syntaxhighlight>
* To create a full two-tier PKI using OpenSSL: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
* Another private PKI via: https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html#openssl-private-ca

Revision as of 15:29, 23 July 2018

Some useful OpenSSL commands


{| class="wikitable"
! Comment !! Command
|-
| Convert PEM (base64 cert files) to PFX || <code>openssl pkcs12 -inkey privatekey.pem -in publiccert.pem -export -out output.pfx</code>
|-
| Remove passphrase from private key file || <code>openssl rsa -in EncryptedPrivateKey.pem -out PrivateKey.pem</code>
|-
| Convert private key to AES-192 encrypted private key || <code>openssl rsa -in file.key -out aes192.key -aes192</code>
|-
| Match public and private key ||
<code>openssl x509 -in cert.crt -text -noout -modulus</code>

<code>openssl rsa -in file.key -check -modulus</code>

Manually match moduli
|-
| Read and verify private key || <code>openssl rsa -in file.key -text -check</code>
|}
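
Matching moduli by eye is error-prone and only applies to RSA keys. As an added example (not part of the original wiki page), the script below compares the public key embedded in the certificate with the public key derived from the private key, which generalizes the modulus comparison to EC and other key types; the function name <code>cert_matches_key</code> is an assumption made for this example, and both files are expected to be PEM encoded.

```bash
#!/bin/sh
# Added example: check that a certificate and a private key belong together
# by comparing public keys instead of reading two modulus dumps by eye.

# cert_matches_key <cert.pem> <key.pem>
# Returns 0 if the key matches the certificate, 1 if it does not,
# and 2 if either file cannot be parsed.
cert_matches_key() {
    # Public key as stored in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    # Public key recomputed from the private key, in the same format.
    # An encrypted key makes openssl ask for its passphrase here.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot read private key: $2" >&2
        return 2
    }
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh matchkey.sh cert.crt file.key
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "MATCH: $2 is the private key for $1" ;;
        1) echo "NO MATCH: $2 does not belong to $1" ;;
        *) echo "ERROR: could not parse input" ;;
    esac
fi
```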
