OpenSSL: Difference between revisions

From DN Wiki
Latest revision as of 15:43, 22 June 2022

Using OpenSSL to check and manipulate certs.

Certificate Formats

TODO: Add a note here about which format is which. The following is an attempt that's on-the-fly and largely deductive.

  • PFX (PKCS#12) is binary and contains cert and key.
  • PEM is ASCII (Base64-encoded) with cert (.crt or .pem) and key (.key) in separate files.

Convert PFX to PEM

Extract the key, then the cert, from the PFX. You'll be prompted for the PFX password, and when extracting the key also for a new passphrase that protects the output key file.

openssl pkcs12 -in MY_CERT_AND_KEY.pfx -nocerts -out MY_CERT.key
openssl pkcs12 -in MY_CERT_AND_KEY.pfx -clcerts -nokeys -out MY_CERT.crt

Convert PEM to PFX

Convert PEM cert and key into a PFX file.

openssl pkcs12 -export -in MY_CERT.crt -inkey MY_CERT.key -out MY_CERT.pfx

Validate that Cert and Key Match

If the cert and key are a pair, the two commands below print the same hash of the RSA modulus. MD5 serves only as a short checksum for comparing the two outputs.

openssl rsa  -noout -modulus -in MY_CERT.key | openssl md5
openssl x509 -noout -modulus -in MY_CERT.crt | openssl md5
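The modulus comparison above only applies to RSA keys. The following added example (not from the original wiki page) goes further and compares the public key derived from the private key with the one embedded in the cert, which also covers EC keys; the function names `pub_from_key`, `pub_from_cert` and `cert_key_match` are hypothetical helpers chosen here.

```shell
#!/bin/sh
# Added example: decide whether a private key and a certificate are a pair
# by comparing their public keys (SubjectPublicKeyInfo in PEM form).
# Works for RSA and EC keys; helper names are hypothetical.

# Print the public key derived from a private key file.
# Fails (empty output, non-zero status) if the file is not a readable key.
pub_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key embedded in a certificate, re-encoded through
# "openssl pkey" so both sides use the same normalised encoding.
pub_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -pubout 2>/dev/null
}

# Return 0 if key and cert match, 1 if they differ,
# 2 if either file is missing or cannot be parsed.
cert_key_match() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    k=$(pub_from_key "$1") || return 2
    c=$(pub_from_cert "$2") || return 2
    # Guard against comparing two empty strings after a parse failure.
    [ -n "$k" ] && [ -n "$c" ] || return 2
    [ "$k" = "$c" ]
}

# When run with two arguments (key file, cert file), report the result.
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    rc=$?
    case $rc in
        0) echo "MATCH: $1 and $2 are a pair" ;;
        1) echo "MISMATCH: $1 does not belong to $2" ;;
        *) echo "ERROR: could not read or parse $1 or $2" ;;
    esac
    exit "$rc"
fi
```

Saved as a script, it is called with the key file first and the cert file second, for example MY_CERT.key and MY_CERT.crt; an encrypted key will prompt for its passphrase.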

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in MY_CERT.crt -text -noout

Check a key

Check the RSA private key and verify its consistency:

openssl rsa -in MY_CERT.key -check

Check a CSR

Verify the CSR's signature and print the data filled in when the CSR was generated:

openssl req -text -noout -verify -in MY_CERT.csr

Remove Passphrase from a Key

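Write an unencrypted copy of the key. You'll be prompted for the existing passphrase. The output file is no longer protected by a passphrase, so restrict its file permissions.

openssl rsa -in MY_CERT.key -out NO_PWD_CERT.key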