OpenSSL

From DN Wiki
Revision as of 15:43, 22 June 2022 by Dave

Using OpenSSL to check and manipulate certs.

Certificate Formats

TODO: Add a note here about which format is which. The following is an attempt that's on-the-fly and largely deductive.

  • PFX is binary and contains cert and key.
  • PEM is ASCII HEX with cert (.crt or .pem) and key (.key) in separate files.

Convert PFX to PEM

Extract the key, then the cert, from the PFX. You'll be prompted for the password.

openssl pkcs12 -in MY_CERT_AND_KEY.pfx -nocerts -out MY_CERT.key
openssl pkcs12 -in MY_CERT_AND_KEY.pfx -clcerts -nokeys -out MY_CERT.crt

Convert PEM to PFX

Convert PEM cert and key into a PFX file.

openssl pkcs12 -export -in MY_CERT.crt -inkey MY_CERT.key -out MY_CERT.pfx

Validate that Cert and Key Match

If the cert and key are a pair, they should generate the same hash.

openssl rsa  -noout -modulus -in MY_CERT.key | openssl md5
openssl x509 -noout -modulus -in MY_CERT.crt | openssl md5
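
An added example (not part of the original wiki page): a shell function that compares the public key in the cert with the public key derived from the private key, rather than hashing the RSA modulus, so it also covers non-RSA keys such as EC. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that a PEM certificate and a PEM private key belong
# together by comparing their public keys. Function names are hypothetical.

# Print the PEM public key embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the PEM public key derived from a private key (RSA, EC, ...).
# Optional $2 is an openssl pass phrase source, e.g. "file:/path/to/secret".
key_pubkey() {
    if [ -n "${2:-}" ]; then
        openssl pkey -in "$1" -passin "$2" -pubout 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi
}

# Usage: cert_key_match CERT KEY [PASSIN]
# Returns 0 on match, 1 on mismatch, 2 if either file could not be parsed.
# The empty-output checks matter: two unreadable files must never "match".
cert_key_match() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2" "${3:-}") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Print a SHA-256 fingerprint of the cert's public key for logs or tickets.
cert_pubkey_fingerprint() {
    p=$(cert_pubkey "$1") || return 2
    [ -n "$p" ] || return 2
    printf '%s\n' "$p" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Command-line use: ./script.sh MY_CERT.crt MY_CERT.key
if [ "$#" -ge 2 ]; then
    cert_key_match "$@"
    case $? in
        0) echo "cert and key match" ;;
        1) echo "cert and key do NOT match" ;;
        *) echo "could not read cert or key" ;;
    esac
fi
```

Unlike the modulus pipeline, a failed parse here is reported separately instead of producing two identical hashes of empty input.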

Check a certificate

Check a certificate and return information about it (signing authority, expiration date, etc.):

openssl x509 -in MY_CERT.crt -text -noout

Check a key

Check the private key and verify its consistency:

openssl rsa -in MY_CERT.key -check

Check a CSR

Verify the CSR and print the data that was filled in when the CSR was generated:

openssl req -text -noout -verify -in MY_CERT.csr

Remove Passphrase from a Key

openssl rsa -in MY_CERT.key -out NO_PWD_CERT.key