SSL

Latest revision as of 15:34, January 16, 2024

OpenSSL

Get Certificate Information

From a Local File

Basic information for verifying a cert:

cat cert.crt | openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

CentOS 7 ships an older OpenSSL that doesn't support the -ext flag, but cPanel servers may have ea-openssl11 installed with an alternate binary path:

cat cert.crt | /opt/cpanel/ea-openssl11/bin/openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

Decode everything:

openssl x509 -in cert.crt -text -noout
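The one-liners above answer "what is in this cert" interactively. The shell functions below are an added example (not from this wiki) that wrap the same openssl x509 calls so they can be used from a script: a summary that falls back to parsing the full text dump when the installed openssl is too old for -ext, a SAN lister, and an expiry check built on -checkend. The OPENSSL variable and the cPanel path in the comment are assumptions; point it at whichever binary you have.

```shell
#!/bin/sh
# Added example, not the wiki's own code: inspect a PEM certificate file with
# openssl x509 and check how close it is to expiry.

# Which openssl to run. Override for an alternate build, e.g.
#   OPENSSL=/opt/cpanel/ea-openssl11/bin/openssl (assumed path from the page).
OPENSSL="${OPENSSL:-openssl}"

# cert_summary FILE: print subject, issuer, validity dates and the SAN line.
cert_summary() {
    file="$1"
    "$OPENSSL" x509 -in "$file" -noout -subject -issuer -dates || return 1
    # OpenSSL 1.1.1+ can print one extension directly.
    if "$OPENSSL" x509 -in "$file" -noout -ext subjectAltName 2>/dev/null; then
        return 0
    fi
    # Older builds reject -ext: pull the SAN line out of the full decode instead.
    "$OPENSSL" x509 -in "$file" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }'
}

# cert_sans FILE: print just the DNS names from the SAN extension, one per line.
# Works on any openssl version because it only relies on -text output.
cert_sans() {
    "$OPENSSL" x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_expires_within FILE SECONDS: return 0 if the certificate expires within
# SECONDS, 1 if it stays valid beyond that window. openssl's -checkend exits 0
# when the cert will NOT expire in time, so the sense is inverted here to read
# naturally in an "if".
cert_expires_within() {
    if "$OPENSSL" x509 -in "$1" -noout -checkend "$2" >/dev/null; then
        return 1
    fi
    return 0
}
```

A typical monitoring use is `cert_expires_within /etc/ssl/site.crt $((14*86400)) && echo "renew soon"`; the SAN lister is handy for confirming a renewed certificate still covers every hostname the old one did.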

From a Remote Certificate

openssl s_client -connect example.domain.com:443 -showcerts -CApath /etc/ssl/certs/ </dev/null

Don't show the CA certs:

openssl s_client -connect example.domain.com:443 -CApath /etc/ssl/certs/ </dev/null

Just show cert names, issuer, and dates:

openssl s_client -connect example.domain.com:443 </dev/null |openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

If SNI is involved:

openssl s_client -servername example.domain.com -connect example.domain.com:443 </dev/null |openssl x509 -noout -subject -ext "subjectAltName" -issuer -dates

When testing STARTTLS:

echo | openssl s_client -starttls smtp -crlf -connect example.domain.com:587

Test a Protocol

openssl s_client -connect example.domain.com:443 -tls1_3

You can go all the way down to TLS 1.0 (SSLv3 is so old it's not supported anymore):

openssl s_client -connect google.com:443 -tls1

CSRs

Decode an existing CSR:

openssl req -in mycsr.csr -noout -text

Generate a CSR

First, generate a private key in a secure directory with secure permissions. To do: Add instructions for generating domain.com.key

Second, generate the CSR itself which is paired with that key:

openssl req -new -nodes -key /path/to/domain.com.key -out domain.com.csr

Then fill in the order form. You'll need to save the Challenge Password if you want to use PKCS#12/PFX format for the cert.

If you need a SAN

Here are instructions for generating a CSR with a 4096-bit RSA key and a SAN subdomain (a second domain name should work too). The $state, $city, $company, $email, $domain and $whatever tokens are placeholders: replace them (or export them as shell variables) before running. You need to enter the whole block at once, because the config is fed to openssl through a process substitution.

openssl req -new -sha256 -nodes -out \*.$domain.com.csr -newkey rsa:4096 -keyout \*.$domain.com.key -config <(
cat <<-EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=$state
L=$city
O=$company name
OU=$company unit
emailAddress=$email@domain.com
CN = www.$domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $domain.com
DNS.2 = $whatever.$domain.com
EOF
)
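The heredoc above is fine for pasting into an interactive bash session. The function below is an added example (not the wiki's own code) that does the same job from a script: it creates the key under a restrictive umask so it is never world-readable, builds the subjectAltName list from arguments instead of hand-edited DNS.n lines, writes the config to a temp file so it also works in plain /bin/sh, and finishes with a check that the CSR really carries the requested names. The subject fields (C/ST/L/O) are constructed sample values, and the 2048-bit key size is a choice for speed; use 4096 to match the page.

```shell
#!/bin/sh
# Added example, not the wiki's own code.
# make_san_csr OUTDIR CN [EXTRA_DNS_NAME ...]
#   Generates OUTDIR/CN.key (mode 0600) and OUTDIR/CN.csr whose SAN lists the
#   CN plus every extra name. Subject fields below are constructed sample values.
make_san_csr() {
    outdir="$1"; cn="$2"; shift 2
    # umask 077 inside a subshell: the key file is created owner-only and the
    # caller's umask is left untouched. 2048 bits here; the page uses 4096.
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/$cn.key" 2>/dev/null) || return 1

    # Build "DNS:cn,DNS:extra1,..." from the arguments.
    sans="DNS:$cn"
    for name in "$@"; do
        sans="$sans,DNS:$name"
    done

    # Temp config instead of a process substitution, so /bin/sh can run this too.
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[req]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
ST = Example State
L = Example City
O = Example Org
CN = $cn

[req_ext]
subjectAltName = $sans
EOF
    openssl req -new -key "$outdir/$cn.key" -out "$outdir/$cn.csr" -config "$cfg"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_sans FILE: list the DNS names in a CSR's SAN extension, one per line.
# Use it to confirm the request covers every hostname before submitting it.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}
```

Usage: `make_san_csr /etc/pki/requests www.example.test api.example.test && csr_sans /etc/pki/requests/www.example.test.csr` (paths are constructed). Checking the SAN list after generation matters because a CA will happily issue exactly what the CSR asks for, and a missing name is only noticed when clients start failing hostname validation.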

Convert SSL Files

PFX/PKCS12 to PEM (you'll need the password that was used with the CSR):

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

PEM to PFX/PKCS12:

openssl pkcs12 -export -out cert.pfx -inkey /path/to/privateKey.key -in cert.pem -certfile CACert.pem
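The two commands above prompt for the password on the terminal. The functions below are an added example (not from this wiki) of the same conversions in script form, with the password supplied explicitly and a check that the bundle opens and contains exactly one private key. They use the `pass:` password source for brevity; for anything real, `-passin file:/path` or `env:VAR` keeps the secret out of shell history. The optional chain argument maps to the page's `-certfile CACert.pem`. One caveat worth knowing: OpenSSL 3 will not open PFX files that older tools encrypted with RC2 unless you add `-legacy` to the `openssl pkcs12` command.

```shell
#!/bin/sh
# Added example, not the wiki's own code: PEM <-> PKCS#12 conversions with
# explicit passwords, plus a sanity check on the resulting bundle.

# pem_to_pfx KEY CERT OUT PASSWORD [CHAIN]
#   Bundle a private key and its certificate (and optionally a CA chain file)
#   into OUT, protected by PASSWORD.
pem_to_pfx() {
    key="$1"; cert="$2"; out="$3"; pw="$4"; chain="$5"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pw"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pw"
    fi
}

# pfx_to_pem PFX OUT PASSWORD
#   Unpack the bundle to a single PEM with an unencrypted key (-nodes, as on
#   the page; OpenSSL 3 also spells it -noenc). Run under a tight umask if the
#   output must not be readable by other users.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3"
}

# pfx_check PFX PASSWORD
#   Return 0 only if PASSWORD opens the bundle and it holds exactly one private
#   key. The key is piped straight to grep and never written to disk.
pfx_check() {
    n=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY' || true)
    [ "$n" -eq 1 ]
}
```

Usage: `pem_to_pfx site.key site.crt site.pfx "$PW" chain.pem && pfx_check site.pfx "$PW"` (file names constructed). The check is the step that is usually skipped: a PFX that imports cleanly but carries no key, or the wrong key, is a common cause of an IIS or Java keystore that serves the chain and then fails the handshake.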