meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:openssl [2016/03/15 10:08] niziakssl:openssl [2023/06/21 09:56] (current) niziak
Line 1: Line 1:
-==== Add own CA cert ====+====== RSA keys ====== 
 +<code bash>openssl genrsa -des3 -out private.pem 2048</code> 
 +<code>openssl rsa -in private.pem -outform PEM -pubout -out public.pem</code> 
 +Export private key (unencrypted!) 
 +<code>openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM</code> 
 +Export pub key in OpenSSH format: 
 +<code>ssh-keygen -y -f private.pem</code> 
 + 
 +==== CA Bundle ==== 
 +=== Extract CAs form Mozilla === 
 +Direct download link [[https://curl.haxx.se/ca/cacert.pem|cacert.pem]] \\ 
 +Page [[https://curl.haxx.se/docs/caextract.html]] 
 + 
 + 
 +=== Add own CA cert ===
 <code bash> <code bash>
 sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Line 6: Line 20:
  
 ==== Info ==== ==== Info ====
 +Nice site verification tool: [[https://www.ssllabs.com|SSL Labs]]
 +
 <code bash> <code bash>
 openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
 openssl s_client -connect host.host:9999 openssl s_client -connect host.host:9999
 +
 +# With HTTP server name:
 +openssl s_client -connect host.host:9999 -servername myhostname.domain.com
  
 openssl x509 -in certificate.pem -text openssl x509 -in certificate.pem -text
 +</code>
 +
 +=== Verify crt, csr and key ===
 +<code>
 +openssl x509 -noout -modulus -in certificate.crt | openssl md5
 +openssl rsa -noout -modulus -in privateKey.key | openssl md5
 +openssl req -noout -modulus -in CSR.csr | openssl md5
 </code> </code>
  
 === Generate key === === Generate key ===
-<code>openssl dhparam -dsaparam -out dh2048.pem 2048</code>+<code> 
 +openssl dhparam -dsaparam -out dh2048.pem 2048 
 +openssl genrsa -des3 -out domain.com.key 2048 
 +</code> 
 +Remove password from keyfile: 
 +<code bash>openssl rsa -in www.key -out new.key</code> 
 + 
 +=== Generate CSR === 
 +<code>openssl req -new -key domain.com.key -out wild.domain.com.csr</code> 
 +With SHA256 
 +<code>openssl req -new -key domain.com.key -out wild.domain.com.csr -sha256</code> 
 + 
 + 
 +=== Server certificate chain === 
 + 
 +[[https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2|RFC 4346]] 
 +<code> 
 +  certificate_list 
 +    This is a sequence (chain) of X.509v3 certificates.  The sender'
 +    certificate must come first in the list.  Each following 
 +    certificate must directly certify the one preceding it.  Because 
 +    certificate validation requires that root keys be distributed 
 +    independently, the self-signed certificate that specifies the root 
 +    certificate authority may optionally be omitted from the chain, 
 +    under the assumption that the remote end must already possess it 
 +    in order to validate it in any case. 
 +</code> 
 + 
 + 
 +It is required to put not only site certificate in your web server configuration, but also provide intermediate certificate chain. 
 +If your server certificate is in PEM format (text), additional certificates can be simply concatenated. 
 +All certificates should be in correct order. 
 +To verify order 
 +<code>openssl s_client -connect gmail.com:443 -servername gmail.com</code> 
 +<code> 
 +Certificate chain 
 + 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com 
 +   i:/C=US/O=Google Inc/CN=Google Internet Authority G2 
 + 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 
 +   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
 + 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
 +   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 
 +</code>