linux:openssl [2016/03/17 06:21] niziakssl:openssl [2023/06/21 09:56] (current) niziak
Line 1: Line 1:
-==== Add own CA cert ====+====== RSA keys ====== 
 +<code bash>openssl genrsa -des3 -out private.pem 2048</code> 
 +<code>openssl rsa -in private.pem -outform PEM -pubout -out public.pem</code> 
 +Export private key (unencrypted!) 
 +<code>openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM</code> 
 +Export pub key in OpenSSH format: 
 +<code>ssh-keygen -y -f private.pem</code> 
 + 
 +==== CA Bundle ==== 
 +=== Extract CAs form Mozilla === 
 +Direct download link [[https://curl.haxx.se/ca/cacert.pem|cacert.pem]] \\ 
 +Page [[https://curl.haxx.se/docs/caextract.html]] 
 + 
 + 
 +=== Add own CA cert ===
 <code bash> <code bash>
 sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
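Review bot: typo in the new heading `=== Extract CAs form Mozilla ===`, should be `from`. In the "Export private key (unencrypted!)" step, `private_unencrypted.pem` is written with the default umask, so the warning in the heading is the only protection; suggest adding a line to restrict it (`chmod 600 private_unencrypted.pem`, or run the command with `umask 077`). Minor style point: the first fence is `<code bash>` but the following ones in this block are bare `<code>`; tag them consistently so the shell highlighting applies throughout.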
Line 6: Line 20:
  
 ==== Info ==== ==== Info ====
 +Nice site verification tool: [[https://www.ssllabs.com|SSL Labs]]
 +
 <code bash> <code bash>
 openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp openssl s_client -showcerts -connect smtp.gmail.com:587 -starttls smtp
 openssl s_client -connect host.host:9999 openssl s_client -connect host.host:9999
 +
 +# With HTTP server name:
 +openssl s_client -connect host.host:9999 -servername myhostname.domain.com
  
 openssl x509 -in certificate.pem -text openssl x509 -in certificate.pem -text
 +</code>
 +
 +=== Verify crt, csr and key ===
 +<code>
 +openssl x509 -noout -modulus -in certificate.crt | openssl md5
 +openssl rsa -noout -modulus -in privateKey.key | openssl md5
 +openssl req -noout -modulus -in CSR.csr | openssl md5
 </code> </code>
  
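Review bot: the comment `# With HTTP server name:` above the `-servername` example is misleading: `-servername` sets the TLS Server Name Indication (SNI) extension in the ClientHello, which is what a name-based virtual host needs in order to present the right certificate, independently of HTTP; suggest `# With SNI (TLS server name), needed for name-based virtual hosts:`. In the "Verify crt, csr and key" block, comparing `-modulus` digests only works for RSA material; an EC key has no modulus, so note that limitation and, for a key-type-agnostic check, compare the public keys instead (`openssl pkey -in privateKey.key -pubout` against `openssl x509 -in certificate.crt -noout -pubkey`). `| openssl md5` is adequate for an equality check, but `openssl sha256` reads better in a 2023 revision.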
Line 18: Line 44:
 openssl genrsa -des3 -out domain.com.key 2048 openssl genrsa -des3 -out domain.com.key 2048
 </code> </code>
 +Remove password from keyfile:
 +<code bash>openssl rsa -in www.key -out new.key</code>
  
 === Generate CSR === === Generate CSR ===
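Review bot: the new "Remove password from keyfile" example uses `www.key`/`new.key` while the `genrsa` line directly above it creates `domain.com.key`; use the same filename so the two commands read as one procedure. Also state that `new.key` is written unencrypted, so it needs restrictive permissions (`chmod 600 new.key`) and should stay on the host that serves it.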
Line 25: Line 53:
  
  
 +=== Server certificate chain ===
 +
 +[[https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2|RFC 4346]]
 +<code>
 +  certificate_list
 +    This is a sequence (chain) of X.509v3 certificates.  The sender's
 +    certificate must come first in the list.  Each following
 +    certificate must directly certify the one preceding it.  Because
 +    certificate validation requires that root keys be distributed
 +    independently, the self-signed certificate that specifies the root
 +    certificate authority may optionally be omitted from the chain,
 +    under the assumption that the remote end must already possess it
 +    in order to validate it in any case.
 +</code>
 +
 +
 +It is required to put not only site certificate in your web server configuration, but also provide intermediate certificate chain.
 +If your server certificate is in PEM format (text), additional certificates can be simply concatenated.
 +All certificates should be in correct order.
 +To verify order
 +<code>openssl s_client -connect gmail.com:443 -servername gmail.com</code>
 +<code>
 +Certificate chain
 + 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
 +   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 + 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 +   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 + 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 +   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 +</code>
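Review bot: the quoted `certificate_list` text is from RFC 4346 (TLS 1.1), which has been obsoleted by RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3); the ordering rule is the same in the current RFCs (RFC 8446 §4.4.2 still requires the sender's certificate first and only relaxes the order of the following certificates to SHOULD), so link the current RFC or say which version is being quoted. "To verify order" should also tell the reader what to look at: `s_client` prints the chain exactly as the server sent it, so depth 0 must be the site certificate and each `i:` line must match the `s:` line that follows it, and the `Verify return code:` line at the end of the output reports whether OpenSSL could build a path to a trusted root; "unable to get local issuer certificate" there is the usual symptom of a missing intermediate. Adding `-showcerts` to the example command makes `s_client` print each certificate in PEM form, which is what you need when diagnosing a chain. The sample output shows a Google Internet Authority G2 / GeoTrust chain that gmail.com no longer serves; worth refreshing so the example matches what a reader will see.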