The SSL/TLS open source toolbox demystified

We use SSL (X.509, to be precise) certificates every day without really noticing it. But what is more important than security in data exchanges? Nothing. Here is a small cheat sheet on how to do common things with OpenSSL.

The first thing you’ll need if you want to generate a certificate is a private key, with which you’ll sign requests/certificates.

Create a password-protected key

The key we’re about to create is password-protected. This obviously means that each time you or a daemon uses it, it will prompt for the password. This is definitely something you won’t want for a webserver, as at every service restart you’ll be obliged to type in the password. But anyway, this is how to generate a password-protected key:

openssl genrsa -des3 -out protected.key 2048
	Generating RSA private key, 2048 bit long modulus
	.........................+++
	......................................+++
	e is 65537 (0x10001)
	Enter pass phrase for protected.key: protected
	Verifying - Enter pass phrase for protected.key: protected

Not so long ago (1 year), certificate requests created from 1024-bit private keys could still be signed, but this has changed. You’re now required to use 2048-bit keys, and this length requirement will certainly increase in the coming years.

As every file we’re creating (except one that we’ll see later) is plain text, don’t be afraid to have a look at the content of the generated file:

cat protected.key 
	-----BEGIN RSA PRIVATE KEY-----
	Proc-Type: 4,ENCRYPTED
	DEK-Info: DES-EDE3-CBC,3989F5A8F66C7D52

	XoUHCMvVb65gw48e6zpQ02mMaYCis3kQ9yoVzXpqN1YDV8+/jNZqgvZHZXTGVowf
	K16ZgNdPfbKPKVtTNyDbo8+8lOBV2FGL5bP0cCeO6YNE0G3BO1HdJB3g4AAlUH4P
	GDORxnEjSkdzXcxo6pYQeeUONmnchUv1L8tOHySXLO0IKy3A8/uSCrh6V2m4tt4y
	DdYH74u6B5YRHnix2jEaC+JcEZ2hemdyiAkf9k8vLf0ml3E3qJFKz+JexZCgF6Sb
	1FX2zJZA3opk+244QFe2ncYGuvcN9F3dCN6y7b8WkAnJaWeHczb6V2zvFsbAuJ7B
	xUFvMjPEAPzdUu1JilDffb07ZRdICJGQldfxmT126O4yd+hhHXiBEK1jAZ+3+3wr
	SVxIo4sSag4B0xscWAQln+KmN+E+6FFEzXQONsMVvjalED+y5wfoB3XjmZeCDFFJ
	fzZ3QuLxDWlhCDmQWo+pjQmRTs4r774Hnr6+TjpX+QM+KFRnRwysAo9cykS/tsXZ
	2b3zrJWeeI+8vINP08YulsIC7Y5tSJwAyKw51IXQeJo5MHb5cj5IH4cgRfcIk0iu
	uuqaS0SbYVHN8TvSUcLgyCOb/45g/+j0paW+p4c0m+34/nmcUuQvUCNcg0QbRPIm
	LK2ETQKPfyd0k+DkiEhnuFzpgg2jev4XV6MwP0b8sW7w0Uz/gWzZsDk+3VD9my7h
	UzYpp2/syUPpg9Q8XOBZeqHRB0I9IJoVMi0LVibcUIqtK998QoY2yp7KSk0KEkqn
	gNf21VrXGIla+f/QkefXmrQROxRx+mooaIuo9jWJWeCggS3fEKg7Rj0zbKtOWX5f
	UQ04Z5gnGcJRjH89eKmidA6wCM2K3w8N+w6jDvYuxN90Y7AUvi66b6mRFN3mMkxM
	5FVlQVJAjMcMqpscOlPW4pwl3/K96B//ll7LurtYvip8asJLeT+qLQH53t2Z8ysY
	W8bMkOB+oDvoxYZx+oQ+9RM7dO1CeWL10JkRZWIbbKomR98rtnvxfFt5MmiUbRsM
	UyvtYn3r/BwYC0bMdNPTpznYsdbmXGoA0dqh9KBQxIq4XcSk1ylUkzXwiy+no1if
	ffxuAf8EP2knyTEqcQijymfRgYH20H+6CjppXnblldVGdeXnMvgrcJPV2iIIn3ls
	rrkAfjJuvWfdSCO+1HUHwrlq8qIr7/XYiTFXxehyHECz+HoeRBgiqPmo5JUcraSH
	yiDXW0NGGGGyvOBffCg3h7lezOTOh0tl0xnwztfhYpn90f7aZksakVV3yv6pkVnA
	Mx+TaMmaeytrQghlMI/Z9T88FxHaA8CKR7iqB/aEe1qHglIELjkQ0ceX5mmNn3ur
	dzxEywT+capFB67JkmdQ8rtoiSa4URJIknk1uJCNEryqsTCX+c3pn8M93anxl7wI
	bWIETsNFuuENEidZXImc1A8+sTdQsTQcnqWNIj+dH+P0mtEYTUu6fmpDft7qlHdp
	mOox3zDkqm3SrD/i7ySxYG+Vc2NlcNGtI1gnO63H//JqEZuuYeMXmEg0K/miXSHs
	9p2JQ4QG+HTNkfcdJPVRmZc+v1OowEiDtNGoP3/VgK5Wjtzb7GAxyQ==
	-----END RSA PRIVATE KEY-----

Remove password protection of a key

This is the operation you’ll have to perform if you have a password-protected key and one of its uses requires the protection to be removed. Please note that the original key remains unmodified.

openssl rsa -in protected.key -out unprotected.key
	Enter pass phrase for protected.key:
	writing RSA key

Now, when looking at the content of the file, we don’t see any encryption reference, meaning that the key is now unprotected:

cat unprotected.key 
	-----BEGIN RSA PRIVATE KEY-----
	MIIEowIBAAKCAQEAp1GxBzAZ/cBfe9vf2vqyz4Q18tZW/LNQrqEo9rrLcGXl7PnX
	YXqPh2eLT1IndPxebTrd/UH+qemVnQMeGcM1Qln4fq291npZ94N4ltpSlLYYHv1P
	bHjzgW0wisD8y3Kv5F8FNwXOK13vPdANEL0N8CkVX4zWQc/3tob0/AQ73ZKrkpIQ
	88SgYS/vIn+7cqJ8Hl/0KSeS+14K23o0K55UrdHPGyfPKkubLm2J187/qKOhCsaI
	20HmO8r84ryd/z66Qm4MjhEl30Zq/0SBJbm3Qocd+DtyR/zuc3w4u1bVxn9YETmD
	jJZgpMEsyLc8rmK9oKnreTbVl63A1UHLWB5SnwIDAQABAoIBAEzAlZN1hka3q1VW
	3E5IOCQnQtQdbJPI8dbZiL/9mfr6U0msphdKMHLtlaMSTZVFe09h9JkLX/Wzd/Up
	i/JHcLP6L5p0uqObRo/a2ENi7QTYryHwEzHwHcueOek8c/ojpvn8eJjv6c5M7cUO
	HiAyiSVEw1Ase9B+xOQO7mx4yLlvo5wMxykwXqrfbF9IAvs69tVKkrONBP4EdiZw
	/x07bUfP2LBIWDV1o0BTaIQW5es5AI7vloogZ8JhJD971Rqijqq3sQIlRRsTHm0E
	FJmccL+QuPZzsaES/PJ0OBuFyHPUzBmPj07NT2UzIsqserXzO2UUc2sBQ7pJxpEJ
	iOtGZRECgYEA1UPVpN63KDNXdzYp+5AXzpRZsDAkEA4wZj7Y30AcmhRxrXkefUNc
	zJPE6GEk/3rU3GRPZ15UUQxC8Mu0sswER3ISDAbEfqQH2LiaK+cO/4BtmnxjL45u
	nZTxfNw0K7ihEOKHhO9OMtoE5lQyaAcVg3WGguJs+cdX9dBaoWr8tgcCgYEAyNjn
	iLysvDLNAStSCwge8JrL5GTsg9zklDqbi4Th6BP/NngbJahPv9jgIJP0JQhkN1hr
	hSwbvvkKun+Dy+kNmFSk1BrTxjdZ15UHW+o+jS5PXF7t4XRuRaaTtFIT8PcysTsU
	ZEkpO2dfZbMwtjc0azTSWrAbjuOXwUVDC72amKkCgYEArcXlWr8jLP2QwpF+6f2C
	eJCG+Dpx2CdHpriFDHx4EdCgxEJR5q2x+vxZUSR++jGDKsYNsWO6foPoM7840QvO
	XM0FCYmmKK7NufjJnwZaQTTLmjrKsyBy37JSh3QCirGZhGGhHV/FL0hY/7kRjZRg
	IkrsPM/1Dh4xfRm2D5tWqZcCgYBWvp+ZRevQyJwUAjLIAvTh8+lVtmUUOoYaowll
	A7pR8rkKPGt1IzF2aWO7jksm523pHW4qsTc2jvccP1Cb9AbkIMKjvQZ0GJnb60in
	YQ8tCLBL89AHzLKHsH8gpUZpj0o8k4imG5cMSgRAt1i1ijhAiSrE8kSkvRVg6tof
	Kv+nKQKBgCbo741W7zhatPAHNw3VbfjWoXX1jVC9Vm48CaweQrCD/dL4jYiA/p9R
	ysW6yFNMPbfUjBWFCp7yGagluKcsugyIzB+IklqYolkks0/O+/idk75rQJM5GPbs
	Cx7CauDozTbbAH0Vq52Yn1Vszapt7rSXmPIctMX97WoKGTVYH0X9
	-----END RSA PRIVATE KEY-----

Create a passwordless key

If you don’t need password protection on a key at all, this is how to generate one directly without protection:

openssl genrsa -out noprotection.key 2048
	Generating RSA private key, 2048 bit long modulus
	.................................................................+++
	...............................................................+++
	e is 65537 (0x10001)
	
cat noprotection.key 
	-----BEGIN RSA PRIVATE KEY-----
	MIIEowIBAAKCAQEAzBA5nxOiSYERdbG8Nzt3YB61CUBCfeWSzHbTWDatqOMRBl27
	BNpvE6Nv2lmiUWycou3HZxcW87uGDhNLbHJpl4drQXaJ/hQHWDLkAus3PrXul1Ha
	WKEJpjuLb6C11ZAyNN4NdoBeTcCd5iFpDXd6Kco6FSF1zIosl1/HnwWOCyLnyaqC
	2IBoARzH4AFPNlV2xCDDtQQOwyIWgfNPaSnDhsLQO5HZVxz2U96akd8GHvajBXck
	fIbVQD3I8yR16O3Inc0Wy9Rp//UWdW89WgzoQmBc/h6gTHw1/t50fcFJfFS5YsaV
	UBy00UEI5sShzDgBuZn4fjGPYIl7BI8laH50twIDAQABAoIBACnK0OJBdSU0p8zA
	39k39pTa9Ry16mg6UjxJwbL5T8uc5Wm2XIz752/QMyI25UVjxxifNg1o7yxvpV7Q
	mMvXCsUb2N2JV22P0IlBsuzeG2xeekTHYL5yDLXc0AvGkDby1zV4nK0+URH/dtcg
	1JELfRt97TNSrPt8+PDvjsSEsLiayaujMxX4iLIYkLM9ZTchwsm+fr61QOJyP5fS
	aI+ssUKpRfEIqu6JvZJzAF01bbDiw6m3pTXgTCYPZsNjqd5Ryhr7lGYRUAc/m11C
	Z802j0eA66F13CtdBp/1M66ba70dl+ikFymc9zB9kljEogqieWoDcBwvSXZWZd9e
	PIUVVWECgYEA82MOt97kWbX+7dRnd0xS1pG1KxKrueFDuwTbcQBzlj/MeZmfOSvs
	3P1OUVlZeRm1RnRxNh+iBEEW0D+UbptsZujV4WkDbY2rN4V67zya5doAjN7ShQAp
	qhzq96C5wSRoTqczTdL0hnSt/9FncAej+KsX9C0USgbdOe4rRmhqH1kCgYEA1qN5
	N+/QMGwglUVt0Fnf88j1ma3nRgySI+h5oWlWEYTdEvSF3wLHMclL/ROjXTeZi6E/
	oPkcxs4HQZV+wyx6KfXbywpv01omHbWrzo+cRCHzzJFABXSBgTiVsVs8DbFZ6l2o
	uKL1IEICjzMPtCp+0zkQHA0SooLCVkNc0O/yQo8CgYEAkco/ccKxNE/BUgNOqvZs
	FJ2ZUSDQ/vpB0RAaxrjHhDPZLunnp555NvMA69fCsbjFjluHySzvpu66VKoRJqQx
	Lf/AxlJaPFCFRC/PsOizvIV2mOuMXSD41C6YTRbYzioZ1StwnuiDktrns3pjJIdf
	IECUi65JHgK4l8/j2jwHfZkCgYB4gMr7hp4BsZMReytOAEdlnPuWTjY7867QjiJL
	ZtI1f7yGedX3AJ5I61TIPxBGs4J3DA6nF3T6gI0+WuoSNZRYnnnJopBpvoELyQUu
	MR5wegdgYGPrLB/RJq2UJz6uCVYL6I1jK8onVCgPsYEti3YsrCrJNOWza2oj+CnR
	/AStLQKBgBEMJUnqxow8X7T5Cigta85Ywkap/7PGBfplKvubucw1EwfDsXIqm5wr
	JOlwrgZcU8zKS4FmRsWN2hrPHy4PvP4jDxO6PSDjCcLe8IjYwLDZ2kcgPLgb0GP7
	QeQVg9Vq5USq5ObjtjeE4cLOd0ELIrq2u9E5Ypn2eQaLxks6azi+
	-----END RSA PRIVATE KEY-----
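
A key without a passphrase is protected only by its file permissions, so it helps to be able to tell the two kinds of key file apart and to check who can read them. The script below is an added example, not part of the original article: the function names are made up, the sample files are constructed (PEM framing only, no key material), and besides the Proc-Type header shown above it also recognises the PKCS#8 framing ("BEGIN ENCRYPTED PRIVATE KEY" / "BEGIN PRIVATE KEY") that newer OpenSSL releases write.

```shell
#!/bin/sh
# Added example: classify a PEM private key file and flag risky file modes.
# The sample files are constructed: PEM framing only, no key material.

# Print "encrypted", "plaintext" or "unknown" for a PEM private key file.
pem_key_state() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
       grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted   # traditional header, or PKCS#8 encrypted framing
    elif grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plaintext
    else
        echo unknown
    fi
}

# Print "private" when group and others have no access, else "exposed".
key_file_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits, e.g. "r--r--"
    if [ "$perms" = "------" ]; then echo private; else echo exposed; fi
}

# One-line verdict combining both checks.
audit_key() {
    state=$(pem_key_state "$1")
    mode=$(key_file_mode "$1")
    case "$state/$mode" in
        plaintext/exposed) echo "FAIL: plaintext key readable beyond its owner" ;;
        plaintext/private) echo "OK: plaintext key, owner-only" ;;
        encrypted/exposed) echo "WARN: encrypted key, but file mode is loose" ;;
        encrypted/private) echo "OK: encrypted key, owner-only" ;;
        *)                 echo "WARN: not a recognised PEM private key" ;;
    esac
}

# Demo on constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$demo_dir/protected.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo_dir/unprotected.key"
chmod 600 "$demo_dir/protected.key"
chmod 644 "$demo_dir/unprotected.key"
for f in protected.key unprotected.key; do
    echo "$f -> $(audit_key "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```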

Generate a certificate signing request (CSR)

Here is where you fill in the information that you want to appear in the certificate once it gets signed by the certificate authority (CA). Although every field matters and needs to match reality (the CA will ask you for official papers that show the same information before it proceeds with signing), only one is really important: Common Name (eg, YOUR name). This is where you put the FQDN of the service the certificate will be used for, in this case bkraft.fr, as I want to be able to use it on this very website.

openssl req -new -key noprotection.key -out request.csr  
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:FR
	State or Province Name (full name) [Some-State]:France
	Locality Name (eg, city) []:Amnéville
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:BKRAFT 
	Organizational Unit Name (eg, section) []:testing stuff
	Common Name (eg, YOUR name) []:bkraft.fr	// ! HERE !
	Email Address []:benj@bkraft.fr

	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:
	An optional company name []:

The created file is also a plain text file:

cat request.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIC1TCCAb0CAQAwgY8xCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxEzAR
BgNVBAcUCkFtbsOpdmlsbGUxDzANBgNVBAoTBkJLUkFGVDEWMBQGA1UECxMNdGVz
dGluZyBzdHVmZjESMBAGA1UEAxMJYmtyYWZ0LmZyMR0wGwYJKoZIhvcNAQkBFg5i
ZW5qQGJrcmFmdC5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwQ
OZ8TokmBEXWxvDc7d2AetQlAQn3lksx201g2rajjEQZduwTabxOjb9pZolFsnKLt
x2cXFvO7hg4TS2xyaZeHa0F2if4UB1gy5ALrNz617pdR2lihCaY7i2+gtdWQMjTe
DXaAXk3AneYhaQ13einKOhUhdcyKLJdfx58Fjgsi58mqgtiAaAEcx+ABTzZVdsQg
w7UEDsMiFoHzT2kpw4bC0DuR2Vcc9lPempHfBh72owV3JHyG1UA9yPMkdejtyJ3N
FsvUaf/1FnVvPVoM6EJgXP4eoEx8Nf7edH3BSXxUuWLGlVActNFBCObEocw4AbmZ
+H4xj2CJewSPJWh+dLcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQBVCJXLH/7O
IXIzv8CTj3cMskMsdjUDISsjXmtJK6iYcIOqLPiJc2bzuwV3EP7PVMwoW9cyyukO
nMexBVfFGWARqq1Tu+lGor0u/FZBMl7C4oUjSFVc/AMOwBRZSLbfSb7+wu5hLk57
80ADc/4l0HO44tQdCoOKu6gQtns2lN6geYXB3UIS3sMRo65e25NcQDN+MwJI1mXw
t7If444HBSnyWdL0q29uXONCQJ4i0WZsswPSBh67P0Vt89MJ4C1E4KjvT9Uk6b3P
WoDkxOEumNhWGEiYt+iP01aXnA9t9ygDywUUn1HlKqp8+McxHoIgYejdWN6eKNk1
HMmG8Z0zbv7K
-----END CERTIFICATE REQUEST-----

Viewing the contents of a certificate signing request (CSR)

This is how you can have a second look at the information filled in the previously created CSR:

openssl req -in request.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=France, L=Amn\xC3\xA9ville, O=BKRAFT, OU=testing stuff, CN=bkraft.fr/emailAddress=benj@bkraft.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:10:39:9f:13:a2:49:81:11:75:b1:bc:37:3b:
                    77:60:1e:b5:09:40:42:7d:e5:92:cc:76:d3:58:36:
                    ad:a8:e3:11:06:5d:bb:04:da:6f:13:a3:6f:da:59:
                    a2:51:6c:9c:a2:ed:c7:67:17:16:f3:bb:86:0e:13:
                    4b:6c:72:69:97:87:6b:41:76:89:fe:14:07:58:32:
                    e4:02:eb:37:3e:b5:ee:97:51:da:58:a1:09:a6:3b:
                    8b:6f:a0:b5:d5:90:32:34:de:0d:76:80:5e:4d:c0:
                    9d:e6:21:69:0d:77:7a:29:ca:3a:15:21:75:cc:8a:
                    2c:97:5f:c7:9f:05:8e:0b:22:e7:c9:aa:82:d8:80:
                    68:01:1c:c7:e0:01:4f:36:55:76:c4:20:c3:b5:04:
                    0e:c3:22:16:81:f3:4f:69:29:c3:86:c2:d0:3b:91:
                    d9:57:1c:f6:53:de:9a:91:df:06:1e:f6:a3:05:77:
                    24:7c:86:d5:40:3d:c8:f3:24:75:e8:ed:c8:9d:cd:
                    16:cb:d4:69:ff:f5:16:75:6f:3d:5a:0c:e8:42:60:
                    5c:fe:1e:a0:4c:7c:35:fe:de:74:7d:c1:49:7c:54:
                    b9:62:c6:95:50:1c:b4:d1:41:08:e6:c4:a1:cc:38:
                    01:b9:99:f8:7e:31:8f:60:89:7b:04:8f:25:68:7e:
                    74:b7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        55:08:95:cb:1f:fe:ce:21:72:33:bf:c0:93:8f:77:0c:b2:43:
        2c:76:35:03:21:2b:23:5e:6b:49:2b:a8:98:70:83:aa:2c:f8:
        89:73:66:f3:bb:05:77:10:fe:cf:54:cc:28:5b:d7:32:ca:e9:
        0e:9c:c7:b1:05:57:c5:19:60:11:aa:ad:53:bb:e9:46:a2:bd:
        2e:fc:56:41:32:5e:c2:e2:85:23:48:55:5c:fc:03:0e:c0:14:
        59:48:b6:df:49:be:fe:c2:ee:61:2e:4e:7b:f3:40:03:73:fe:
        25:d0:73:b8:e2:d4:1d:0a:83:8a:bb:a8:10:b6:7b:36:94:de:
        a0:79:85:c1:dd:42:12:de:c3:11:a3:ae:5e:db:93:5c:40:33:
        7e:33:02:48:d6:65:f0:b7:b2:1f:e3:8e:07:05:29:f2:59:d2:
        f4:ab:6f:6e:5c:e3:42:40:9e:22:d1:66:6c:b3:03:d2:06:1e:
        bb:3f:45:6d:f3:d3:09:e0:2d:44:e0:a8:ef:4f:d5:24:e9:bd:
        cf:5a:80:e4:c4:e1:2e:98:d8:56:18:48:98:b7:e8:8f:d3:56:
        97:9c:0f:6d:f7:28:03:cb:05:14:9f:51:e5:2a:aa:7c:f8:c7:
        31:1e:82:20:61:e8:dd:58:de:9e:28:d9:35:1c:c9:86:f1:9d:
        33:6e:fe:ca

Generate a multidomain certificate signing request (CSR)

This is the only particular case. We’ve previously created a certificate that matches only bkraft.fr. But it’s possible to have a so-called multidomain certificate. To create one, the command is the same as for a standard CSR, but we need a locally modified openssl.cnf that enables X.509 v3 extensions so that we can specify subjectAltName.

# This is where openssl.cnf lives on a Mac. On Linux it should be in /etc
cp /System/Library/OpenSSL/openssl.cnf local_openssl.cnf
cat >> local_openssl.cnf <<EOF
[req]
req_extensions = v3_req

[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName          = @alt_names

[ alt_names ]
DNS.1   = bkraft.fr
DNS.2   = dotnul.com
EOF

Now proceed with the generation of the certificate signing request. The only requirement is to use the first alternate name (DNS.1) as the Common Name in this certificate signing request:

openssl req -new -config local_openssl.cnf -key noprotection.key -out multidomain.csr
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:FR
	State or Province Name (full name) [Some-State]:France
	Locality Name (eg, city) []:Amnéville
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:BKRAFT
	Organizational Unit Name (eg, section) []:.
	Common Name (eg, YOUR name) []:bkraft.fr
	Email Address []:benj@bkraft.fr

	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:
	An optional company name []:

Here is the content of our Multidomain CSR:

openssl req -in multidomain.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=France, L=Amn\xC3\xA9ville, O=BKRAFT, CN=bkraft.fr/emailAddress=benj@bkraft.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:10:39:9f:13:a2:49:81:11:75:b1:bc:37:3b:
                    77:60:1e:b5:09:40:42:7d:e5:92:cc:76:d3:58:36:
                    ad:a8:e3:11:06:5d:bb:04:da:6f:13:a3:6f:da:59:
                    a2:51:6c:9c:a2:ed:c7:67:17:16:f3:bb:86:0e:13:
                    4b:6c:72:69:97:87:6b:41:76:89:fe:14:07:58:32:
                    e4:02:eb:37:3e:b5:ee:97:51:da:58:a1:09:a6:3b:
                    8b:6f:a0:b5:d5:90:32:34:de:0d:76:80:5e:4d:c0:
                    9d:e6:21:69:0d:77:7a:29:ca:3a:15:21:75:cc:8a:
                    2c:97:5f:c7:9f:05:8e:0b:22:e7:c9:aa:82:d8:80:
                    68:01:1c:c7:e0:01:4f:36:55:76:c4:20:c3:b5:04:
                    0e:c3:22:16:81:f3:4f:69:29:c3:86:c2:d0:3b:91:
                    d9:57:1c:f6:53:de:9a:91:df:06:1e:f6:a3:05:77:
                    24:7c:86:d5:40:3d:c8:f3:24:75:e8:ed:c8:9d:cd:
                    16:cb:d4:69:ff:f5:16:75:6f:3d:5a:0c:e8:42:60:
                    5c:fe:1e:a0:4c:7c:35:fe:de:74:7d:c1:49:7c:54:
                    b9:62:c6:95:50:1c:b4:d1:41:08:e6:c4:a1:cc:38:
                    01:b9:99:f8:7e:31:8f:60:89:7b:04:8f:25:68:7e:
                    74:b7
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:bkraft.fr, DNS:dotnul.com // Here they are :)
    Signature Algorithm: sha1WithRSAEncryption
        3b:d8:9c:3b:3f:51:d0:8d:48:d1:24:8c:9c:83:5e:1e:59:cc:
        92:a7:71:e2:16:6a:c6:3a:39:f8:5a:79:cf:5b:37:05:d3:b0:
        cd:ea:79:62:6d:81:06:d6:d5:55:b8:c9:a7:d4:14:ef:81:11:
        5e:65:5b:4d:fd:ab:01:e9:0d:ee:5f:2e:24:38:46:5d:99:7e:
        f1:5c:32:5b:0c:ff:fc:3d:f0:d9:81:db:26:26:bb:ba:b6:94:
        a6:a1:1e:90:ba:da:b7:92:73:dd:9e:e0:11:ee:cf:05:2b:d0:
        e0:2a:54:57:2a:31:74:f1:1b:43:86:f0:96:f4:a1:bc:6f:f2:
        3d:f1:d5:11:81:a3:58:16:23:a4:b7:4f:39:83:3c:f5:ca:e1:
        6b:4e:47:8d:50:a2:9d:38:4f:f4:dd:4e:89:1a:74:58:5d:2d:
        de:cb:62:5b:0b:74:99:db:e9:d4:61:ef:86:94:8c:1b:c8:84:
        93:ab:c3:aa:a0:ed:a8:0e:6d:a0:ee:e8:b6:15:04:02:7d:94:
        ba:29:2c:ee:e1:19:94:51:29:17:a5:dc:68:2a:a9:a8:a9:15:
        f7:58:4a:08:5e:26:7a:1b:88:1c:c3:27:f9:e3:91:f0:15:74:
        a4:04:73:e6:53:14:5d:67:21:a1:9b:83:36:b4:70:9f:30:a0:
        09:d7:82:c0

Self-signing a certificate signing request (CSR)

Sometimes needed:

openssl x509 -req -days 365 -in request.csr -signkey noprotection.key -out selfsigned.crt
	Signature ok
	subject=/C=FR/ST=France/L=Amn\xC3\xA9ville/O=BKRAFT/OU=testing stuff/CN=bkraft.fr/emailAddress=benj@bkraft.fr
	Getting Private key

Viewing the contents of a certificate

openssl x509 -in selfsigned.crt -text -noout                                             
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            8a:a3:c6:cb:36:64:a4:e3
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, L=Amn\xC3\xA9ville, O=BKRAFT, OU=testing stuff, CN=bkraft.fr/emailAddress=benj@bkraft.fr
        Validity
            Not Before: Jun 17 08:22:07 2012 GMT
            Not After : Jun 17 08:22:07 2013 GMT
        Subject: C=FR, ST=France, L=Amn\xC3\xA9ville, O=BKRAFT, OU=testing stuff, CN=bkraft.fr/emailAddress=benj@bkraft.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:10:39:9f:13:a2:49:81:11:75:b1:bc:37:3b:
                    77:60:1e:b5:09:40:42:7d:e5:92:cc:76:d3:58:36:
                    ad:a8:e3:11:06:5d:bb:04:da:6f:13:a3:6f:da:59:
                    a2:51:6c:9c:a2:ed:c7:67:17:16:f3:bb:86:0e:13:
                    4b:6c:72:69:97:87:6b:41:76:89:fe:14:07:58:32:
                    e4:02:eb:37:3e:b5:ee:97:51:da:58:a1:09:a6:3b:
                    8b:6f:a0:b5:d5:90:32:34:de:0d:76:80:5e:4d:c0:
                    9d:e6:21:69:0d:77:7a:29:ca:3a:15:21:75:cc:8a:
                    2c:97:5f:c7:9f:05:8e:0b:22:e7:c9:aa:82:d8:80:
                    68:01:1c:c7:e0:01:4f:36:55:76:c4:20:c3:b5:04:
                    0e:c3:22:16:81:f3:4f:69:29:c3:86:c2:d0:3b:91:
                    d9:57:1c:f6:53:de:9a:91:df:06:1e:f6:a3:05:77:
                    24:7c:86:d5:40:3d:c8:f3:24:75:e8:ed:c8:9d:cd:
                    16:cb:d4:69:ff:f5:16:75:6f:3d:5a:0c:e8:42:60:
                    5c:fe:1e:a0:4c:7c:35:fe:de:74:7d:c1:49:7c:54:
                    b9:62:c6:95:50:1c:b4:d1:41:08:e6:c4:a1:cc:38:
                    01:b9:99:f8:7e:31:8f:60:89:7b:04:8f:25:68:7e:
                    74:b7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8f:b5:97:34:9d:83:9b:98:a6:6f:73:f2:46:b6:91:d5:56:c4:
        47:4a:3c:72:62:92:bd:55:9f:49:e6:b0:33:21:4d:fa:9a:d6:
        c4:e9:76:5c:8f:ae:3d:22:93:58:3b:5f:c1:7a:bc:66:73:07:
        25:55:27:34:2b:73:66:b7:54:ef:3c:35:38:fd:c0:db:16:d3:
        ca:2e:43:f4:cf:9c:90:bb:8e:d6:86:8d:7c:a9:62:43:d1:d9:
        5b:b8:0e:a6:37:d9:bb:5e:f9:fa:df:77:41:36:33:a9:71:32:
        51:fc:71:25:02:7a:c9:67:83:72:e7:ff:e1:58:27:b3:71:45:
        32:df:96:1a:05:2f:bc:07:bc:4e:9b:bf:e0:f5:7a:6c:8c:cc:
        69:0d:f4:c9:58:35:c2:b7:74:21:6a:b5:3d:8b:12:c7:37:53:
        5b:47:f6:5c:c3:5b:9b:85:8a:57:61:02:f0:5a:44:1f:bf:70:
        a8:60:c5:c5:0a:e2:b0:2f:8a:ba:82:8d:8c:74:19:62:fa:22:
        54:21:b1:4c:42:5a:cf:ba:bd:38:12:b2:3e:ec:b5:0d:bc:ae:
        14:ab:55:82:5a:02:c5:8a:b6:e0:ec:4c:56:de:79:1c:91:2c:
        1b:b6:16:d1:4d:26:ed:46:a6:c1:30:7b:b0:6f:56:9c:ef:cc:
        7b:6b:6a:9f
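
The multidomain request and the self-signing step, combined into one non-interactive script; it shows that openssl x509 -req does not carry the extensions requested in the CSR into the certificate unless -extfile and -extensions are given, so the plainly self-signed certificate has no subjectAltName. This is an added example, not part of the original article: it assumes openssl is on the PATH, and the file names (san.cnf, san.key, san.csr, plain.crt, san.crt) and helper functions are made up for the illustration.

```shell
#!/bin/sh
# Added example: multidomain CSR without prompts, then self-signing with and
# without -extfile. Assumes openssl is on PATH; file names are illustrative.

# Minimal request config: the v3_req/alt_names sections from above plus a
# pre-filled DN, so nothing is prompted for.
write_cfg() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = FR
O  = BKRAFT
CN = bkraft.fr

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = bkraft.fr
DNS.2 = dotnul.com
EOF
}

# Print the DNS names in a CSR ("req") or certificate ("x509"), space-separated.
san_of() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p' | paste -sd ' ' -
}

# SHA-256 of the public key in a key ("pkey"), CSR ("req") or cert ("x509").
pubkey_fp() {
    case "$1" in
        pkey) openssl pkey -in "$2" -pubout ;;
        *)    openssl "$1" -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# Create key, CSR and two self-signed certificates inside directory $1.
build() {
    (
        cd "$1" && umask 077 && write_cfg san.cnf &&
        openssl genrsa -out san.key 2048 2>/dev/null &&
        openssl req -new -config san.cnf -key san.key -out san.csr &&
        # Plain self-signing: extensions requested in the CSR are not copied.
        openssl x509 -req -days 365 -in san.csr -signkey san.key \
            -out plain.crt 2>/dev/null &&
        # Same, but naming the extension section to put into the certificate.
        openssl x509 -req -days 365 -in san.csr -signkey san.key \
            -extfile san.cnf -extensions v3_req -out san.crt 2>/dev/null
    )
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
build "$work"
echo "CSR SAN:        $(san_of req  "$work/san.csr")"
echo "plain.crt SAN:  $(san_of x509 "$work/plain.crt")"
echo "san.crt SAN:    $(san_of x509 "$work/san.crt")"
if [ "$(pubkey_fp pkey "$work/san.key")" = "$(pubkey_fp x509 "$work/san.crt")" ]; then
    echo "key and san.crt carry the same public key"
fi
rm -rf "$work"
```

Comparing pubkey_fp for the key, the CSR and the certificate is also a quick way to confirm that a certificate received from a CA belongs to the key you hold.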

Remote connection on SSL/TLS enabled port

Using telnet on an SSL-enabled port won’t get you far, as telnet is not designed to handle SSL handshakes. Moreover, TLS (as used here, through STARTTLS) is a way of securing connections on a standard port by switching to an encrypted context after the handshake is done.

Connect to an SSL-enabled port:

openssl s_client -connect titan.dclux.com:995

Connect to a TLS-enabled port:

openssl s_client -connect titan.dclux.com:25 -starttls smtp

You’re also able to download a remote certificate:

# download a remote certificate (https):
echo quit | openssl s_client -connect eurodns.com:443 -status 2>/dev/null | awk 'BEGIN { insidecert=0 }; /-----BEGIN CERTIFICATE-----/{ insidecert=1 }; {if (insidecert) { print $0 }}; /-----END CERTIFICATE-----/{ insidecert=0 }'

# download a remote certificate (TLS/smtp):
echo quit | openssl s_client -connect titan.dclux.com:25 -starttls smtp -status 2>/dev/null | awk 'BEGIN { insidecert=0 }; /-----BEGIN CERTIFICATE-----/{ insidecert=1 }; {if (insidecert) { print $0 }}; /-----END CERTIFICATE-----/{ insidecert=0 }'

Verify the validity of a certificate:

It’s possible to verify the validity of a certificate, but you’ll need to use the CA-BUNDLE (also called intermediate CA certificate) to do so:

openssl verify -CAfile InstantSSL_26May.ca-bundle -purpose any  test.crt
	test.crt: OK

Convert a certificate to and from Microsoft ® PKCS12 format

If you didn’t know it, the guys at Microsoft ® like weird stuff. This is the way of bundling a key and a certificate into a format readable by certmgr:

openssl pkcs12 -export -inkey noprotection.key -in selfsigned.crt -name "Windows friendly format" -out cert.p12 
	Enter Export Password: password
	Verifying - Enter Export Password: password

And this is the other way around:

openssl pkcs12 -in cert.p12 -out certfromp12 -nodes -clcerts
	Enter Import Password: password
	MAC verified OK

Using OCSP

OCSP is a not-so-widely-used (sigh) protocol for checking the status of a certificate or of the CA that issued it (it would have been useful in 2011, in the case where a sub-CA issued certificates for google.com :D).

# finding the OCSP url
openssl x509 -noout -text -in test.crt | egrep -i 'ocsp'
	OCSP - URI:http://ocsp.comodoca.com
# finding the serial number of the certificate
openssl x509 -in titantls.crt -serial -noout 
	serial=52BCBA490A90B8E65EA9BA4329D42128
# calling OCSP
openssl ocsp -issuer InstantSSL_26May.ca-bundle -nonce -CAfile InstantSSL_26May.ca-bundle -url http://ocsp.comodoca.com -serial "0x52BCBA490A90B8E65EA9BA4329D42128"
	0x52BCBA490A90B8E65EA9BA4329D42128: good //GOOD !
		This Update: Jun 18 04:12:43 2012 GMT
		Next Update: Jun 22 04:12:43 2012 GMT

Hint: To validate signature, please view page source and copy html code between BEGIN PGP Signed message and END PGP Signature anchors.

Created on 2012-06-18
