Useful openssl one-liners

As a follow-up to the certificate authority post, here are some (hopefully) useful openssl one-liners:

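# openssl cheat sheet: every command below is independent and meant to be run
# on its own, not as one script. user.*, ca.*, messagefile and FQDN are
# placeholder names.

# creating an RSA key (4096 bit)
# -aes256 encrypts the key file with a passphrase that openssl prompts for
openssl genrsa -aes256 -out user.key 4096

# creating a certificate signing request (signed with SHA-256)
openssl req -sha256 -new -key user.key -out user.csr

# signing the certificate signing request with a certificate authority
# (the CA settings are read from ca.config)
openssl ca -config ca.config -out user.crt -infiles user.csr

# creating a self-signed certificate
# (openssl's default validity is 30 days unless -days is given)
openssl req -sha256 -new -x509 -key user.key -out user.crt

# verify that user.crt was really signed by ca.crt
openssl verify -CAfile ca.crt user.crt

# decrypting the key (removes the passphrase)
# user.key.decrypted is an unprotected private key: keep it readable by its
# owner only and delete it once it is no longer needed
openssl rsa -in user.key -out user.key.decrypted

# creating a pkcs#7 format certificate in DER format
openssl crl2pkcs7 -nocrl -certfile user.crt -certfile ca.crt -outform DER -out user.p7c

# creating a pkcs#12 format certificate (IIS)
# the resulting file contains the private key; set an export password when prompted
openssl pkcs12 -export -in user.crt -inkey user.key -out server.pkcs12

# checking the data of a key
# -text prints the private key components, so keep the output out of logs
openssl rsa -noout -text -in user.key

# checking the data of the certificate request
openssl req -text -noout -in user.csr

# checking the data of a certificate
openssl x509 -noout -text -in user.crt

# checking the data of a pkcs#7 certificate
openssl pkcs7 -inform DER -text -print_certs -in user.p7c

# checking the data of a pkcs#12 certificate
# (reads server.pkcs12, the file written by the pkcs12 -export command above)
openssl pkcs12 -noout -info -in server.pkcs12

# showing the MD5 fingerprint of a certificate
# (-md5 is given explicitly: current openssl releases default to SHA-1 here)
openssl x509 -noout -fingerprint -md5 -in user.crt

# showing the SHA1 fingerprint of a certificate
openssl x509 -noout -fingerprint -sha1 -in user.crt

# showing the SHA-256 fingerprint of a certificate
# (prefer this one when comparing certificates: MD5 and SHA-1 are no longer
# collision resistant)
openssl x509 -noout -fingerprint -sha256 -in user.crt

# converting a key from PEM to DER format
# (written to user.key.der so the certificate conversion below, which writes
# user.der, does not overwrite it; the DER key is unencrypted as well)
openssl rsa -inform PEM -outform DER -in user.key.decrypted -out user.key.der

# converting a certificate from PEM to DER format
openssl x509 -inform PEM -outform DER -in user.crt -out user.der

# check if the certificate installation was successful
# </dev/null makes s_client exit after the handshake instead of waiting for input.
# This pipeline only shows the certificate the server presents; the chain check
# result ("Verify return code") is part of s_client's own output, which the pipe
# hides, so run s_client without the pipe to read it.
openssl s_client -connect FQDN:443 -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt </dev/null | openssl x509 -text | less

# provide an ssl server to test against
# (listens on port 9000 on all interfaces; for testing only, stop it afterwards)
openssl s_server -accept 9000 -cert user.crt -key user.key

# verify an s/mime signature
# (the signed content is discarded; the verification result is reported on
# stderr and in the exit status)
openssl smime -CAfile /usr/local/lib/openssl/certs/ca-bundle.crt -verify -in messagefile >/dev/null

# extract the s/mime Certificate to something usable :-)
openssl smime -pk7out -in messagefile | openssl pkcs7 -print_certs

# show subject, startdate, enddate (validity period / expiry date)
openssl x509 -noout -subject -startdate -enddate -in user.crt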
