TLS (aka SSL)

Cheatsheet

Dump CSR

openssl req -text -noout -verify -in CSR.csr

Dump CRT

openssl x509 -in certificate.crt -text -noout

Dump the certificate chain

openssl crl2pkcs7 -nocrl -certfile fullchain.pem | \
    openssl pkcs7 -print_certs -noout

SHA-256 CSR

openssl req -nodes -sha256 -newkey rsa:2048 -keyout xxx.key -out xxx.csr

Encrypt a plaintext key

openssl rsa -in rsa.key -aes128 -out rsa.key.encrypted

2048-bit DH params

openssl dhparam -outform pem -out dh-2048.pem 2048

Generate a self-signed certificate

(see How to Create and Install an Apache Self Signed Certificate for more info):

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
    -keyout privateKey.key -out certificate.crt

Generate a certificate signing request (CSR) for an existing private key

openssl req -out CSR.csr -key privateKey.key -new

Generate a certificate signing request based on an existing certificate

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Remove a passphrase from a private key

openssl rsa -in privateKey.pem -out newPrivateKey.pem

Check a private key

openssl rsa -in privateKey.key -check

Check a certificate

openssl x509 -in certificate.crt -text -noout

Check a PKCS#12 file (.pfx or .p12)

openssl pkcs12 -info -in keyStore.p12

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
    -in certificate.crt -certfile CACert.crt

Dealing with .PFX keys from Windows

If you want to extract the private key from a pfx file and write it to a PEM file:

openssl pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

If you want to extract the certificate file (the signed public key) from the pfx file:

openssl pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

To remove the password from the private key file:

openssl rsa -in privateKey.pem -out private.pem

To test with curl (-k skips verification of the server certificate, so this exercises only the client certificate):

curl -k --verbose https://example.com/secure/service \
    --cert 'cert.pem:PASSWORD' --key privatekey.pem

certwatch

Certwatch can routinely check (cron.daily) TLS certificates and warn you of impending expiration.

yum install crypto-utils
man certwatch

Add:

CERTWATCH_OPTS="-p 7"

to /etc/cron.daily/certwatch for a one-week warning.

Testing Tools

https://www.ssllabs.com/ssldb/index.html

Aggregated reporting: https://www.trustworthyinternet.org/ssl-pulse/

testssl.sh https://github.com/drwetter/testssl.sh

Configuration

Mozilla SSL Configuration Generator will generate configuration files for all the common web servers.

https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

Tools:

https://github.com/tomato42/tlsfuzzer

Debugging Using OpenSSL

If you are receiving an error that the private key doesn't match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands.

Compare a SHA-256 hash of the RSA modulus (the public key) to ensure that the certificate matches what is in the CSR or private key (the -modulus option only applies to RSA keys):

openssl x509 -noout -modulus -in certificate.crt | openssl sha256
openssl rsa -noout -modulus -in privateKey.key | openssl sha256
openssl req -noout -modulus -in CSR.csr | openssl sha256
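As an added example (not from the original page), a small POSIX shell helper that generalises the modulus check above to any key type: it hashes the DER SubjectPublicKeyInfo extracted from a certificate, private key or CSR, so it also works for EC and Ed25519 keys, which have no modulus. It assumes PEM input and an unencrypted private key; the function names are this example's own.

```shell
#!/bin/sh
# Compare the public key carried by a certificate, a private key and a CSR.
# The -modulus check only works for RSA; hashing the SubjectPublicKeyInfo
# works for every key type OpenSSL supports. Assumes PEM files and an
# unencrypted private key (otherwise openssl prompts for the passphrase).

# Print the SHA-256 hex digest of the public key inside $1. The file may be a
# certificate, a CSR or a private key; returns 1 if no public key is found.
pubkey_fingerprint() {
    f="$1"
    pub=$(
        if openssl x509 -in "$f" -noout 2>/dev/null; then
            openssl x509 -in "$f" -noout -pubkey
        elif openssl req -in "$f" -noout 2>/dev/null; then
            openssl req -in "$f" -noout -pubkey
        else
            openssl pkey -in "$f" -pubout 2>/dev/null
        fi
    ) || true
    [ -n "$pub" ] || return 1
    # Hash the DER form so PEM formatting differences cannot matter.
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if every file given carries the same public key, 1 on a mismatch,
# 2 if a file cannot be parsed. Usage: keys_match certificate.crt privateKey.key CSR.csr
keys_match() {
    ref=""
    for f in "$@"; do
        fp=$(pubkey_fingerprint "$f") || { echo "cannot read a public key from $f" >&2; return 2; }
        if [ -z "$ref" ]; then
            ref="$fp"
        elif [ "$fp" != "$ref" ]; then
            echo "MISMATCH: $f carries a different public key than $1" >&2
            return 1
        fi
    done
    echo "$# file(s) share public key sha256 $ref"
}

# Run directly as: sh keycheck.sh certificate.crt privateKey.key CSR.csr
[ "$#" -lt 2 ] || keys_match "$@"
```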

Check a TLS connection. All the certificates in the chain (including intermediates) should be displayed:

openssl s_client -connect www.paypal.com:443