Difference between revisions of "SSL Howto"

From S23Wiki
 
Line 34: Line 34:
 
You maybe asked for the password, if the pfx is protected.
 
You maybe asked for the password, if the pfx is protected.
 
This will generate a single file with the key and cert's
 
This will generate a single file with the key and cert's
 +
 +
 +
* remove the Passsprase from a private key
 +
openssl rsa -in pravatekey.proctected.pem -out privatekey.pem
  
  
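Review bot: The added entry misspells both its heading and its input filename ("Passsprase", "pravatekey.proctected.pem"); suggest "passphrase" and "privatekey.protected.pem". Since the command writes the key to privatekey.pem without a passphrase, the entry should also say that the output file is unencrypted and needs restrictive file permissions.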

Latest revision as of 09:20, 31 July 2014

A few handy hints and tips for messing with SSL certs and keys

  • Dump the certificate
openssl x509 -in url.crt
  • Dump the certificate details (-noout suppresses output of the certificate itself)
openssl x509 -in url.crt -noout -text
  • Find out the issuer of a certificate (useful for determining the chain file needed)
openssl x509 -in url.crt -noout -issuer
  • Display the valid from/valid to dates
openssl x509 -in url.crt -noout -dates

Check that a key and cert match

  • Find the modulus for both the cert and the key
openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus

If the two modulus values are identical, the key and the certificate are a pair. The modulus comparison applies to RSA keys. See also Cert-Key_Match.
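The date check and the key/cert match above can be combined into one pre-deployment check. The following is an added example, not part of the original wiki page: it compares a hash of the public key instead of the raw modulus, so it also works for non-RSA keys. The function names, exit codes and the 30-day default are assumptions, and the key is assumed to have no passphrase.

```sh
# Added example (not from the original page).
# cert_key_match CERT KEY [MIN_DAYS]
#   exit 0: KEY belongs to CERT and CERT is valid for MIN_DAYS more days
#   exit 1: key and certificate do not match
#   exit 2: certificate expires within MIN_DAYS (default 30, an assumption)
#   exit 3: certificate or key could not be parsed

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
# Fails on empty input so a parse error upstream is not hashed as "".
pubkey_sha256() (
    pem=$(cat)
    [ -n "$pem" ] || exit 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

cert_key_match() (
    cert=$1 key=$2 min_days=${3:-30}
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | pubkey_sha256) || exit 3
    key_fp=$(openssl pkey -in "$key" -pubout 2>/dev/null | pubkey_sha256) || exit 3
    [ "$cert_fp" = "$key_fp" ] || {
        echo "MISMATCH: $key is not the key for $cert" >&2
        exit 1
    }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || {
        echo "EXPIRING: $cert expires within $min_days days" >&2
        exit 2
    }
    echo "OK: key matches certificate (public key sha256 $cert_fp)"
)
```

Call it as `cert_key_match url.crt url.key` before installing a renewed certificate; any non-zero exit status means the pair should not be deployed.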


  • Convert a .pfx / pkcs12 to PEM

PKCS#12 is a combined key / cert container format. To convert it to PEM:

openssl pkcs12 -in url.pfx -out url.pem -nodes

You may be asked for the password if the pfx is protected. This will generate a single file containing the key and the certs. Because of -nodes, the private key in that file is not encrypted.


  • Remove the passphrase from a private key
openssl rsa -in privatekey.protected.pem -out privatekey.pem


Test an SSL site

openssl s_client -connect www.example.com:443


  • Check on a csr (Certificate Signing Request)
openssl req -noout -text -in foo.csr


  • Generate a csr (Certificate Signing Request)
openssl req -new -out foo.csr