    SSL Howto: Difference between revisions

    Content added Content deleted
    imported>DrOwl
    No edit summary
    imported>DrOwl
    No edit summary
     
    (One intermediate revision by the same user not shown)
    Line 25: Line 25:


    If they match, then the key is a pair with the certificate. See also [[Cert-Key_Match]].
    If they match, then the key is a pair with the certificate. See also [[Cert-Key_Match]].


    * Convert a .pfx / pkcs12 to PEM
    pkcs12 is a combined key / cert data format, to convert it to a pem:

    openssl pkcs12 -in url.pfx -out url.pem -nodes

    You maybe asked for the password, if the pfx is protected.
    This will generate a single file with the key and cert's


    * remove the Passsprase from a private key
    openssl rsa -in pravatekey.proctected.pem -out privatekey.pem



    '''Test an SSL site'''
    '''Test an SSL site'''
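    Review bot: the new "openssl pkcs12 -in url.pfx -out url.pem -nodes" entry should state that -nodes writes the private key into url.pem unencrypted, and the "openssl rsa -in ... -out privatekey.pem" entry likewise leaves an unprotected key on disk. Both entries should tell the reader to restrict the permissions on the output file (for example chmod 600) and to remove it once it is no longer needed. Also fix the spellings "Passsprase", "pravatekey.proctected.pem" and "You maybe asked".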
    Line 39: Line 53:
    * Generate a csr (Certificate Signing Request)
    * Generate a csr (Certificate Signing Request)


    Version 9 you can use openssl
    openssl req -new -out foo.csr
    openssl req -new -out foo.csr


    Versin 4.5 use genconf, which will prompt you for all information.

    genconf




    you will be asked to enter all the customers information (probably the same as the older scr, which can be found in '/config/ssl/ssl.csr' on big ip v9)
    [[Category:UNIX]]
    [[Category:UNIX]]
    [[Category:SSL]]
    [[Category:SSL]]
    [[Category:F5]]

    Latest revision as of 17:20, 31 July 2014

    A few handy hints and tips for messing with SSL certs and keys

    • Dump the certificate
    openssl x509 -in url.crt
    
    • Dump the certificate details (-noout suppresses output of the certificate itself)
    openssl x509 -in url.crt -noout -text
    
    • Find out the issuer of a certificate (useful for determining the chain file needed)
    openssl x509 -in url.crt -noout -issuer
    
    • Display the valid from/valid to dates
    openssl x509 -in url.crt -noout -dates
    

    Check that a key and cert match

    • Find the modulus for both the cert and the key
    openssl x509 -in url.crt -noout -modulus
    openssl rsa -in url.key -noout -modulus
    

    If they match, then the key and the certificate are a pair. See also Cert-Key_Match.
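The modulus comparison above as a script, an added example that is not part of the original wiki page; the function names are made up here. It returns a separate status when either file yields no RSA modulus, so two failed reads are never reported as a match.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that an RSA key and a
# certificate belong together by comparing their moduli.
# Function names are hypothetical.

# Print the hex modulus of a PEM file, or fail.
# $1: openssl subcommand, "x509" for a certificate or "rsa" for a key
# $2: path to the PEM file
get_modulus() {
    m=$(openssl "$1" -in "$2" -noout -modulus 2>/dev/null) || return 1
    m=${m#Modulus=}
    # Accept only a non-empty hex string, so an error message or an
    # empty result is never treated as a modulus.
    case "$m" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    printf '%s\n' "$m"
}

# Exit status: 0 = key and cert match, 1 = they differ,
# 2 = no RSA modulus could be read from one of the files.
cert_key_match() {
    cert_mod=$(get_modulus x509 "$1") || return 2
    key_mod=$(get_modulus rsa "$2") || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# When run as a script: ./cert_key_match.sh url.crt url.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "match"
    else
        case $? in
            1) echo "MISMATCH" ;;
            *) echo "could not read an RSA modulus" >&2 ;;
        esac
    fi
fi
```

A passphrase-protected key makes openssl prompt for the passphrase before the modulus can be read.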


    • Convert a .pfx / pkcs12 to PEM

    PKCS#12 is a combined key / cert data format. To convert it to PEM:

    openssl pkcs12 -in url.pfx -out url.pem -nodes
    

    You may be asked for the password if the pfx is protected. This will generate a single file containing the key and the certs; because of -nodes, the private key in that file is not encrypted.


    • Remove the passphrase from a private key
    openssl rsa -in privatekey.protected.pem -out privatekey.pem
    


    Test an SSL site

    openssl s_client -connect www.example.com:443
    


    • Check on a csr (Certificate Signing Request)
    openssl req -noout -text -in foo.csr
    


    • Generate a csr (Certificate Signing Request)
    openssl req -new -out foo.csr
    