Latest revision as of 17:20, 31 July 2014
A few handy hints and tips for messing with SSL certs and keys
- Dump the certificate
openssl x509 -in url.crt
- Dump the certificate details (-noout suppresses output of the certificate itself)
openssl x509 -in url.crt -noout -text
- Find out the issuer of a certificate (useful for determining the chain file needed)
openssl x509 -in url.crt -noout -issuer
- Display the valid from/valid to dates
openssl x509 -in url.crt -noout -dates
Check that a key and cert match
- Find the modulus for both the cert and the key
openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus
If they match, then the key is a pair with the certificate. See also Cert-Key_Match.
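The same check as a script, added here as an example and not part of the original page: it compares the public key in the certificate with the one derived from the private key instead of the RSA modulus, so it also works for EC keys, and it reports unreadable input as an error rather than a match. The function names and sample file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Compares public keys instead of
# RSA moduli, so it also covers EC keys. All file names are constructed samples.

# Exit status: 0 = key pairs with cert, 1 = mismatch, 2 = unreadable input.
cert_key_match() {
    # Capture each side separately: if both commands failed and their empty
    # output were compared, a naive check would report a match.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build throwaway sample keys and self-signed certs in directory $1.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example.test" \
        -keyout "$1/rsa.key" -out "$1/rsa.crt" 2>/dev/null || return 1
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$1/ec.key" -days 1 -subj "/CN=ec.example.test" \
        -out "$1/ec.crt" 2>/dev/null || return 1
}

# Print the result for one cert/key pair in words.
report() {
    cert_key_match "$1" "$2" && rc=0 || rc=$?
    case $rc in
        0) echo "MATCH    $1 <-> $2" ;;
        1) echo "MISMATCH $1 <-> $2" ;;
        *) echo "ERROR    cannot read $1 or $2" ;;
    esac
}

# Demo on the constructed samples: two matching pairs, two mismatches.
demo_dir=$(mktemp -d) && make_samples "$demo_dir" && {
    report "$demo_dir/rsa.crt" "$demo_dir/rsa.key"
    report "$demo_dir/ec.crt" "$demo_dir/ec.key"
    report "$demo_dir/rsa.crt" "$demo_dir/other.key"
    report "$demo_dir/rsa.crt" "$demo_dir/ec.key"
}
rm -rf "$demo_dir"
```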
- Convert a .pfx / pkcs12 to PEM
PKCS#12 is a combined key / cert data format. To convert it to PEM:
openssl pkcs12 -in url.pfx -out url.pem -nodes
You may be asked for the password if the pfx is protected. This will generate a single file containing the key and the certs; because of -nodes, the private key in that file is not encrypted.
- Remove the passphrase from a private key
openssl rsa -in privatekey.protected.pem -out privatekey.pem
Test an SSL site
openssl s_client -connect www.example.com:443
- Check on a csr (Certificate Signing Request)
openssl req -noout -text -in foo.csr
- Generate a csr (Certificate Signing Request)
openssl req -new -out foo.csr