Difference between revisions of "SSL Howto"

From S23Wiki
Line 25: Line 25:
  
 
If they match, then the key is a pair with the certificate. See also [[Cert-Key_Match]].
 
If they match, then the key is a pair with the certificate. See also [[Cert-Key_Match]].
 +
 +
 +
* Convert a .pfx / pkcs12 to PEM
 +
pkcs12 is a combined key / cert data format, to convert it to a pem:
 +
 +
openssl pkcs12 -in url.pfx -out url.pem -nodes
 +
 +
You maybe asked for the password, if the pfx is protected.
 +
This will generate a single file with the key and cert's
 +
  
 
'''Test an SSL site'''
 
'''Test an SSL site'''
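Review bot: The added conversion line `openssl pkcs12 -in url.pfx -out url.pem -nodes` writes the private key into url.pem unencrypted (that is what -nodes does), but the text around it only mentions the password that protects the .pfx; the paragraph "This will generate a single file with the key and cert's" should say that the output now holds a plaintext key and needs restrictive permissions, or that dropping -nodes makes OpenSSL encrypt the key on output. Also "You maybe asked" should read "You may be asked".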
Line 39: Line 49:
 
* Generate a csr (Certificate Signing Request)
 
* Generate a csr (Certificate Signing Request)
  
Version 9 you can use openssl
 
 
  openssl req -new -out foo.csr
 
  openssl req -new -out foo.csr
  
Versin 4.5 use genconf, which will prompt you for all information.
 
 
genconf
 
  
  
you will be asked to enter all the customers information (probably the same as the older scr, which can be found in '/config/ssl/ssl.csr' on big ip v9)
 
 
[[Category:UNIX]]
 
[[Category:UNIX]]
 
[[Category:SSL]]
 
[[Category:SSL]]
[[Category:F5]]
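Review bot: "Versin 4.5" on the genconf line is a typo for "Version 4.5", and "older scr" in the last paragraph looks like "older csr". Neither "Version 9 you can use openssl" nor "Versin 4.5 use genconf" names the product these versions belong to; since this same change adds [[Category:F5]] and the last paragraph refers to '/config/ssl/ssl.csr' on "big ip v9", both version lines should say BIG-IP explicitly so they are not read as OpenSSL versions.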
 

Revision as of 05:18, 24 January 2012

A few handy hints and tips for messing with SSL certs and keys

  • Dump the certificate
openssl x509 -in url.crt
  • Dump the certificate details (-noout suppresses output of the certificate itself)
openssl x509 -in url.crt -noout -text
  • Find out the issuer of a certificate (useful for determining the chain file needed)
openssl x509 -in url.crt -noout -issuer
  • Display the valid from/valid to dates
openssl x509 -in url.crt -noout -dates

Check that a key and cert match

  • Find the modulus for both the cert and the key
openssl x509 -in url.crt -noout -modulus
openssl rsa -in url.key -noout -modulus

If the two moduli are identical, the key is the private key belonging to that certificate. See also Cert-Key_Match.
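
As an added example (not from the S23Wiki page), the following POSIX shell script wraps the modulus comparison above in a function and adds a second function that compares the public keys instead, which also covers EC keys, where `openssl rsa -modulus` cannot be used. It generates its own throwaway self-signed certificates and keys, so it runs offline; the file names are made up, and it assumes an OpenSSL with the `pkey` subcommand (1.0.0 or later).

```shell
#!/bin/sh
# Added example, not from the wiki page: two ways to check that a private key
# belongs to a certificate.
#   rsa_modulus_match - the -modulus comparison from the page (RSA keys only)
#   cert_key_match    - compare the public keys instead, which also works for
#                       EC keys where "openssl rsa -modulus" fails
# Exit status of both: 0 = match, 1 = mismatch, 2 = a file could not be read.

rsa_modulus_match() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) && [ -n "$c" ] || return 2
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null) && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Print the PEM public key held in a certificate ("cert") or derived from a
# private key ("key"); both come out as the same SubjectPublicKeyInfo PEM.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac
}

cert_key_match() {
    c=$(pubkey_of cert "$1" 2>/dev/null) && [ -n "$c" ] || return 2
    k=$(pubkey_of key  "$2" 2>/dev/null) && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Demo on constructed throwaway material (self-signed, file names made up).
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=rsa-demo -days 1 \
        -keyout "$d/rsa.key" -out "$d/rsa.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ec.key" -subj /CN=ec-demo -days 1 \
        -out "$d/ec.crt" 2>/dev/null
    for pair in "rsa.crt rsa.key" "rsa.crt other.key" "ec.crt ec.key"; do
        set -- $pair
        cert_key_match "$d/$1" "$d/$2"; pk=$?
        rsa_modulus_match "$d/$1" "$d/$2"; mod=$?
        echo "$1 / $2: pubkey check=$pk  modulus check=$mod"
    done
    rm -rf "$d"
}
demo
```

The EC pair in the demo shows the practical difference: the public-key comparison reports a match (0), while the modulus method cannot read the EC key at all and returns 2.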


  • Convert a .pfx / pkcs12 to PEM

PKCS#12 (.pfx) is a container format that holds a key and certificate(s) together; to convert one to PEM:

openssl pkcs12 -in url.pfx -out url.pem -nodes

You may be asked for the password if the .pfx is protected. The result is a single file containing the private key and the certificate(s); because of -nodes the key is written unencrypted, so keep the file's permissions tight (or omit -nodes to have OpenSSL encrypt the key in the output).


Test an SSL site

openssl s_client -connect www.example.com:443


  • Check on a csr (Certificate Signing Request)
openssl req -noout -text -in foo.csr


  • Generate a csr (Certificate Signing Request)
openssl req -new -out foo.csr