brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e405486268e81f2249e100deb304775972774040
oam/knowledge base/openssl.md
Michele Cereda 81d263417b chore(letsencrypt): create valid certificates
2024-05-08 18:46:32 +02:00

237 lines
9.3 KiB
Markdown
Raw Blame History

# OpenSSL
## Table of contents <!-- omit in toc -->
1. [TL;DR](#tldr)
1. [Create a self signed certificate](#create-a-self-signed-certificate)
1. [Display the contents of a SSL certificate](#display-the-contents-of-a-ssl-certificate)
1. [Troubleshooting](#troubleshooting)
1. [Code 20: unable to get local issuer certificate](#code-20-unable-to-get-local-issuer-certificate)
1. [Code 21: unable to verify the first certificate](#code-21-unable-to-verify-the-first-certificate)
1. [Further readings](#further-readings)
1. [Sources](#sources)
## TL;DR
```sh
# Generate pseudo-random passwords.
openssl rand 32
openssl rand -base64 18
# Generate certificate signing requests.
# '-nodes' leaves the output files unencrypted.
openssl req -new -out 'request.csr' \
-newkey 'rsa:2048' -keyout 'private.key'
openssl req -new -out 'request.csr' -key 'private.key'
openssl req -new -out 'domain.req.pem'\
-config 'domain.conf' -days '365' -sha256
# Generate certificate signing requests from existing certificates and keys.
openssl x509 -x509toreq -out 'request.csr' \
-in 'certificate.crt' -signkey 'private.key'
# Generate self-signed certificates.
openssl req -x509 -out 'certificate.pem' \
-newkey 'rsa:4096' -keyout 'private.key' \
-subj '/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.company.com' \
-days '365' -sha256
openssl req -x509 -out 'certificate.pem' … -key 'private.key'
# Check PKCS#12 file (.p12 or .pfx).
openssl pkcs12 -info -in 'keyStore.p12'
# Verify certificate signing requests and print the data given in input
# during their creation.
openssl req -text -noout -verify -in 'request.csr'
# Check existing keys and verify their consistency.
openssl rsa -check -in 'file.key'
# Check certificates or keys and return information about them.
openssl x509 -text -noout -in 'certificate.crt'
openssl rsa -text -noout -in 'private.key'
# Verify certificate chains.
# If a certificate is its own issuer, it is assumed to be the root CA.
# This means the root CA needs to be self signed for 'verify' to work.
openssl verify -CAfile 'RootCert.pem' -untrusted 'Intermediate.pem' 'UserCert.pem'
# Check SSL connections.
# All the certificates (including the intermediate ones) should be displayed.
# CA certificates bundle on Linux: '/etc/ssl/certs/ca-certificates.crt'.
# '-servername' is used to specify a domain for multi-domain servers.
openssl s_client -connect 'www.google.com:443' -showcerts
openssl s_client … -servername 'host.fqdn'
openssl s_client … -CAfile 'ca/certificates/bundle.crt'
openssl s_client … -CApath '/etc/ssl/certs'
# Print out the MD5 hash of public keys.
openssl req -noout -modulus -in 'request.csr' | openssl md5
openssl rsa -noout -modulus -in 'private.key' | openssl md5
openssl x509 -noout -modulus -in 'certificate.crt' | openssl md5
# Remove password protection from keys.
openssl rsa -in 'protected.key' -out 'unprotected.key'
# Protect keys with passwords.
openssl rsa -aes192 -in 'unprotected.key' -out 'protected.key'
# Print the public key corresponding to private ones.
openssl rsa -in private.pem -pubout
openssl rsa -in private.pem -pubout -out public.pem
# Convert DER-formatted files (.crt .cer .der) to the PEM format.
openssl x509 -inform 'der' -in 'certificate.cer' -out 'certificate.pem'
openssl x509 -in 'certificate.cer' -out 'certificate.pem' -outform 'pem'
# Convert PEM files to the DER format.
openssl x509 -outform 'der' -in 'certificate.pem' -out 'certificate.der'
# Convert PKCS#12 files (.pfx .p12) with private key and certificates to PEM.
# '-nocerts' outputs only the private key.
# '-nokeys' outputs only the certificates.
# '-nodes' leaves the output files unencrypted.
openssl pkcs12 -in 'keyStore.pfx' -out 'keyStore.pem' -nodes
# Convert PEM certificates and private keys to PKCS#12 (.pfx .p12).
openssl pkcs12 -export -out 'certificate.pfx' \
-inkey 'privateKey.key' -in 'certificate.crt' \
-certfile 'cacert.crt'
# Create bundles.
# Mind the file order.
cat 'server.crt' 'intermediate1.crt' 'intermediateN.crt' 'rootca.crt'
```
## Create a self signed certificate
```sh
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
```
To make it **not** ask for a password, add the `-nodes` option.
To avoid answering the questions (for automation), add `-subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com"`:
```sh
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=NL/ST=Nederlands/L=Amsterdam/O=Mek Net/OU=Org/CN=mek.info"
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=NL/ST=Nederlands/L=Amsterdam/O=Mek Net/OU=Org/CN=mek.info"
Generating a 4096 bit RSA private key
..............................................................................................................................................................................................................................++
...........................................................................................................................................................................++
writing new private key to 'key.pem'
-----
$ ls
key.pem cert.pem
```
## Display the contents of a SSL certificate
```sh
# if PEM formatted
$ openssl x509 -in cert.pem -text
# if DER formatted
$ openssl x509 -in cert.der -inform der -text
```
```txt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:ac:32:b7:cd:42:3f:e3:05:48:36:ed:84:fc:56:b8
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=bed8ecc9-ae31-40b9-bb27-448ec91dd6f4
Rq4HD9Ap8Ew1r9ttTeECig==
-----END CERTIFICATE-----
```
## Troubleshooting
### Code 20: unable to get local issuer certificate
An `openssl s_client -connect` attempt fails with this error message:
```txt
CONNECTED(00000003)
depth=0 C = US, CN = server.fqdn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, CN = server.fqdn
verify error:num=21:unable to verify the first certificate
verify return:1
---
SSL-Session:
Verify return code: 21 (unable to verify the first certificate)
---
closed
```
See also [OpenSSL unable to verify the first certificate for Experian URL] and [Verify certificate chain with OpenSSL].
One or more certificates in the certificate chain is not valid, self-signed or simply was not provided by either the server or the client (if a client certificate is needed).<br />
This could also mean that the root certificate is not in the local database of trusted root certificates, which could have been not given to, or queried by, OpenSSL.
A well configured server sends the entire certificate chain during the handshake, therefore providing all the necessary intermediate certificates; servers for which the connection fails might be providing only the end entity certificate.
OpenSSL is **not** capable of getting missing intermediate certificates on-the-fly, so a `s_client -connect` attempt could fail where a full-fledge browser, able to discover certificates, would succeed on the same URL.
You can:
- either make the server send the entire certificate chain
- or pass the missing certificates to OpenSSL as client-side parameters using the '-CApath' or '-CAfile' options.
### Code 21: unable to verify the first certificate
The certificate chain is broken.<br />
This error is somewhat generic, and a previous error message might be telling more about the problem.
See [code 20](#code-20-unable-to-get-local-issuer-certificate).
## Further readings
- [OpenSSL commands to check and verify your SSL certificate, key and CSR]
- [The most common OpenSSL commands]
- [Create a self signed certificate]
- [Display the contents of a SSL certificate]
- [Check SSL certificate chain with OpenSSL examples]
## Sources
All the references in the [further readings] section, plus the following:
- [How to generate a self-signed SSL certificate using OpenSSL]
- [OpenSSL unable to verify the first certificate for Experian URL]
- [Verify certificate chain with OpenSSL]
- [How to put domain correctly in CSR?]
<!--
References
-->
<!-- In-article sections -->
[further readings]: #further-readings
<!-- Others -->
[check ssl certificate chain with openssl examples]: https://www.howtouselinux.com/post/certificate-chain
[create a self signed certificate]: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl#10176685
[display the contents of a ssl certificate]: https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
[how to generate a self-signed ssl certificate using openssl]: https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl#10176685
[how to put domain correctly in csr?]: https://www.namecheap.com/support/knowledgebase/article.aspx/9641/2290/how-to-put-domain-correctly-in-csr/
[openssl commands to check and verify your ssl certificate, key and csr]: https://www.ibm.com/support/pages/openssl-commands-check-and-verify-your-ssl-certificate-key-and-csr
[openssl unable to verify the first certificate for experian url]: https://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url
[the most common openssl commands]: https://www.sslshopper.com/article-most-common-openssl-commands.html
[verify certificate chain with openssl]: https://www.itsfullofstars.de/2016/02/verify-certificate-chain-with-openssl/
Reference in New Issue View Git Blame Copy Permalink