Sunday, March 24, 2013

General OpenSSL Commands

General OpenSSL Commands

These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.
  • Generate a new private key and Certificate Signing Request 
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info) 
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key 
    openssl req -out CSR.csr -key privateKey.key -new
  • Generate a certificate signing request based on an existing certificate 
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
  • Remove a passphrase from a private key 
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.
  • Check a Certificate Signing Request (CSR) 
    openssl req -text -noout -verify -in CSR.csr
  • Check a private key 
    openssl rsa -in privateKey.key -check
  • Check a certificate 
    openssl x509 -in certificate.crt -text -noout
  • Check a PKCS#12 file (.pfx or .p12) 
    openssl pkcs12 -info -in keyStore.p12
     
    openssl rsa -in 2013.admin-test-cer1b-pipB.sanoj.com.key -modulus -noout | openssl md5 --key
    724427f3ae344132c0284b3ceb16e481
    openssl req -in 2013.admin-test-cer1b-pipB.pipB.sanoj.com.csr -modulus -noout | openssl md5 --csr
    724427f3ae344132c0284b3ceb16e481
    openssl x509 -in 2013.admin-test-cer1b-pipB.pipB.sanoj.com.crt -modulus -noout | openssl md5 --crt
    724427f3ae344132c0284b3ceb16e481 
     

Debugging Using OpenSSL

If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.
  • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key 
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
  • Check an SSL connection. All the certificates (including Intermediates) should be displayed 
    openssl s_client -connect www.paypal.com:443



openssl req -new -nodes -newkey rsa:2048 -subj "/CN=sanoj.com /O=Sanoj  Corporation/C=US/ST=North Carolina/L=Charlotte" -keyout /var/tmp/sanoj.com.key -out /var/tmp/sanoj.csr




Posted by at

1 comment:

Subscribe to: Post Comments (Atom)