Using openssl is not always the easiest task in the world, but there are a number of commands that I find myself using over and over again. So much that I can almost type them in my sleep.
Parsing certificates
Reading X.509 certificates in PEM format:openssl x509 -in cert.pem -text
Reading X.509 certificates in DER format:
openssl x509 -inform DER -in cert.der -text
Converting X.509 certificates from DER to PEM:
Reading a CSR in DER format:
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pemYou can also add parameters to only output specific fields, like certificate serial number, public key etc. I rarely use those though, I just dump the cert and look at the whole thing.
Parsing certificate signing requests (CSRs)
Reading a CSR in PEM format:openssl req -in req.pem -text
Reading a CSR in DER format:
openssl req -inform DER -in req.pem -text
Converting a CSR from DER to PEM:
openssl req -inform DER -in req.der -outform PEM -out req.pem
Parsing pure ASN.1
Sometimes you really want to see the nitty gritty details of a certificate or CSR, to find out what encoding is used in the DN, how the extensions look, what order fields actually are in the file etc.
openssl asn1parse -in cert.pem
add the dump parameter to dump the (unknown) contents of sequences:
openssl asn1parse -in cert.pem -dump
Generating certificate signing requests (CSRs)
To generate a new key pair and a certificate request, for example for getting a certificate for an apache server:
openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key
Check the private key:
openssl rsa -in cesecore2013.key -check
When generating CSRs you can add a lot of options to put in the CSR, like Subject Alternative names, certificate purposes, OCSP URLs etc. When creating CSRs to be sent to a CA this is normally not needed. The CA will populate all the fields for you, and normally ignore any additional fields that you specify (a real CA have no reason to trust arbitrary input from you). If you are generating your own self-signed certificates however, this may be of interest.Kevin McArthur has written a nice blog post how to work with OpenSSL to create certificates and CSRs. It's a bit outdated, but Kevin may update it.
Parsing PKCS#12 keystores
Reading a PKCS#12 file, giving output with encrypted private key in PEM format:
openssl pkcs12 -in superadmin.p12
Reading a PKCS#12 file, output with unencrypted private key:
openssl pkcs12 -in superadmin.p12 -nodes
The following commands are useful for splitting a PKCS#12 file up into PEM components (for example for an apache server or for manual sign/verify operations):
Reading a PKCS#12 file, outputing only the certificate to a file:
openssl pkcs12 -in server.p12 -nodes -nokeys -clcerts -out server.pem
Reading a PKCS#12 file, outputing only the private key to a file:
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.priv
Reading the cert, extracting the public key in RSA format:
openssl x509 -in server.pem -pubkey -noout > server.pub
Signing and verifying large files
Signing of large files are done by making a digest (hash) of the file and then signing the hash:
openssl dgst -sign superadmin.key -sha1 file.txt > file.txt.sign
Verification of a file is done by verifying the signed hash (extracting the original hash) and comparing that to a newly calculated hash of the file:
openssl dgst -verify superadmin.pubkey -signature file.txt.sign -sha1 file.txt
See also Code signing over in the EJBCA Admin Guide.Cmpforopenssl
I have previously written about cmpforopenssl. This is a great tool for using the CMP protocol.You can read more about cmpforopenssl and EJBCA in the EJBCA Admin Guide.
OCSP
A popular openssl command for me is the OCSP request command. I use this to test OCSP responders all the time:
openssl ocsp -issuer Test-CA.pem -CAfile Test-CA.pem -cert Test.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
The tricky thing here is if you have an external OCSP responder, i.e. not requesting directly from the CA, then you must have the right combination of -CAfile and chain commands in order for the verification to succeed without having openssl claim that issuer is not trusted. The above command is perfect if you are requesting directly from the CA...
TLS client
You can test TLS/SSL servers using OpenSSL's s_client command. This is great for debugging TLS connections. It will show you the certificates used by the server and the accepted CA certificates sent by the server when asking for client certificate authentication. It can also be used to see the cipher suites negotiated.
openssl s_client -debug -msg -connect servername:443 > debug-log.txt < /dev/null
openssl s_client -debug -msg -connect servername:443 > debug-log.txt < /dev/null
Converting between JKS and PKCS#12 (not using openssl)
Another old popular blog post I wrote was about converting between JKS and P12 using simple java commands, keytool.
Remove MS CSP information from a PKCS12/PFX
George L wrote an interesting comment on LinkedIn.
It's about MS adding CSP information when exporting a PKCS12 files, and this can cause errors when importing it into other versions of Windows. He provided a cool script that removes this information, using openssl.
It's about MS adding CSP information when exporting a PKCS12 files, and this can cause errors when importing it into other versions of Windows. He provided a cool script that removes this information, using openssl.
----------------- removeCSP.bat --------------
@echo off
rem make sure you've got openssl and grep either in your path or in the same directory as the batch file
set /p pass=Please enter keystore password:
cd /d "%~dp0"
openssl pkcs12 -in "%~f1" -nodes -passin pass:"%pass%" | grep -v
Microsoft | openssl pkcs12 -export -out "%~f1".new.pfx -passout
pass:"%pass%"
echo Conversion complete.
pause
------------------ removeCSP.bat --------------
Some other nice tools are gcr-viewer (part of GNOME keyring) can be invoked by double-clicking .p12 files in Nautilus or invoked from CLI. Quite nice to "browse" keystores graphically.
ReplyDeleteAnd then we also have the dumpasn1 CLI tool to view raw ASN.1 data. It's quite handy to disect things...
Broken link at http://ejbca.org/adminguide.html#Interoperability
ReplyDeleteThanks. The proper link is:
ReplyDeletehttp://ejbca.org/docs/adminguide.html#Interoperability
(Google doesn't let me edit the post right now...)