Tuesday, November 19, 2013

OpenSSL commands every PKI expert should know

Let's face it, OpenSSL is the number one toolkit for any PKI expert when it comes to dissecting and manipulating files such as CSRs, certificates, PKCS#12 keystores, asymmetric keys etc. We use it all the time when developing EJBCA, Open Source PKI.

Using openssl is not always the easiest task in the world, but there are a number of commands that I find myself using over and over again. So much that I can almost type them in my sleep.

Parsing certificates

Reading X.509 certificates in PEM format:
openssl x509 -in cert.pem -text

Reading X.509 certificates in DER format:
openssl x509 -inform DER -in cert.der -text

Converting X.509 certificates from DER to PEM:
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem

You can also add parameters to only output specific fields, like certificate serial number, public key etc. I rarely use those though, I just dump the cert and look at the whole thing.

Parsing certificate signing requests (CSRs)

Reading a CSR in PEM format:
openssl req -in req.pem -text

Reading a CSR in DER format:
openssl req -inform DER -in req.pem -text

Converting a CSR from DER to PEM:
openssl req -inform DER -in req.der -outform PEM -out req.pem

Parsing pure ASN.1

Sometimes you really want to see the nitty gritty details of a certificate or CSR, to find out what encoding is used in the DN, how the extensions look, what order fields actually are in the file etc.

openssl asn1parse -in cert.pem

add the dump parameter to dump the (unknown) contents of sequences:
openssl asn1parse -in cert.pem -dump

Generating certificate signing requests (CSRs)

To generate a new key pair and a certificate request, for example for getting a certificate for an apache server:
openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key

Check the private key:
openssl rsa -in cesecore2013.key -check

When generating CSRs you can add a lot of options to put in the CSR, like Subject Alternative names, certificate purposes, OCSP URLs etc. When creating CSRs to be sent to a CA this is normally not needed. The CA will populate all the fields for you, and normally ignore any additional fields that you specify (a real CA have no reason to trust arbitrary input from you). If you are generating your own self-signed certificates however, this may be of interest. 
Kevin McArthur has written a nice blog post how to work with OpenSSL to create certificates and CSRs. It's a bit outdated, but Kevin may update it.

Parsing PKCS#12 keystores

Reading a PKCS#12 file, giving output with encrypted private key in PEM format:
openssl pkcs12 -in superadmin.p12

Reading a PKCS#12 file, output with unencrypted private key:
openssl pkcs12 -in superadmin.p12 -nodes

The following commands are useful for splitting a PKCS#12 file up into PEM components (for example for an apache server or for manual sign/verify operations):

Reading a PKCS#12 file, outputing only the certificate to a file:
openssl pkcs12 -in server.p12 -nodes -nokeys -clcerts -out server.pem

Reading a PKCS#12 file, outputing only the private key to a file:
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.priv

Reading the cert, extracting the public key in RSA format:
openssl x509 -in server.pem -pubkey -noout > server.pub

Signing and verifying large files

Signing of large files are done by making a digest (hash) of the file and then signing the hash:
openssl dgst -sign superadmin.key -sha1 file.txt > file.txt.sign

Verification of a file is done by verifying the signed hash (extracting the original hash) and comparing that to a newly calculated hash of the file:
openssl dgst -verify superadmin.pubkey -signature file.txt.sign -sha1 file.txt

See also Code signing over in the EJBCA Admin Guide.


I have previously written about cmpforopenssl. This is a great tool for using the CMP protocol.
You can read more about cmpforopenssl and EJBCA in the EJBCA Admin Guide.


A popular openssl command for me is the OCSP request command. I use this to test OCSP responders all the time:

openssl ocsp -issuer Test-CA.pem -CAfile Test-CA.pem -cert Test.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp

The tricky thing here is if you have an external OCSP responder, i.e. not requesting directly from the CA, then you must have the right combination of -CAfile and chain commands in order for the verification to succeed without having openssl claim that issuer is not trusted. The above command is perfect if you are requesting directly from the CA...

TLS client

You can test TLS/SSL servers using OpenSSL's s_client command. This is great for debugging TLS connections. It will show you the certificates used by the server and the accepted CA certificates sent by the server when asking for client certificate authentication. It can also be used to see the cipher suites negotiated.
openssl s_client -debug -msg -connect servername:443 > debug-log.txt < /dev/null

Converting between JKS and PKCS#12 (not using openssl)

Another old popular blog post I wrote was about converting between JKS and P12 using simple java commands, keytool.

Remove MS CSP information from a PKCS12/PFX

George L wrote an interesting comment on LinkedIn.
It's about MS adding CSP information when exporting a PKCS12 files, and this can cause errors when importing it into other versions of Windows. He provided a cool script that removes this information, using openssl.

----------------- removeCSP.bat --------------
@echo off
rem make sure you've got openssl and grep either in your path or in the same directory as the batch file
set /p pass=Please enter keystore password:
cd /d "%~dp0"
openssl pkcs12 -in "%~f1" -nodes -passin pass:"%pass%" | grep -v Microsoft | openssl pkcs12 -export -out "%~f1".new.pfx -passout pass:"%pass%"
echo Conversion complete.
------------------ removeCSP.bat --------------


Marcus Lundblad said...

Some other nice tools are gcr-viewer (part of GNOME keyring) can be invoked by double-clicking .p12 files in Nautilus or invoked from CLI. Quite nice to "browse" keystores graphically.
And then we also have the dumpasn1 CLI tool to view raw ASN.1 data. It's quite handy to disect things...

Jaime Hablutzel said...

Broken link at http://ejbca.org/adminguide.html#Interoperability

tomas said...

Thanks. The proper link is:

(Google doesn't let me edit the post right now...)