Root certificate is not a part of bundle, and should be configured as a trusted on your machine. Verify certificate, when you have intermediate certificate chain. Verify certificate, provided that you have root and any intemediate certificates configured as trusted on your machine: Openssl req -noout -modulus -in example.csr | openssl sha256 Openssl x509 -noout -modulus -in example.crt | openssl sha256 Openssl rsa -noout -modulus -in example.key | openssl sha256 Verify that private key matches a certificate and CSR: Openssl x509 -in cert.pem -fingerprint -sha256 -noout Verify CSRs or certificates Print certificate’s fingerprint as md5, sha1, sha256 digest: Openssl x509 -in example.crt -text -noout Print textual representation of the certificate Openssl x509 -req -in child.csr -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -out child.crt If you were a CA company, this shows a very naive example of how you could issue new certificates. Sign child certificate using your own “CA” certificate and it’s private key. Openssl x509 -req -in example.csr -signkey example.key -out example.crt -days 365 Openssl req -nodes -newkey rsa:2048 -keyout example.key -out example.crt -x509 -days 365Ĭreate a self signed certificate using existing CSR and private key: Where req.conf: prompt=nodefault_md = sha256distinguished_name = dnreq_extensions = req_ext CN= DNS.1=DNS.2=Create X.509 certificatesĬreate self-signed certificate and new private key from scratch: Openssl req -new -key example.key -out example.csr -config req.conf Generate a CSR for multi-domain SAN certificate by supplying an openssl config file: Openssl x509 -x509toreq -in cert.pem -out example.csr -signkey example.key
Openssl req -nodes -newkey rsa: -keyout example.key -out example.csr -subj "/C=UA/ST=Kharkov/L=Kharkov/O=Super Secure Company/OU=IT Department/CN="Ĭreate a CSR from existing certificate and private key: Provide CSR subject info on a command line, rather than through interactive prompt. Openssl req -nodes -newkey rsa: -keyout example.key -out example.csr Openssl req -new -key example.key -out example.csr -Ĭreate a CSR and a private key without a pass phrase in a single command:
It’s better to avoid weak functions like md5 and sha1, and stick to sha256 and above. In the commands below, replace with the name of the supported hash function: md5, sha1, sha224, sha256, sha384 or sha512, etc. Openssl dhparam -out dhparams.pem Create certificate signing requests (CSR) List available EC curves, that OpenSSL library supports: Openssl ec -in example.ec.key -text -noout Openssl ecparam -genkey -name | openssl ec -out example.ec.key curve is to be replaced with: prime256v1, secp384r1, secp521r1, or any other supported elliptic curve: Openssl rsa -des3 -in example.key -out example_with_pass.key Openssl rsa -in example.key -out example.keyĮncrypt existing private key with a pass phrase: If the key has a pass phrase, you’ll be prompted for it: Openssl genrsa -aes256 -out example.key Ĭheck your private key. Generate new RSA key and encrypt with a pass phrase based on AES CBC 256 encryption: Openssl rsa -in example.key -noout -modulus In the commands below, replace with the key size (For example, 2048, 4096, 8192).
For example, I skip encryption and decryption, or using openssl for CA management. Surely, this is not a complete list, but it covers the most common use cases and includes those I’ve been working with.
OPENSSL VERIFY CERTIFICATE HOW TO
man pages are not so helpful here, so often we just Google “openssl how to ” or look for some kind of “openssl cheatsheet” to recall the usage of a command and see examples. OpenSSL includes tonnes of features covering a broad range of use cases, and it’s difficult to remember its syntax for all of them and quite easy to get lost. When it comes to security-related tasks, like generating keys, CSRs, certificates, calculating digests, debugging TLS connections and other tasks related to PKI and HTTPS, you’d most likely end up using the OpenSSL tool.
0 kommentar(er)
