Introduction
In this article we walk through OpenSSL, the open-source toolkit that implements TLS and the general-purpose cryptography behind it. Whether you are a seasoned IT professional or just getting started, the commands below cover the everyday tasks of certificate management: generating keys and signing requests, reading and cross-checking the resulting files, converting between formats, and a handful of utility operations.
The formats and terms used in the article:
- CRT (Certificate) - an X.509 certificate: a public key bound to a subject name and signed by an issuer
- KEY (Key) - a private key (RSA or EC); it never leaves the host that uses it
- CSR (Certificate Signing Request) - the public key plus the requested subject, signed with the private key and submitted to a CA
- DH (Diffie-Hellman parameters) - the group parameters a server uses for finite-field DHE key exchange
- PKCS#12 (PFX, P12) - a password-protected container holding a certificate, its chain and the matching private key
- DER - the binary (ASN.1) encoding of a certificate, key or CSR
- PEM - the same DER bytes, Base64-encoded between -----BEGIN ...----- and -----END ...----- lines
- P7B (PKCS#7) - a container for a certificate chain, without private keys
- DKIM (DomainKeys Identified Mail) - an e-mail authentication method whose signing keys are generated with the same key commands shown here
- RSA (Rivest-Shamir-Adleman) - the public-key cryptosystem used for the keys in this article
Generation
Install OpenSSL on Debian:
sudo apt-get install openssl
Generate a Private Key (4096 bits). genrsa writes the key unencrypted; add -aes256 to protect it with a passphrase, and keep the file owner-only (mode 0600):
openssl genrsa -out server.key 4096
Generate CSR and Key Pair (2048 bits):
openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
Generate CSR for an existing Key:
openssl req -out server.csr -key server.key -new
Generate CSR for existing CRT and Key:
openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key
Generate a Self-Signed CRT for one year (key and certificate in one step; note that browsers ignore the CN and require a subjectAltName, which openssl req can add with -addext "subjectAltName=DNS:hostname" since OpenSSL 1.1.1):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt
Sign a CSR with your own CA, producing a v3 CRT valid for one year. The -req flag tells x509 that the input is a CSR rather than a certificate (without it the command fails); the extensions from -extfile are what make the result a v3 certificate, and -CAcreateserial creates the myCA.srl serial-number file on first use:
openssl x509 -req -days 365 -in myCSR.csr -extfile v3.ext -CA myCA.crt -CAkey myCA.key -CAcreateserial -out userCertificate.crt
Example v3.ext (basicConstraints=CA:FALSE stops the issued certificate from being used to sign further certificates; for a TLS server certificate the file must also carry a subjectAltName line naming the hosts, because browsers ignore the CN):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Order of Certificates in a bundle file (leaf first; each certificate is followed by the one that signed it):
- Server Certificate
- Intermediate Certificate
- Root Certificate
cat server.crt > server.pem
cat intermediate.crt >> server.pem
cat ca.crt >> server.pem
Most servers only need the server and intermediate certificates: clients already hold the root in their trust store, so sending it is harmless but unnecessary.
Generate DH parameters:
openssl dhparam -out dhparam.pem 2048
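The whole procedure above, wired together as an added example that is not code from the original article: a throw-away two-level private CA (root, intermediate, server) that issues a v3 server certificate with a subjectAltName, bundles the chain leaf-first and verifies it. The directory layout, the host name www.example.test, the subject names and the key sizes are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: a throw-away two-level
# private CA (root -> intermediate -> server) built from the commands in this
# section. It issues a v3 server certificate that carries a subjectAltName,
# bundles the chain leaf-first as described above and verifies the result.
# The directory layout, the host name www.example.test and the subject names
# are assumptions for illustration only.
set -eu

# Key + CSR without prompts: $1 = dir, $2 = base name, $3 = CN, $4 = RSA bits.
# "x509 -req" below ignores CSR extensions, so they are supplied in ext files.
make_csr() {
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$3" > "$1/$2.cnf"
  openssl req -new -newkey "rsa:$4" -nodes -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  chmod 600 "$1/$2.key"   # a private key must never be group- or world-readable
}

# Issue everything into directory $1.
build_chain() {
  dir=$1

  # Root CA: self-signed with "x509 -req -signkey", restricted to signing
  # certificates and CRLs; a self-signed root needs no authorityKeyIdentifier.
  make_csr "$dir" root "Example Test Root CA" 4096
  cat > "$dir/root.ext" <<EOF
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/root.ext" -out "$dir/root.crt"

  # Intermediate: signed by the root; pathlen:0 means it may only issue leaves.
  make_csr "$dir" int "Example Test Issuing CA" 4096
  cat > "$dir/int.ext" <<EOF
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl x509 -req -sha256 -days 1825 -in "$dir/int.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.crt"

  # Server leaf: the article's v3.ext plus the subjectAltName that browsers
  # require (the CN is ignored) and an extendedKeyUsage of serverAuth.
  make_csr "$dir" server "www.example.test" 2048
  cat > "$dir/server.ext" <<EOF
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" -CA "$dir/int.crt" \
    -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt"

  # Bundle in the order servers expect: leaf, intermediate, root. Many servers
  # only need the first two; clients already have the root in their trust store.
  cat "$dir/server.crt" "$dir/int.crt" "$dir/root.crt" > "$dir/fullchain.pem"
}

# Exit 0 only if the leaf chains to the root through the intermediate and the
# SAN really made it into the certificate.
check_chain() {
  dir=$1
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" "$dir/server.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'DNS:www.example.test'
}

main() {
  work=$(mktemp -d)
  build_chain "$work"
  check_chain "$work" && echo "chain verified, bundle at $work/fullchain.pem"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not installed (e.g. apt-get install openssl)" >&2
fi
```

Run it as a script, then inspect the result with openssl x509 -in server.crt -text -noout from the Verification section: the issuer is the intermediate, the Subject Alternative Name lists both hosts, and openssl verify only succeeds when the intermediate is supplied, which is exactly why it belongs in the bundle.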
Verification
Verify CSR:
openssl req -text -noout -verify -in server.csr
verify OK
Verify Key:
openssl rsa -in server.key -check
RSA key OK
Read a Public Key (the rsa form works for RSA keys only; pkey handles any key type):
openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout
Read CRT:
openssl x509 -in server.crt -text -noout
Read CSR:
openssl req -in server.csr -noout -text
Verification that CRT and KEY Match
The modulus hashes of the certificate and the private key must be identical (md5sum only shortens the output for comparison by eye; any digest will do). This trick works for RSA only, since EC keys have no modulus.
openssl x509 -noout -modulus -in server.crt | md5sum
openssl rsa -noout -modulus -in server.key | md5sum
Verification that CSR and CRT Match
The modulus hashes of the certificate and the signing request must be identical (again RSA only).
openssl x509 -noout -modulus -in server.crt | md5sum
openssl req -noout -modulus -in server.csr | md5sum
PKCS#12 Verification (prompts for the import password; without -noout the private key is printed to the terminal in the clear, so run this on a trusted host only)
openssl pkcs12 -info -in server.p12
Display All Certificates sent by a server (-servername sends the SNI the server needs to pick the right certificate, -showcerts prints the whole chain rather than only the leaf, and redirecting stdin ends the session immediately)
openssl s_client -connect internet-lab.ru:443 -servername internet-lab.ru -showcerts </dev/null
Conversion
DER to PEM Conversion
openssl x509 -inform der -in server.cer -out server.pem
PEM to DER Conversion
openssl x509 -outform der -in server.pem -out server.der
PKCS#12 to PEM Conversion (-nodes leaves the extracted private key unencrypted in server.pem; protect the file accordingly)
openssl pkcs12 -in server.pfx -out server.pem -nodes
PEM to PKCS#12 Conversion (-certfile adds the chain; OpenSSL 3 encrypts the container with AES-256-CBC and PBKDF2 by default, so add -legacy if an older consumer cannot open the result)
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt
Export
Exporting the Public Key from a Private Key (rsa is RSA-only; openssl pkey -pubout does the same for any key type)
openssl rsa -in privkey.pem -pubout > key.pub
Exporting the Public Key from a Certificate
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
Additional Commands
Removing the Passphrase from a Private Key (prompts for the current passphrase; the output is stored unencrypted, so restrict it to mode 0600 and do this only for unattended services that cannot supply a passphrase)
openssl rsa -in server.pem -out newserver.pem
List Revoked Serial Numbers from a CRL (use -inform PEM for a PEM-encoded CRL)
openssl crl -inform DER -text -noout -in list.crl
File Encryption using rsautl (deprecated in OpenSSL 3 in favour of openssl pkeyutl; rsautl defaults to PKCS#1 v1.5 padding, so prefer -oaep, and RSA can only encrypt data smaller than the key modulus minus the padding overhead, which makes it suitable for wrapping session keys rather than files)
openssl rsautl -encrypt -in plaintext.txt -out encrypted.txt -pubin -inkey pubkey.pem
File Decryption using rsautl
openssl rsautl -decrypt -in encrypted.txt -out plaintext.txt -inkey privkey.pem
Elevate your server infrastructure without breaking the bank. At Newserverlife, we not only provide top-quality refurbished servers but also offer peace of mind with our commitment to reliability and performance.
Specialists of our company are ready to help you purchase the server and select the necessary server configuration for any required task.