OpenSSL Notes

-

Creating/Modifying

Generate a new private key

openssl genrsa -out example.key 2048

Remove a passphrase from a private key

openssl rsa -in example.key -out new_example.key

Generate a new private key and CSR (certificate signing request)

openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout example.key

Generate a self-signed SSL certificate

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt

Generate a CSR using an existing private key

openssl req -out example.csr -key example.key -new

Generate a CSR based on an existing certificate

openssl x509 -x509toreq -in example.crt -out example.csr -signkey example.key

Generate a CSR with multiple Subject Alternative Names (SANs)

Create a config file:

[req]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = New York
L = New York
O = Secure Corp, LLC
OU = IT
CN = host.securecorp.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = other-host.securecorp.com
DNS.2 = best-host.securecorp.com
DNS.3 = worst-host.securecorp.com

Generate the key and CSR simultaneously:

openssl req -new -newkey rsa:2048 -nodes -sha256 -config csr_details.conf -keyout example.key -out example.csr

Checking Existing Keys/CSRs/Certificates

Display CSR contents

openssl req -text -noout -verify -in example.csr

Check a private key

openssl rsa -in example.key -check

Display a certificate's contents

openssl x509 -in example.crt -text -noout

Extract a PEM certificate from a PKCS7 file

openssl pkcs7 -print_certs -in source.p7b -out certificate.crt

Confirm that a key and certificate match

(openssl x509 -noout -modulus -in example.crt |openssl md5;openssl rsa -noout -modulus -in example.key |openssl md5) | uniq | wc -l

(A result of 1 means they match, 2 means they don't)

You can also check a CSR with:

openssl req -noout -modulus -in example.csr |openssl md5

Debugging site SSL certificate installation

Check an SSL connection. All the certificates (including intermediates) should be displayed

echo | openssl s_client -servername www.example.com -connect www.example.com:443

Show certificate details from a web server

echo | openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -noout -text

Comments

Post a Comment

Popular posts from this blog

SSH Private Keys - RSA vs. OpenSSH

-
It would seem that ssh-keygen on OS X Mojave generates OpenSSH Private Keys instead of the traditional RSA Private Keys. While on the surface this is not a problem at all, it recently created a problem for us in combination with our use of the net-ssh Ruby gem, specifically that only RSA Private Keys are supported by this particular version of the gem, unless other dependencies are explicitly installed. So there would appear to be two solutions to this problem. First, we could update the net-ssh gem or discover/install whatever other dependencies are required to support OpenSSH Private Keys. Option two is to convert the existing private key from OpenSSH to RSA. The man page for ssh-keygen is helpful, but not nearly clear enough for this use case, so I'm documenting it here because I'm sure it'll come back to bite me again in the future. Assuming ~/.ssh/id_rsa starts with: -----BEGIN OPENSSH PRIVATE KEY----- Run ssh-keygen -p -m PEM -f ~/.ssh/id_rsa and you will
Read more

Google Wifi and Verizon FiOS

-
Image
There are a bunch of articles spread around the internet about how to best use Google Wifi and Verizon FiOS together. The concepts are really applicable to any case where you want to replace the Verizon FiOS router with your own, while still retaining full TV functionality (Guide, On-Demand, Remote DVR access, On-Screen Caller ID, etc). My experience drew heavily from several sources, including http://www.dslreports.com/faq/16077 , https://robotpoweredhome.com/google-nest-wifi-verizon-fios/ , and https://www.arhea.net/posts/2020-01-012-fios-own-router.html . My ultimate goal was to completely remove the Verizon FiOS router (in my case, a G1100), while retaining full functionality. The gist of what my setup looks like is below: The components involved here are: FiOS ONT (Optical Network Terminal) Google Wifi Points Any unmanaged 10/100/1000 Ethernet Switch (you decide how many ports you need) MOCA Bridge (Actiontec WCB3000) FiOS TV One DVR (Arris VMS4100) FiOS TV Set Top Boxes (Arris
Read more