Differences between revisions 2 and 11 (spanning 9 versions)
Revision 2 as of 2009-06-27 20:22:46
Size: 2834
Editor: SamatJain
Comment:
Revision 11 as of 2014-06-24 15:27:39
Size: 5352
Editor: SamatJain
Comment: Note about how to concatenate intermediate certificates
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
== Poor man's benchmark ==

Quick way to compare processing power of CPUs.

{{{#!highlight sh numbers=off
openssl speed sha1
}}}

To test whether the CPU and installed version of OpenSSL can work with crypto acceleration (i.e. AES-NI):

{{{#!highlight sh numbers=off
openssl speed aes-256-cbc
openssl speed -evp aes-256-cbc
}}}

throughput should be faster (bigger numbers) with the second command.
Line 7: Line 24:
{{{#!highlight sh numbers=off
# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem
}}}

$DOMAIN.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache.

== Create certificate request w/ SubjectAltName fields ==

SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.

Create a configuration file, $DOMAIN.conf:
Line 8: Line 40:
openssl req -nodes -new -keyout blah.key.pem -out blah.req.pem
}}}

blah.key.pem will act as an `SSLCertificateKeyFile` for mod_ssl in Apache
cat > $DOMAIN.conf << EOF

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York City
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
commonName_default = $DOMAIN
commonName_max = 64

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = www.$DOMAIN

EOF
}}}

Then use this configuration file to create a CSR:

{{{#!highlight sh numbers=off
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf
}}}
Line 15: Line 76:
{{{#!highlight sh numbers=off
openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem
}}}

== Generate key ==

{{{#!highlight sh numbers=off
# RSA key
openssl genrsa -out $DOMAIN.key.pem 4096
# EC key (using prime256v1 curve)
openssl ecparam -out $DOMAIN.key.pem -name prime256v1 -genkey
}}}

== Display certificate information ==

{{{#!highlight sh numbers=off
# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text
}}}

== Creating a PEM file for servers ==

{{{#!highlight sh numbers=off
cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem
}}}

Used by courier-imap, etc.

If there are intermediate certificates, those must be concatenated AFTER the other certificates.

== Creating a PKCS12-format file ==

{{{#!highlight sh numbers=off
openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"
}}}

Used for creating certificates used in e-mail clients and web browsers

== Signing e-mails ==

{{{#!highlight sh numbers=off
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem
}}}

= Certificate Authority stuff =

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

== Create CA certificate ==

{{{#!highlight sh numbers=off
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
}}}

== Export CA certificate in DER format ==

{{{#!highlight sh numbers=off
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
}}}

Used by web browsers.

== Revoke certificate ==

{{{#!highlight sh numbers=off
openssl ca -revoke $DOMAIN.crt.pem
}}}

== Generate Certificate Revocation List (CRL) ==

{{{#!highlight sh numbers=off
openssl ca -gencrl -out crl/$DOMAIN-CA.crl
}}}

== Sign Certificate Request ==

{{{#!highlight sh numbers=off
openssl ca -out blah.crt.pem -in $DOMAIN.req.pem
}}}

blah.crt.pem acts as `SSLCertificateFile` for Apache

== Create Diffie-Hoffman Parameters for Current CA ==

{{{#!highlight sh numbers=off
openssl dhparam -out $DOMAIN-CA.dhp.pem 1536
}}}

== Create self-signed certificate from generated key ==

{{{#!highlight sh numbers=off
openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem
}}}

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

= Command-line tricks =

== Simple file encryption ==

{{{#!highlight sh numbers=off
openssl enc -bf -A -in file_to_encrypt.txt
}}}

== Simple file decryption ==

{{{#!highlight sh numbers=off
openssl enc -bf -d -A -in file_to_encrypt.txt
}}}

= Verify hosts =
Line 16: Line 191:
openssl x509 -subject -dates -fingerprint -in blah.key.pem
}}}

== Generate key ==

{{{#!highlight sh
openssl genrsa -out blah.key.pem
}}}

== Display certificate information ==

{{{#!highlight sh
openssl x509 -in blah.crt.pem -noout -text
}}}

== Creating a PEM file for servers ==

{{{#!highlight sh
cat blah.key.pem blah.crt.pem blah.dhp.pem > blah.pem
}}}

Used by courier-imap, etc.

== Creating a PKCS12-format file ==

{{{#!highlight sh
openssl pkcs12 -export -in blah.crt.pem -inkey blah.key.pem -out blah.p12 -name "Bill Gates"
}}}

Used for creating certificates used in e-mail clients and web browsers

== Signing e-mails ==

{{{#!highlight sh
openssl smine -sign -in msg.txt -text -out msg.encrypted -signer blah.crt.pem -inkey blah.key.pem
}}}

= Certificate Authority stuff =

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

== Create CA certificate ==

{{{#!highlight sh
openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650
}}}

== Export CA certificate in DER format ==

{{{#!highlight sh
openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt
}}}

Used by web browsers.

== Revoke certificate ==

{{{#!highlight sh
openssl ca -revoke blah.crt.pem
}}}

== Generate Certificate Revocation List (CRL) ==

{{{#!highlight sh
openssl ca -gencrl -out crl/hotnudiegirls.com-CA.crl
}}}

== Sign Certificate Request ==

{{{#!highlight sh
openssl ca -out blah.crt.pem -in blah.req.pem
}}}

blah.crt.pem acts as `SSLCertificateFile` for Apache

== Create Diffie-Hoffman Parameters for Current CA ==

{{{#!highlight sh
openssl dhparam -out hotnudiegirls.com-CA.dhp.pem 1536
}}}

== Create self-signed certificate from generated key ==

{{{#!highlight sh
openssl req -new -x509 -key blah.key.pem -out blah.crt.pem
}}}

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

= Command-line tricks =

== Simple file encryption ==

{{{#!highlight sh
openssl enc -bf -A -in file_to_encrypt.txt
}}}

== Simple file decryption ==

{{{#!highlight sh
openssl enc -bf -d -A -in file_to_encrypt.txt
}}}
# IMAP
openssl s_client -connect localhost:993 -quiet > /dev/null
# SMTP
openssl s_client -connect localhost:465 -quiet > /dev/null
# HTTP
echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null
}}}

Depth (first line) should be 2, with a return value of 0.

End-user stuff

Poor man's benchmark

Quick way to compare processing power of CPUs.

openssl speed sha1

To test whether the CPU and installed version of OpenSSL can work with crypto acceleration (i.e. AES-NI):

openssl speed aes-256-cbc
openssl speed -evp aes-256-cbc

throughput should be faster (bigger numbers) with the second command.

Create certificate request/unsigned key

# Create a key at the same time
openssl req -nodes -new -keyout $DOMAIN.key.pem -out $DOMAIN.csr.pem
# Use an existing key
openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem

$DOMAIN.key.pem will act as an SSLCertificateKeyFile for mod_ssl in Apache.

Create certificate request w/ SubjectAltName fields

SubjectAltName fields let a certificate apply to more than 1 domain. Unfortunately, OpenSSL does not allow to create these easily from the command line.

Create a configuration file, $DOMAIN.conf:

   1 cat > $DOMAIN.conf << EOF
   2 
   3 [req]
   4 distinguished_name = req_distinguished_name
   5 req_extensions = req_ext
   6 
   7 [req_distinguished_name]
   8 countryName = Country Name (2 letter code)
   9 countryName_default = US
  10 stateOrProvinceName = State or Province Name (full name)
  11 stateOrProvinceName_default = New York
  12 localityName = Locality Name (eg, city)
  13 localityName_default = New York City
  14 organizationalUnitName = Organizational Unit Name (eg, section)
  15 commonName = Common Name
  16 commonName_default = $DOMAIN
  17 commonName_max = 64
  18 
  19 [req_ext]
  20 subjectAltName = @alt_names
  21 
  22 [alt_names]
  23 DNS.1   = $DOMAIN
  24 DNS.2   = www.$DOMAIN
  25 
  26 EOF

Then use this configuration file to create a CSR:

openssl req -nodes -new -key $DOMAIN.key.pem -out $DOMAIN.csr.pem -config $DOMAIN.conf

Show key fingerprint

openssl x509 -subject -dates -fingerprint -in $DOMAIN.key.pem

Generate key

# RSA key
openssl genrsa -out $DOMAIN.key.pem 4096
# EC key (using prime256v1 curve)
openssl ecparam -out $DOMAIN.key.pem -name prime256v1 -genkey

Display certificate information

# For a certificate signing request
openssl req -text -noout -in $DOMAIN.csr.pem
# For a generated certificate
openssl x509 -in $DOMAIN.crt.pem -noout -text

Creating a PEM file for servers

cat $DOMAIN.key.pem $DOMAIN.crt.pem $DOMAIN.dhp.pem > $DOMAIN.pem

Used by courier-imap, etc.

If there are intermediate certificates, those must be concatenated AFTER the other certificates.

Creating a PKCS12-format file

openssl pkcs12 -export -in $DOMAIN.crt.pem -inkey $DOMAIN.key.pem -out blah.p12 -name "Bill Gates"

Used for creating certificates used in e-mail clients and web browsers

Signing e-mails

openssl smine -sign -in msg.txt -text -out msg.encrypted -signer $DOMAIN.crt.pem -inkey $DOMAIN.key.pem

Certificate Authority stuff

When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create directories private and newcert. Edit openssl.cnf - change default_days, certificate and private_key, possibly key size (1024, 1280, 1536, 2048) to whatever is desired.

Create CA certificate

openssl req -new -x509 -keyout private/something-CA.key.pem -out ./something-CA.crt.pem -days 3650

Export CA certificate in DER format

openssl x509 -in something-CA.crt.pem -outform der -out something-CA.crt

Used by web browsers.

Revoke certificate

openssl ca -revoke $DOMAIN.crt.pem

Generate Certificate Revocation List (CRL)

openssl ca -gencrl -out crl/$DOMAIN-CA.crl

Sign Certificate Request

openssl ca -out blah.crt.pem -in $DOMAIN.req.pem

blah.crt.pem acts as SSLCertificateFile for Apache

Create Diffie-Hoffman Parameters for Current CA

openssl dhparam -out $DOMAIN-CA.dhp.pem 1536

Create self-signed certificate from generated key

openssl req -new -x509 -key $DOMAIN.key.pem -out $DOMAIN.crt.pem

Use only when you've no CA and will only be generating one key/certificate (useless for anything that requires signed certificates on both ends)

Command-line tricks

Simple file encryption

openssl enc -bf -A -in file_to_encrypt.txt

Simple file decryption

openssl enc -bf -d -A -in file_to_encrypt.txt

Verify hosts

   1 # IMAP
   2 openssl s_client -connect localhost:993 -quiet > /dev/null
   3 # SMTP
   4 openssl s_client -connect localhost:465 -quiet > /dev/null
   5 # HTTP
   6 echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

Depth (first line) should be 2, with a return value of 0.


CategoryCheatSheet

SamatsWiki: CheatSheet/OpenSSL (last edited 2020-05-04 22:20:10 by SamatJain)