OpenSSL
From Dogtag
Contents
- 1 OpenSSL Configuration
- 2 Keys
- 3 Generating Certificate Request
- 4 Generating Self-Signed CA Certificate
- 5 Issuing End-Entity Certificate
- 6 Displaying Certificate Request
- 7 Displaying Certificate Info
- 8 Displaying PKCS #12 File
- 9 Importing Certificate and Key into PKCS #12 File
- 10 Exporting Certificate and Key from PKCS #12 File
- 11 Exporting Key from PKCS #12 File
- 12 Exporting Certificate from PKCS #12 File
- 13 Exporting CA Certificate from PKCS #12 File
- 14 Exporting Certificate Chain from PKCS #12 File
- 15 Creating PKCS #7 Certificate Chain
- 16 Displaying PKCS #7 Certificate Chain
- 17 Displaying PEM Certificate Chain
- 18 Conversions
- 19 Decoding Certificate
- 20 SSL
- 21 Ciphers
- 22 Revocation
- 23 References
OpenSSL Configuration
HOME = . RANDFILE = $ENV::HOME/.rnd #################################################################### [ ca ] default_ca = CA_default [ CA_default ] default_days = 1000 default_crl_days = 30 default_md = sha256 preserve = no x509_extensions = ca_extensions email_in_dn = no copy_extensions = copy #################################################################### [ req ] default_bits = 4096 default_keyfile = cakey.pem distinguished_name = ca_distinguished_name x509_extensions = ca_extensions string_mask = utf8only #################################################################### [ ca_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Maryland localityName = Locality Name (eg, city) localityName_default = Baltimore organizationName = Organization Name (eg, company) organizationName_default = Test CA, Limited organizationalUnitName = Organizational Unit (eg, division) organizationalUnitName_default = Server Research Department commonName = Common Name (e.g. server FQDN or YOUR name) commonName_default = Test CA emailAddress = Email Address emailAddress_default = test@example.com
CA Extensions
[ ca_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
Keys
Generating a Key
To generate RSA key:
$ openssl genrsa -out testuser.key 2048 $ openssl rsa -in testuser.key -pubout -out testuser.pub
To generate ECC key:
$ openssl ecparam -name secp256k1 -genkey -noout -out testuser.key $ openssl ec -in testuser.key -pubout -out testuser.pub
Displaying Key Info
$ openssl rsa -noout -text -in testuser.key
Generating Certificate Request
To generate a certificate request with a new key:
$ openssl req -newkey rsa:2048 -keyout testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365
To generate a certificate request with an existing key:
$ openssl req -key testuser.key -nodes -new -out testuser.csr -subj "/UID=testuser/O=Example" -days 365
To generate a certificate request with SAN, prepare a configuration file (e.g. san.cnf):
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] organizationName = Example commonName = server.example.com [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = www.example.com DNS.2 = www.example.org
Then execute the following command:
$ openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cnf
Generating Self-Signed CA Certificate
$ openssl genrsa -out ca.key 2048 $ openssl req -new -x509 -key ca.key -out ca.crt -subj "/CN=Certificate Authority/O=EXAMPLE"
Issuing End-Entity Certificate
$ openssl x509 -req -in testuser.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out testuser.crt
Displaying Certificate Request
$ openssl req -text -noout -in ca.csr Certificate Request: Data: Version: 0 (0x0) Subject: CN=CA Certificate, O=Example Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c6:5a:73:8b:e6:9b:f6:4e:36:88:c6:d4:f9:74: 94:81:3d:75:0e:da:83:f1:13:a5:ff:cb:8b:1a:1a: 14:a1:68:a5:bf:42:78:03:75:74:a8:91:99:a2:bd: 25:62:b7:e9:83:e9:26:e2:0f:f0:6f:17:f2:2b:a4: 45:c8:17:fa:fd:4d:a2:68:6c:01:15:50:03:19:ca: 01:97:23:ab:31:64:d9:eb:64:09:73:25:36:92:f7: 2f:16:7b:56:3d:f8:b8:5f:88:60:7e:42:98:95:d6: 90:57:30:9d:f4:e9:35:98:70:3f:30:d6:91:8e:75: 98:d1:c9:ca:85:ce:f2:d6:b1:7f:74:1f:74:98:01: 36:c7:69:8c:2a:b8:21:c8:15:ff:5a:a2:7c:18:1d: 1e:76:b2:c0:32:43:09:21:6a:c5:86:7c:1e:a4:7d: db:6f:5e:d3:ac:dc:20:4f:db:af:fa:8d:c8:6b:74: 70:74:c6:42:9a:a9:47:08:0a:36:39:81:0e:e8:ba: 89:2f:97:1e:db:da:63:89:40:75:31:e7:b3:53:67: fe:76:07:8f:c9:0a:8d:fd:0a:f6:bd:fd:96:75:bb: d3:ee:68:8f:51:93:a1:fd:d0:c7:e8:50:7a:f7:66: 85:ec:0a:a4:b5:20:14:98:c4:6d:ab:69:65:30:31: f8:1f Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 03:cd:f3:47:9a:8a:14:3d:0a:8e:09:be:62:f8:89:b1:65:86: 6b:bf:fc:7f:85:9e:a7:71:b6:6e:ea:9e:94:e4:16:95:93:fa: 69:cf:a2:4f:79:5b:3d:e8:65:36:36:a8:7a:0c:69:68:47:6b: 15:b2:2a:49:ae:e2:83:3c:98:bb:7e:2b:13:fa:bc:08:13:a7: 44:0e:dc:64:5b:a4:a9:90:42:d6:52:74:8c:42:7c:15:56:8e: 53:4f:f2:08:14:de:73:33:83:8e:c6:58:1e:f8:51:aa:a3:12: e5:7f:63:09:db:be:80:1d:0f:5f:c1:1a:a0:83:2e:67:0a:be: e4:21:cd:e1:63:5e:2c:58:85:f6:75:94:fc:68:52:a6:38:3d: 75:25:2f:89:56:e7:95:dd:9b:1f:ed:8a:f4:d2:f9:d5:1c:43: 89:57:eb:3d:77:fa:ac:27:5f:ad:20:dc:e6:28:8b:aa:54:fb: 4f:f9:d1:6f:dd:73:c6:29:28:b7:bf:9c:38:23:35:8e:de:da: 2e:4d:ed:e9:e2:16:f1:cd:38:9f:86:03:49:d3:a4:d6:bc:6c: 22:9b:7e:c0:82:b4:b6:60:77:a7:a3:d8:d5:c3:fc:64:81:43: e4:1e:52:04:4e:8c:cf:1b:a7:0f:43:24:6c:8f:a5:55:ed:bd: db:7f:08:74
Displaying Certificate Info
To display PEM certificate:
$ openssl x509 -text -noout -in testuser.crt
To display DER certificate:
$ openssl x509 -text -noout -in testuser.crt -inform der
The output will look like the following:
Certificate: Data: Version: 1 (0x0) Serial Number: f5:8c:f2:55:9a:5a:13:01 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=CA Certificate, O=Example Validity Not Before: Jun 13 22:51:06 2016 GMT Not After : Jul 13 22:51:06 2016 GMT Subject: UID=testuser, O=Example Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ab:92:66:0c:96:3f:43:93:65:3f:52:67:19:e5: 40:74:1d:85:ba:a8:e2:8c:f9:fd:cd:25:36:94:77: b1:24:10:1f:23:58:f7:38:3d:2a:e0:23:bf:3d:d3: fa:c3:6a:55:d6:ac:46:8c:14:56:f2:0a:a2:a1:0a: 0f:eb:ee:64:ec:85:c2:df:f1:0a:1f:73:12:98:da: fa:d6:72:d5:26:f3:45:d5:9b:dd:34:5b:8a:6b:23: 92:2a:31:9c:db:f0:1e:a4:13:08:ad:5a:86:29:aa: 17:86:b3:da:83:de:b5:7b:65:4d:12:f9:d5:2f:45: 29:66:0f:ac:8c:83:63:52:17:be:9e:43:50:d9:2f: 55:74:a8:a9:ee:53:17:2d:ff:2c:6b:25:df:cb:6d: fb:3f:f4:e1:ba:83:34:b2:be:93:46:92:7b:66:f4: f9:9f:5e:fd:04:5e:81:db:cb:43:36:b3:2d:f5:0a: 38:19:c0:c0:0e:68:cc:80:67:b4:12:68:6c:04:28: e1:96:15:78:55:5f:8d:f2:52:ed:82:60:95:7a:41: f9:36:84:bc:0b:5d:39:ed:7e:63:89:20:ed:e2:ae: a0:1c:35:b3:a3:d0:1d:34:e8:f1:51:76:e2:78:6b: 4a:21:46:64:b5:aa:b2:8d:63:5c:fd:7d:09:da:46: fc:d5 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 27:61:d8:f2:79:1e:fd:91:3b:e9:db:51:fe:42:74:0c:dc:94: b9:fc:7b:1c:c5:4a:87:25:1c:43:fc:ca:64:87:4e:21:0e:22: 31:ef:92:03:f4:de:fb:5b:2e:ba:8b:35:b7:2b:52:4b:f6:d5: c4:83:f6:f5:ef:cc:f1:15:d5:67:75:ad:8b:77:be:5a:21:fb: 30:e1:71:d2:5d:4f:db:65:7f:38:ae:4d:7b:25:60:d1:5e:19: 24:c5:67:49:18:08:bc:5c:64:06:2d:5a:84:25:af:cd:5f:a0: 5d:9c:d8:69:9a:50:e9:a0:ff:8f:c2:46:7d:2e:5c:3a:b9:a8: 18:fb:d2:1b:06:92:92:b9:b8:ca:0c:c2:2e:94:b5:e2:2a:18: ce:fe:e8:32:fe:ae:cd:d5:5c:f8:ff:24:6a:dd:5e:7b:f2:24: 2c:01:80:f8:af:95:09:30:81:51:a7:60:fc:ff:c5:df:f7:3e: fa:1e:32:d3:c3:ff:9d:0c:5c:1e:eb:30:d6:0b:23:50:3a:ad: 57:8d:7c:26:f7:dd:f1:10:bd:65:0a:dd:02:6f:83:54:35:23: 76:b4:1b:63:18:1b:97:0e:3c:3a:de:88:fe:c6:14:e7:5f:e0: 52:b5:c3:d3:82:8f:d7:50:11:ee:b1:cb:5c:a4:e6:67:01:88: bc:63:41:2e
Displaying PKCS #12 File
$ openssl pkcs12 -in example.p12 -passin file:password.txt -passout file:password.txt
Importing Certificate and Key into PKCS #12 File
$ openssl pkcs12 -export \ -in ca_signing.crt \ -inkey ca_signing.key \ -out example.p12 \ -name "CA Signing Certificate" \ -passout file:password.txt
Exporting Certificate and Key from PKCS #12 File
$ openssl pkcs12 \ -in example.p12 \ -passin file:password.txt \ -out testuser.pem \ -nodes
Exporting Key from PKCS #12 File
$ openssl pkcs12 \ -in example.p12 \ -passin file:password.txt \ -out ca_signing.key \ -nodes \ -nocerts
Exporting Certificate from PKCS #12 File
$ openssl pkcs12 \ -in example.p12 \ -passin file:password.txt \ -out ca_signing.crt \ -clcerts \ -nokeys
Exporting CA Certificate from PKCS #12 File
$ openssl pkcs12 \ -in example.p12 \ -passin file:password.txt \ -out ca_signing.crt \ -cacerts \ -nokeys
Exporting Certificate Chain from PKCS #12 File
$ openssl pkcs12 \ -in example.p12 \ -passin file:password.txt \ -out ca_signing.crt \ -nokeys
Creating PKCS #7 Certificate Chain
$ openssl crl2pkcs7 -nocrl -certfile rootca.crt -certfile subca.crt -out cert_chain.p7b $ cat cert_chain.p7b -----BEGIN PKCS7----- MIIHdgYJKoZIhvcNAQcCoIIHZzCCB2MCAQExADALBgkqhkiG9w0BBwGgggdJMIID qDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhBTVBM RTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4MDUw OTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEkMCIG A1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1QbU4p 3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxfz63k PnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUTxDVP Ihl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk/lWT AsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21CSSf SnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4MFUG CCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMuaWRt LmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQWBBR4 YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D+w9D nSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0B AQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WKKHAT wly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcpBZaR RrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85qIdRa 5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMKeZfZ 1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaSrYMJ P4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8zCCA5kwggKBoAMCAQICAhySMA0GCSqG SIb3DQEBCwUAMDgxEDAOBgNVBAoTB0VYQU1QTEUxJDAiBgNVBAMTG1Jvb3QgQ0Eg U2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xODA1MDkyMjQ3NTdaFw0xODA4MDkyMjQ3 NTdaMD8xEDAOBgNVBAoTB0VYQU1QTEUxKzApBgNVBAMTIlN1Ym9yZGluYXRlIENB IFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQCs94tJZQuEAwOpLH9PeHLgZw7cxL+HpzAcyjCYQLxOLOHo0ruEgbzMCpBP ALssIgpKi0eTUI/g8jSYXZy0v36U4bToOJnpky/29dK621/38xSiNwNq1suXPeCi Rtko5PKqO1MM2SbnvY07eybsYn1W1FrPkWtCbeWSpfi2PZItfsTJsKfrJCHbYE6M FWCxzinGmUUGyJWp0UW2gN/us3r5kEzTql4N047Dr2DvgsWSn0OCNLSad5704v2p gVmuCS/9HvVyKxeaAZg/5A/0NdsQa2F3rg/F4bfkTXORwcin28K16jnoZjVWAtbL ryVvu0JL2yJ8EQKIa4aaocnHyzg7AgMBAAGjgaUwgaIwVQYIKwYBBQUHAQEESTBH MEUGCCsGAQUFBzABhjlodHRwOi8vdm0tMDY2LmFiYy5pZG0ubGFiLmVuZy5icnEu cmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwHQYDVR0OBBYEFCOu4EdmNg6xkNAUtzs3 nlKDAetHMAkGA1UdIwQCMAAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC AcYwDQYJKoZIhvcNAQELBQADggEBAEdTH8CXVA+nItPe8DjAm/6NuewQtC6ziOWT wboj4LdJkSorbTkyFzNI4P6aaCH4Gl18Ig3Dr5fFiI3AbeIJ1MChCUqUAG46kboN XopnHtlAxCj1ZGle+7scEkbpta3eFRwJ7FwhP8R627RDoaTIkcnHttle3tYEj6Zd dMYH+c6Vkyd+8W1xODzVBAKB60GPQeU5GPPiWUzzeQlRVS5KcTPeSftORCwRJTfJ iKfMFmU4UBoeQFPYjoLaexBsiyvOg4WgDdveZ96oDEa4lOzoAXd9KGpiqjLsJOry 0jtmXkbZESZGANQxUOv2L1clBuUs9YfSDL/cCUK/JnHFiNS6/6KhADEA -----END PKCS7-----
Displaying PKCS #7 Certificate Chain
$ openssl pkcs7 -print_certs -in cert_chain.p7b subject=/O=EXAMPLE/CN=Root CA Signing Certificate issuer=/O=EXAMPLE/CN=Root CA Signing Certificate -----BEGIN CERTIFICATE----- MIIDqDCCApCgAwIBAgICBGgwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4 MDUwOTIyNDYxNFoXDTE4MDgwOTIyNDYxNFowODEQMA4GA1UEChMHRVhBTVBMRTEk MCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDarLmDOZFaub7/sEwFbGatR2or4WmuJFI1Q bU4p3Xf/5rMJz5hANuRmWurK68+peeZ7KctfgwJrFTT65RfQdnslKkb8jtlifIxf z63kPnZmNtJmDVu5rK/iwiMJFCAx36J1y7vwjp2HGQ2A3a3Y1RL7gKHHRzbTPZUT xDVPIhl1T+kOJNXZ95MQTEw9pJgj3Fx6N1kjcWeJ2S9Il81WAL3tCs26uC/rNqYk /lWTAsBmsJUWEgDQfCLNtV/gmZ+IKe9j8lTEmU2dxPj5PcF5TpNId7iwP6LX6J21 CSSfSnDeaGV5AojwFbqa3dB5m3+t8FfRaYeuOkxln3jA7vetywIDAQABo4G7MIG4 MFUGCCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAYY5aHR0cDovL3ZtLTA2Ni5hYmMu aWRtLmxhYi5lbmcuYnJxLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMB0GA1UdDgQW BBR4YQK+UlGV9/m5JR+D+w9DnSyeADAfBgNVHSMEGDAWgBR4YQK+UlGV9/m5JR+D +w9DnSyeADAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG 9w0BAQsFAAOCAQEAmcKj74hsHzVdpDzAsLdYAOZxmT36Qgp0Dsa5vZ246d/D22WK KHATwly83MHY+H8aieBNRpyMVs1i98jX44ZS/7SACWi8HnkITF/NAuuaL+AGCLcp BZaRRrndOix8ywOAMMIXgXeYqZo+LOQRXELwrOljMcUsYPmvRBXDqWK5U0H4y85q IdRa5Jbx3H1DbCz9OJts9IxDtV4ilIJhu1379Lzebiq7sAPFHVIXZxgMgEO1FaMK eZfZ1JFOKWeS+Af/4+jj1Oncme7+apfmxDxhgFQBeAPW01tl8MYteRSdJpcSiNaS rYMJP4uRkuG65Z2AgV+OqqBPIyJICvZyah4A8w== -----END CERTIFICATE----- subject=/O=EXAMPLE/CN=Subordinate CA Signing Certificate issuer=/O=EXAMPLE/CN=Root CA Signing Certificate -----BEGIN CERTIFICATE----- MIIDmTCCAoGgAwIBAgICHJIwDQYJKoZIhvcNAQELBQAwODEQMA4GA1UEChMHRVhB TVBMRTEkMCIGA1UEAxMbUm9vdCBDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE4 MDUwOTIyNDc1N1oXDTE4MDgwOTIyNDc1N1owPzEQMA4GA1UEChMHRVhBTVBMRTEr MCkGA1UEAxMiU3Vib3JkaW5hdGUgQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKz3i0llC4QDA6ksf094cuBnDtzE v4enMBzKMJhAvE4s4ejSu4SBvMwKkE8AuywiCkqLR5NQj+DyNJhdnLS/fpThtOg4 memTL/b10rrbX/fzFKI3A2rWy5c94KJG2Sjk8qo7UwzZJue9jTt7JuxifVbUWs+R a0Jt5ZKl+LY9ki1+xMmwp+skIdtgTowVYLHOKcaZRQbIlanRRbaA3+6zevmQTNOq Xg3TjsOvYO+CxZKfQ4I0tJp3nvTi/amBWa4JL/0e9XIrF5oBmD/kD/Q12xBrYXeu D8Xht+RNc5HByKfbwrXqOehmNVYC1suvJW+7QkvbInwRAohrhpqhycfLODsCAwEA AaOBpTCBojBVBggrBgEFBQcBAQRJMEcwRQYIKwYBBQUHMAGGOWh0dHA6Ly92bS0w NjYuYWJjLmlkbS5sYWIuZW5nLmJycS5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAd BgNVHQ4EFgQUI67gR2Y2DrGQ0BS3OzeeUoMB60cwCQYDVR0jBAIwADAPBgNVHRMB Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQsFAAOCAQEAR1Mf wJdUD6ci097wOMCb/o257BC0LrOI5ZPBuiPgt0mRKittOTIXM0jg/ppoIfgaXXwi DcOvl8WIjcBt4gnUwKEJSpQAbjqRug1eimce2UDEKPVkaV77uxwSRum1rd4VHAns XCE/xHrbtEOhpMiRyce22V7e1gSPpl10xgf5zpWTJ37xbXE4PNUEAoHrQY9B5TkY 8+JZTPN5CVFVLkpxM95J+05ELBElN8mIp8wWZThQGh5AU9iOgtp7EGyLK86DhaAN 295n3qgMRriU7OgBd30oamKqMuwk6vLSO2ZeRtkRJkYA1DFQ6/YvVyUG5Sz1h9IM v9wJQr8mccWI1Lr/og== -----END CERTIFICATE-----
Displaying PEM Certificate Chain
$ openssl crl2pkcs7 -nocrl -certfile cert_chain.pem | openssl pkcs7 -print_certs -text -noout
Conversions
Converting CSR from DER to PEM
$ openssl req -inform der -in request.der -out request.pem
Converting Certificate from DER to PEM
$ openssl x509 -inform der -in cert.der -out cert.pem
Converting Certificate from PEM to DER
$ openssl x509 -outform der -in cert.pem -out cert.der
Converting Certificate Chain from PKCS #7 to PEM
$ openssl pkcs7 -print_certs -in cert_chain.p7b -out cert_chain.pem
Decoding Certificate
$ openssl asn1parse -in test.pem
$ openssl x509 -outform der -in test.pem | dumpasn1 -
SSL
$ openssl s_client -connect $HOSTNAME:8443 -tls1_2
Ciphers
To display the default ciphers:
$ openssl ciphers DEFAULT
To display all ciphers (except NULL ciphers):
$ openssl ciphers ALL
To display all ciphers (including NULL ciphers):
$ openssl ciphers 'ALL:NULL'
Revocation
To revoke a certificate:
$ openssl ca -config ca.conf -revoke testuser.crt
References
- PKCS7
- PKCS11
- PKCS12
- openssl-pkcs12
- openssl-ciphers
- How to setup your own CA with OpenSSL
- Certificate Extensions
- Creating Self-Signed CA Signing Certificate with OpenSSL
- Generating CA Signing CSR with OpenSSL
- Issuing CA Signing Certificate with OpenSSL
- Creating Self-Signed SSL Server Certificate with OpenSSL
- Generating SSL Server CSR with OpenSSL
- Issuing SSL Server Certificate with OpenSSL
- Certificate Utilities
- x509v3_config
- Tomcat SSL Ciphers
- OpenSSL Ciphers
- Generating FIPS-compliant PKCS #12 file using OpenSSL
- X509 V3 certificate extension configuration format