Daily Archives: January 24, 2018

OpenSSL Cheat Sheet

I know, I know, there are plenty of openssl cheat sheets out there already((http://www.sslshopper.com/article-most-common-openssl-commands.html))((https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md)). But as I keep googling again and again to find the most useful openssl commands, I decided to make my own – the first version of the blog entries is actually already 3 years old. Another reason for creating the list is that I remember things better when I write them down.

Show contents of a certificate (( https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US ))

openssl x509 -fingerprint -sha256 -noout -text -in domain.com.crt

Show contents of a certificate request (CSR)

openssl req -text -noout -verify -in CSR.csr

OpenSSL HTTPS Client with SNI (( https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/ ))

openssl s_client -connect roman.pertl.name:443 -servername roman.pertl.name

Generate a CSR to send to an external CA

openssl req -new -newkey rsa:2048 -sha256 -nodes -out roman.pertl.org.csr -keyout roman.pertl.org.key -subj "/C=US/ST=NY/L=NY/O=Roman Pertl/OU=Hostmaster/CN=roman.pertl.org"

Generate a Self-Signed SSL Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Newer browser versions, e.g. Chrome, require the DNS name to be set in the subjectAltName (SAN) extension instead of, or in addition to, the CN field: ((https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58/845788))

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.pertl.org')) -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"
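
To confirm that a certificate generated this way really carries the SAN, and which hostnames it covers, here is an added example that is not part of the original post. The helper function names, the temporary stand-alone config file (used instead of the system openssl.cnf path) and the 2048-bit demo key are assumptions; it goes slightly beyond the command above by testing names with `openssl x509 -checkhost`.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names and file names are hypothetical.

# make_san_cert DIR BITS CN SAN_LIST: write DIR/cert.key and DIR/cert.crt.
make_san_cert() {
  # Stand-alone config, so nothing depends on where the system openssl.cnf lives.
  cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = san
prompt             = no
[dn]
CN = $3
[san]
subjectAltName = $4
EOF
  ( umask 077   # -nodes leaves the private key unencrypted, so keep it owner-only
    openssl req -x509 -nodes -days 365 -newkey "rsa:$2" -sha256 \
      -config "$1/san.cnf" -keyout "$1/cert.key" -out "$1/cert.crt" 2>/dev/null )
}

# cert_sans CRT: print the subjectAltName entries stored in the certificate.
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches CRT HOST: succeed only if OpenSSL's hostname check accepts HOST.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo with constructed values: the wildcard-only SAN from the command above.
demo() {
  d=$(mktemp -d) || return 1
  make_san_cert "$d" 2048 '*.pertl.org' 'DNS:*.pertl.org' || return 1
  echo "SAN: $(cert_sans "$d/cert.crt")"
  for h in www.pertl.org pertl.org a.b.pertl.org; do
    if cert_matches "$d/cert.crt" "$h"; then echo "$h: match"; else echo "$h: NO match"; fi
  done
  rm -rf "$d"
}
demo
```

With the wildcard-only SAN, `pertl.org` and `a.b.pertl.org` do not match; pass `DNS:*.pertl.org,DNS:pertl.org` as the SAN list if the bare domain must be covered too.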

Generate a Self-Signed CA Root Certificate

openssl req -nodes -newkey rsa:4096 -x509 -sha256 -days 3650 -keyout rootCA.key -reqexts v3_req -extensions v3_ca -out rootCA.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=pertl CA"

Generate a custom DH parameter file

openssl dhparam -out domain.at.dhparam 4096