OpenSSL Cheat Sheet

I know, I know, there are plenty of openssl cheat sheets out there already [1][2]. But as I keep googling again and again to find the most useful openssl commands, I decided to do my own – the first version of the blog entries is already 3 years old actually. Another reason for creating the list is that I remember things better when I am writing them down.

Show contents of a certificate [3]

openssl x509 -fingerprint -sha256 -noout -text -in domain.com.crt

Show contents of a certificate request (CSR)

openssl req -text -noout -verify -in CSR.csr

OpenSSL HTTPS Client with SNI [4]

openssl s_client -connect roman.pertl.name:443 -servername roman.pertl.name

Generate a CSR to send to an external CA

openssl req -new -newkey rsa:2048 -sha256 -nodes -out roman.pertl.org.csr  -keyout roman.pertl.org.key  -subj "/C=US/ST=NY/L=NY/O=Roman Pertl/OU=Hostmaster/CN=roman.pertl.org"

Generate a Self-Signed SSL Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Newer browser versions, e.g. Chrome, require the DNS alt name (subjectAltName) attribute to be set instead of, or in addition to, the CN field: [5][6]

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.pertl.org')) -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"
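
The command above depends on bash process substitution and on the macOS path /System/Library/OpenSSL/openssl.cnf. The following is an added example, not part of the original post: it creates the same kind of certificate from a self-contained throwaway config and then checks that the SAN is really there and which hostnames it covers. The helper names make_san_cert, cert_san and cert_matches_host are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Helper names are hypothetical.

# make_san_cert <dns-name> <out-prefix> [rsa-bits]
# Writes <out-prefix>.key and <out-prefix>.crt; CN and subjectAltName both carry <dns-name>.
make_san_cert() {
  local name="$1" prefix="$2" bits="${3:-4096}" cfg rc
  cfg="$(mktemp)" || return 1
  # Minimal throwaway config, so no system openssl.cnf path is needed.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = $name
[san]
subjectAltName = DNS:$name
EOF
  openssl req -x509 -nodes -days 365 -newkey "rsa:$bits" -sha256 \
    -config "$cfg" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# cert_san <crt>: print the SAN line (empty output means no SAN extension).
cert_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//; s/ *$//'
}

# cert_matches_host <crt> <hostname>: succeeds if OpenSSL's hostname check passes.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage:
#   make_san_cert '*.pertl.org' pertl.org
#   cert_san pertl.org.crt                          # DNS:*.pertl.org
#   cert_matches_host pertl.org.crt www.pertl.org   # succeeds
#   cert_matches_host pertl.org.crt pertl.org       # fails: wildcard covers one label only
```

A wildcard SAN does not cover the bare domain, so a certificate that must also serve pertl.org needs a second DNS: entry in subjectAltName.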

Generate a Self-Signed CA Root Certificate

openssl req -nodes -newkey rsa:4096 -x509 -sha256 -days 3650 -keyout rootCA.key -reqexts v3_req -extensions v3_ca -out rootCA.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=pertl CA"

Generate custom dh param file

openssl dhparam -out domain.at.dhparam 4096

References

1. http://www.sslshopper.com/article-most-common-openssl-commands.html
2. https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md
3. https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US
4. https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
5. https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58/845788
6. https://deliciousbrains.com/https-locally-without-browser-privacy-errors/
