3 posts

OpenSSL Cheat Sheat

I know I know, there are plenty of openssl cheat sheets out there already((http://www.sslshopper.com/article-most-common-openssl-commands.html))((https://github.com/stanzgy/wiki/blob/master/network/openssl-self-signed-certs-cheatsheet.md)). But as I keep using googling it again and again to find the most useful openssl commands I decided to do my own – the first version of the blog entries is already 3 years old actually. Another reason for creating the list is that I remember things better when I am writing the down.

Show contents of a certificate (( https://knowledge.symantec.com/support/identity-protection-support/index?page=content&id=SO28771&actp=RSS&viewlocale=en_US ))

openssl x509 -fingerprint -sha256 -noout -text -in domain.com.crt

Show contents of a certificate request (CSR)

openssl req -text -noout -verify -in CSR.csr

OpenSSL HTTPS Client with SNIĀ (( https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/ ))

openssl s_client -connect roman.pertl.name:443 -servername roman.pertl.name

Generate a CSR to send to an external CA

openssl req -new -newkey rsa:2048 -sha256 -nodes -out roman.pertl.org.csr  -keyout roman.pertl.org.key  -subj "/C=US/ST=NY/L=NY/O=Roman Pertl/OU=Hostmaster/CN=roman.pertl.org"

Generate a Self-Signed SSL Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Newer versions of browsers e.g. Chrome require to set the DNS alt attribute instead/additional of the CN field: ((https://serverfault.com/questions/845766/generating-a-self-signed-cert-with-openssl-that-works-in-chrome-58/845788))

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -sha256 -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.pertl.org')) -keyout pertl.org.key -out pertl.org.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=*.pertl.org"

Generate a Self-Signed CA Root Certificate

openssl req -nodes -newkey rsa:4096 -x509 -sha256 -days 3650 -keyout rootCA.key -reqexts v3_req -extensions v3_ca -out rootCA.crt -subj "/C=AT/ST=Korneuburg/L=Korneuburg/O=Pertl/OU=Hostmaster/CN=pertl CA"

Generate custom dh param file

openssl dhparam -out domain.at.dhparam 4096

Java SSL Certificate Verification Error

If you come across the situation, that your java programs are not able to connect to ssl encrypted services, it might be most likely that the java cacerts keystore is empty or not uptodate. This might also be due to a bug in the java (or ca-certificate-java) package ((https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/1396760)). In order to fix the issue, you can run:

sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure