OpenSSL
Creating a self-signed certificate
OpenSSL config (edit as needed):
cat > ssl.conf <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = PL
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Poland
localityName = Locality Name (eg, city)
localityName_default = Warsaw
organizationName = Organization Name (eg, company)
organizationName_default = None Inc.
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = localhost.localdomain
EOF
Paste-ready commands to generate the key, CSR and certificate:
openssl genrsa -out localhost.key 4096
openssl req -new -sha256 -batch -key localhost.key -out localhost.csr -config ssl.conf
openssl x509 -req -days 3650 -in localhost.csr -signkey localhost.key -out localhost.crt -extensions req_ext -extfile ssl.conf
Setting/removing a passphrase on a key
openssl rsa -aes256 -in localhost.key -out localhost.key.enc
openssl rsa -in localhost.key.enc -out localhost.key
Verification
Inspecting a certificate
openssl x509 -in localhost.crt -text -noout
If the certificate is signed by a CA:
openssl verify -CAfile CA.pem localhost.crt
Checking a pair: certificate + key
The modulus value should be the same in both cases:
openssl x509 -noout -modulus -in localhost.crt
openssl rsa -noout -modulus -in localhost.key
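The modulus comparison above only works for RSA keys. As an added example (not part of the original page), the shell functions below compare the public key itself, so they also cover EC keys and the CSR; the function names are made up here, and the private key is assumed to be unencrypted.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print the public key (PEM, SubjectPublicKeyInfo) carried by FILE, which may
# be a certificate, a CSR or an unencrypted private key. Fails if it is none.
pubkey_of() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null ||
    openssl req  -in "$1" -noout -pubkey 2>/dev/null ||
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# same_keypair FILE...
# Returns 0 if every file carries the same public key,
#         1 if at least one file carries a different key,
#         2 if a file is missing or cannot be parsed.
same_keypair() {
    # Capture the key first: hashing the output of a failed command would
    # make two unreadable files look like a "match".
    ref=$(pubkey_of "$1") || return 2
    shift
    for f in "$@"; do
        cur=$(pubkey_of "$f") || return 2
        [ "$cur" = "$ref" ] || return 1
    done
    return 0
}

# Usage with the files generated earlier on this page:
#   same_keypair localhost.key localhost.csr localhost.crt && echo "all match"
```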
Checking the serial, MD5 and SHA256 fingerprints
Serial:
openssl x509 -noout -serial -in localhost.crt
MD5 fingerprint:
openssl x509 -noout -fingerprint -md5 -in localhost.crt
SHA256 fingerprint:
openssl x509 -noout -fingerprint -sha256 -in localhost.crt
Conversion
DER -> PEM
openssl x509 -inform der -in localhost.der -out localhost.pem
PKCS#12 -> PEM
The result is a set of certificates and the key in a single PEM file. Because of -nodes, the private key in that file is not encrypted.
openssl pkcs12 -nodes -in keyStore.p12 -out keyStore.pem
PEM -> DER
openssl x509 -outform der -in localhost.pem -out localhost.der
PEM -> PKCS#12
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -certfile ca.pem -out certificate.p12
Credits
software/openssl.txt · last modified: 2018/08/05 18:42 by mky