Date created: Thursday, October 11, 2012 6:19:15 PM. Last modified: Monday, December 25, 2023 11:39:03 AM
Notes on SSL Certs
Pull the certificate chain from an HTTPS server. "-showcerts" prints every certificate the server sends in PEM form; without it only the leaf certificate is printed in PEM, although the subject/issuer names of the whole chain are still listed. "-servername" sets SNI, without which a virtual-hosted server may hand back its default certificate instead of the one you want to inspect. The "</dev/null" closes stdin so s_client exits after the handshake instead of waiting for input:
</dev/null openssl s_client \
-connect rest-test.db.ripe.net:443 \
-showcerts \
-servername rest-test.db.ripe.net > /tmp/rest-test.db.ripe.net.txt
Generate a self-signed cert for Nginx ("-nodes" leaves the key unencrypted so Nginx can start without a passphrase, so keep /etc/ssl/private root-only; the req command prompts for the subject fields; the dhparam step takes a while):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/nginx-selfsigned.key \
-out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Then in the Nginx server block:
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Note that this command adds no subjectAltName, and browsers match the host name against the SAN rather than the CN, so expect a name-mismatch warning on top of the untrusted-issuer one.
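As an added example (not from the original notes): the same self-signed generation, scripted with -subj so it does not prompt and with a subjectAltName added via -addext so browsers can match the host name, followed by the checks worth running on the result. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the host name www.example.test and the output directory are made up, and the dhparam step is left out because it takes a while.

```shell
#!/bin/sh
# Added example: self-signed certificate for nginx with a subjectAltName, plus checks.
# Assumptions: openssl >= 1.1.1; www.example.test and the paths under $WORK are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Unencrypted (-nodes) 2048-bit RSA key and a 365-day self-signed certificate.
# -subj skips the interactive prompts; -addext adds the SAN that browsers require
# (they ignore the CN when matching the host name).
gen_selfsigned() {
    host="$1"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:localhost" 2>/dev/null
    chmod 600 "$WORK/$host.key"          # private key: owner-readable only
}

# Print the SAN extension of a certificate, e.g. "DNS:www.example.test, DNS:localhost".
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# A self-signed cert has identical subject and issuer: prints "self-signed" or "ca-signed".
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-signed
}

# Succeeds only if the certificate is still valid $2 seconds from now (handy in cron).
cert_valid_for_seconds() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# The nginx directives from the notes, pointing at the generated files.
write_nginx_snippet() {
    cat > "$WORK/ssl.conf" <<EOF
ssl_certificate     $WORK/$1.crt;
ssl_certificate_key $WORK/$1.key;
EOF
}

gen_selfsigned www.example.test
write_nginx_snippet www.example.test
cert_san  "$WORK/www.example.test.crt"
cert_kind "$WORK/www.example.test.crt"
```

cert_kind and cert_valid_for_seconds are the two checks to run on any certificate you are handed: the first tells you whether a chain is expected at all, the second is what a monitoring job should call so expiry is caught before clients do.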
Split a PKCS #12 file (*.pfx), which holds a certificate and its private key, into two files: the certificate and the private key:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain.key
The first command extracts the certificate (the public part) to domain.cer; "-clcerts" keeps only the end-entity certificate and drops any CA certificates in the container, and despite the .cer extension the output is PEM, not DER.
The second command extracts the private key to domain.key; "-nodes" writes it unencrypted, so treat the file like any other private key.
Back the other way (the export prompts for a password; add "-certfile" with the intermediate certificates if the .pfx should carry the chain):
openssl pkcs12 -inkey domain.key -in domain.cer -export -out domain.pfx
Convert a private key into traditional RSA (PKCS #1, "BEGIN RSA PRIVATE KEY") form, which some older software expects; this also strips any passphrase. OpenSSL 3 writes PKCS #8 ("BEGIN PRIVATE KEY") by default and needs "-traditional" to produce the old format:
openssl rsa -in domain.com.key -out domain.com.key-rsa
Place the private key and the certificates together in one file (domain.pem) for software such as Pound Proxy that wants a single PEM bundle, in the following order. The Root CA cert is typically not required and is best left out: clients must already trust it, so sending it only adds bytes to the handshake.
-----BEGIN RSA PRIVATE KEY-----
... Private RSA key ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... Server (public key) cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... Intermediate issuer cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... Root CA cert (usually omitted) ...
-----END CERTIFICATE-----
touch domain.com.pem
cat domain.com.key-rsa > domain.com.pem
cat domain.com.cer >> domain.com.pem
cat intermediate-ca.crt >> domain.com.pem
The bundle contains the private key, so give it the same permissions as the key file (readable by the proxy user only).
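As an added example (not from the original notes), the chain and bundle steps end to end: a root CA, an intermediate CA and a server certificate are created locally so nothing needs the network, the Pound-style bundle is assembled in the order given above, and "openssl verify" shows that the leaf validates with the intermediate present and fails without it. The last function splits a concatenated PEM file, which is also the shape "openssl s_client -showcerts" writes into /tmp/rest-test.db.ripe.net.txt above, into its certificates and lists subject and issuer for each. It assumes OpenSSL 1.1.1 or 3.x; the names domain.test, "Example Root CA" and "Example Intermediate CA" are made up.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> leaf, assemble the Pound bundle, verify it,
# and list the certificates inside a concatenated PEM (bundle or s_client -showcerts dump).
# Assumptions: openssl 1.1.1 or 3.x; all names and paths are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key + CSR with the given subject; the CSR is signed separately in sign().
new_csr() {
    openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Sign a CSR. $1 name, $2 issuer name ("self" for self-signed), $3 extension lines.
# Extensions go through -extfile because "openssl x509 -req" adds none on its own.
sign() {
    printf '%b\n' "$3" > "$WORK/$1.ext"
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
            -out "$WORK/$1.crt" -extfile "$WORK/$1.ext" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
            -CAcreateserial -days 365 -out "$WORK/$1.crt" -extfile "$WORK/$1.ext" 2>/dev/null
    fi
}

build_chain() {
    new_csr root  "/CN=Example Root CA"
    sign    root  self  'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    new_csr inter "/CN=Example Intermediate CA"
    sign    inter root  'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
    new_csr leaf  "/CN=domain.test"
    sign    leaf  inter 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domain.test\nextendedKeyUsage=serverAuth'
}

# Pound order: private key, leaf certificate, intermediate(s). The root is left out.
build_bundle() {
    cat "$WORK/leaf.key" "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/domain.pem"
    chmod 600 "$WORK/domain.pem"          # it holds the private key
}

# "OK" when the leaf chains to the root through the intermediates file given as $1,
# "FAIL" otherwise. Called with no argument it fails: that is the "works in curl with
# a cached intermediate, fails on phones" symptom of a server that sends only its leaf.
verify_leaf() {
    if openssl verify -CAfile "$WORK/root.crt" ${1:+-untrusted "$1"} "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Split a concatenated PEM into split-N.pem files and print "subject -> issuer" per
# certificate, in file order. Key blocks and "Bag Attributes" lines are skipped.
list_certs() {
    rm -f "$WORK"/split-*.pem
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/split-" n ".pem" }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for f in "$WORK"/split-*.pem; do
        printf '%s -> %s\n' \
            "$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" \
            "$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')"
    done
}

build_chain
build_bundle
verify_leaf "$WORK/inter.crt"
verify_leaf
list_certs "$WORK/domain.pem"
```

Running list_certs over an s_client -showcerts dump is the quick way to see whether a server sends its intermediate at all and whether the certificates are in leaf-first order; the two verify_leaf calls show why the intermediate belongs in the bundle.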
Certificate file types
.csr A Certificate Signing Request. Some applications can generate these for submission to certificate authorities. It includes some or all of the key details of the requested certificate such as subject, organization, state and so on, plus the public key. The CA signs the request and returns a certificate. The returned certificate is the public certificate, which itself can be in a couple of formats.
.pem Base64-encoded DER between "-----BEGIN ...-----" and "-----END ...-----" lines; the header names the content. Most often it is the certificate (public part) of a specific key pair, but the same wrapper is used for private keys and CSRs. In Apache installs this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs).
.key The private key of a specific certificate. In Apache installs this frequently resides in /etc/ssl/private. The permissions on this directory and the key files are very important, and some programs refuse to load a key if they are set wrong (world-readable, for example).
.pkcs12 .pfx .p12 A password-protected container format holding a certificate (often with its chain) together with the matching private key.
.der Fills the same function as a .pem file, but in binary DER encoding rather than Base64 text. OpenSSL can convert between the two. I've only ever run into them in the wild with Novell's eDirectory certificate authority.
.cert .cer .crt Usually a .pem file with a different extension, though Windows also uses these extensions for DER-encoded certificates. Windows Explorer recognises these extensions as certificates, which it does not do for .pem.
.crl A certificate revocation list. Certificate Authorities publish these to revoke certificates before they expire.
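As an added example (not from the original notes) tying together the PKCS #12 split/merge, the RSA key conversion and the .pem/.der entries above: a throwaway key and certificate are exported to a passworded .pfx and split back out, the recovered key is checked against the certificate by comparing public-key fingerprints (the check to run before deploying any key/cert pair that came from different places), the key is rewritten in traditional RSA form on either OpenSSL 1.1.1 or 3, and the certificate is round-tripped through DER. The file names, the password "changeit" and the host name domain.test are made up.

```shell
#!/bin/sh
# Added example: PKCS#12 round trip, key-matches-certificate check, PKCS#8 -> PKCS#1
# conversion and PEM <-> DER conversion. Assumptions: openssl 1.1.1 or 3.x; the file
# names, the password and domain.test are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"

# Throwaway key + self-signed cert standing in for a CA-issued pair.
make_pair() {
    openssl req -x509 -nodes -days 30 -newkey rsa:2048 \
        -keyout "$WORK/domain.key" -out "$WORK/domain.cer" \
        -subj "/CN=domain.test" 2>/dev/null
}

# Bundle key + cert into a passworded .pfx (add -certfile chain.pem to carry intermediates).
to_pfx() {
    openssl pkcs12 -export -inkey "$WORK/domain.key" -in "$WORK/domain.cer" \
        -out "$WORK/domain.pfx" -passout "pass:$PFX_PASS"
}

# Split the .pfx into a certificate file and an unencrypted (-nodes) key file.
# -passin supplies the container password non-interactively.
from_pfx() {
    openssl pkcs12 -in "$WORK/domain.pfx" -clcerts -nokeys -out "$WORK/out.cer" -passin "pass:$PFX_PASS"
    openssl pkcs12 -in "$WORK/domain.pfx" -nocerts -nodes -out "$WORK/out.key" -passin "pass:$PFX_PASS"
}

# SHA-256 of the DER-encoded public key, taken from a certificate or a private key.
# Equal digests mean the key belongs to the certificate; this works for any key type,
# unlike comparing RSA moduli.
pubkey_fp() {
    case "$1" in
        *.cer|*.crt) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *)           openssl pkey -in "$1" -pubout -outform DER ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

key_matches_cert() {
    [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Rewrite a key as a traditional PKCS#1 "BEGIN RSA PRIVATE KEY" block and print its header.
# OpenSSL 3 writes PKCS#8 unless given -traditional; 1.1.1 writes PKCS#1 and lacks the flag.
to_rsa_key() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null
    else
        openssl rsa -in "$1" -out "$2" 2>/dev/null
    fi
    head -n 1 "$2"
}

# SHA-256 fingerprint of a certificate; $2 is the input encoding, PEM by default.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# PEM -> DER -> PEM; the fingerprint is the same whichever encoding it is read from.
der_roundtrip() {
    openssl x509 -in "$WORK/out.cer" -outform DER -out "$WORK/out.der"
    openssl x509 -in "$WORK/out.der" -inform DER -out "$WORK/back.cer"
}

make_pair
to_pfx
from_pfx
key_matches_cert "$WORK/out.cer" "$WORK/out.key" && echo "key matches certificate"
to_rsa_key "$WORK/out.key" "$WORK/out.key-rsa"
der_roundtrip
```

The fingerprint comparison in key_matches_cert is also the way to confirm that a .pfx handed over by someone else actually contains the key for the certificate it claims, before it goes anywhere near a server.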
Online SSL Checker (for HTTPS):
https://comodosslstore.com/checksslcertificate.aspx
https://www.ssllabs.com/ssltest/