Openssl
From wikinotes
A cryptography toolkit for SSL/TLS.
Documentation
wiki: https://wiki.openssl.org/index.php/Command_Line_Utilities
man openssl: https://manpages.debian.org/buster/openssl/openssl.1ssl.en.html
Locations
/etc/ssl/certs/*.pem: trusted root CA certs (and hash symlinks)
/etc/ssl/certs/ca-certificates.crt: root-CA bundle (archlinux)
/usr/local/share/certs/ca-root-nss.crt: root-CA bundle (FreeBSD, requires ca_root_nss)
Install
pkg install openssl   # freebsd
pacman -S openssl     # archlinux
Usage
general
openssl list -help                     # list available help
openssl list -public-key-algorithms    # or -commands, -digest-algorithms, ... (see manpage)
openssl $STDCMD -help                  # documentation about a standard command
openssl req -noout -text -in website.csr    # show CSR
openssl x509 -noout -text -in website.pem   # show cert
private key
Generate private key
openssl list -public-key-algorithms   # list available algorithms
openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out private-key.pem   # RSA (encrypted with passphrase)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out private-key.pem           # RSA (unencrypted)
openssl genpkey -algorithm x25519 -out file.key    # X25519
openssl genpkey -algorithm ED25519 -out file.key   # ED25519
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out file.key   # ECDSA
Public key of private key
openssl pkey -in private-key.pem -out public-key.pem -pubout
certificate-signing-request
See also SSL certificate authority.
# show CSR
openssl req -noout -text -in website.csr
# create CSR (-config optional)
openssl req -new -key website.key -out website.csr -config server_cert.cnf
certificate
# show certificate
openssl x509 -in certificate.crt -text -noout
# expiry date
openssl x509 -in certificate.crt -noout -enddate
# certificate from CSR (-extfile optional)
openssl x509 -req \
  -in website.com.csr \
  -CA CA.pem \
  -CAkey CA.key \
  -CAcreateserial \
  -out website.com.crt \
  -days 365 \
  -sha256 \
  -extfile my.website.csr.cnf
# self-signed certificate
openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt
# certificate fingerprint (fingerprints are normally written without the ':' separators)
openssl x509 -noout -in znc.pem -fingerprint -sha512 | sed 's/://g'
# check cert is trusted (according to your OS trusted CA certs)
openssl verify website.crt
Trust a Root CA cert
NOTE: .pem and .crt both refer to certificates here.
FreeBSD
This is generally what most tools are performing under the hood.
# add
cp root-ca.crt /etc/ssl/certs/root-ca.crt
chmod 644 /etc/ssl/certs/root-ca.crt
chown root:wheel /etc/ssl/certs/root-ca.crt
ln -s /etc/ssl/certs/root-ca.crt $(openssl x509 -noout -hash -in /etc/ssl/certs/root-ca.crt).0
Archlinux
# list/search trusted certs
trust list
trust list | grep -C5 "label: ${YOUR_CN}"   # check if your pem/crt is present
# add
trust anchor root-ca.crt
# remove
trust anchor --remove 'pkcs11:id=%AA%BB%CC%DD%EE;type=cert'   # remove using id
trust anchor --remove /path/to/cert                            # remove using cert file
Debian
# add
cp root-ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
# remove
rm /usr/local/share/ca-certificates/root-ca.crt
update-ca-certificates --fresh
CentOS
# add
cat root-ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
MacOS
# add
sudo security add-trusted-cert \
  -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/root-ca.crt
# remove (select the cert by its common name)
sudo security delete-certificate -c "<common name>"
Windows
# add
certutil -addstore -f "ROOT" root-ca.crt
# remove (select the cert by serial number, SHA1 hash, or subject name)
certutil -delstore "ROOT" "<cert id>"
Troubleshooting
Connection Troubleshooting
openssl comes with a very nice tool to help you test connections:
openssl s_client -connect website.com:443   # test connection (until auth)
Custom Root CA not used
If openssl can find your cert but your tool cannot, it may be useful to try this:
https://homepage.ruhr-uni-bochum.de/jan.holthuis/posts/using-burpsuite-with-qutebrowser
# add the cert to the user's NSS database (used by e.g. Chromium) as a trusted CA for SSL
certutil -d "sql:$HOME/.pki/nssdb" -A -i mycert.pem -n "wiki" -t C,,