SSL: Difference between revisions

From miki
Revision as of 17:32, 9 June 2016

Links

Questions

  • What are the file types .crt, .pem and .key?
  • Given a file, how can one recognize its type?

How-to

Split PKCS#12 certificate into CA / Cert / Private key

Use openssl pkcs12 to split PKCS#12 data into its CA certificate / certificate / private key components. By default, openssl pkcs12 writes PEM files [1] (http://wiki.yobi.be/wiki/CAcert).

openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key            # Private key only (prompts for the import password, then for a pass phrase to encrypt the key)
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem # End-entity (client) certificate only
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem  # CA certificates only

Splitting the bundle is needed, for instance, to import a Windows certificate used to connect to an enterprise WiFi (see Linux Admin).

Checking Certificate Chain with OpenSSL

Checking A Remote Certificate Chain With OpenSSL (http://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/)

Change .p12 / .pfx password

Say you have a private key / certificate file mycert.pfx, and you want to change its password:

# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes         # Don't encrypt private key at all (prompts for the old import password)
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx    # Prompts for the new export password
rm mycert.pem                                               # DON'T FORGET THIS! mycert.pem holds the unencrypted private key

Extract key from .p12/ .pfx

  • openssl pkcs12 takes a file in PKCS#12 format (.p12/.pfx) and produces a file in PEM format, which can be parsed with openssl rsa. The PEM may contain private keys, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes  # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem                     # To extract the modulus
openssl rsa -noout -text -in mycert.pem                        # To extract all the fields
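The split, key-extraction and chain-check steps above, worked end to end as an added example (not from the original page): a throwaway CA and leaf certificate are constructed, packed into a .pfx, split with the three openssl pkcs12 commands, and the pieces are then checked against each other (key modulus equals certificate modulus, leaf verifies against the extracted CA). The subjects, file names and the password "demo" are assumptions for this demo.

```shell
#!/bin/sh
# Added demo, not the page's own code. Builds a constructed PKCS#12 bundle,
# splits it into key / cert / CA and proves the pieces belong together.
set -eu

split_and_check() {
  (
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    pw=pass:demo   # assumed bundle password
    # Constructed CA plus a CA-signed leaf (stands in for the "Windows certificate")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out leaf.crt 2>/dev/null
    openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile ca.crt \
        -out bundle.pfx -passout "$pw"
    # Split exactly as on the page, password supplied non-interactively
    openssl pkcs12 -in bundle.pfx -passin "$pw" -nocerts -nodes -out mycert.key 2>/dev/null
    openssl pkcs12 -in bundle.pfx -passin "$pw" -clcerts -nokeys -out mycert.crt.pem 2>/dev/null
    openssl pkcs12 -in bundle.pfx -passin "$pw" -cacerts -nokeys -out mycert.ca.pem 2>/dev/null
    # Check 1: the extracted key and certificate share the same RSA modulus
    kmod=$(openssl rsa -noout -modulus -in mycert.key 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in mycert.crt.pem)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo "key/cert mismatch"; exit 1; }
    # Check 2: the leaf chains to the CA certificate that came out of the bundle
    openssl verify -CAfile mycert.ca.pem mycert.crt.pem >/dev/null
    # Unencrypted key material: remove it when done (cf. "DON'T FORGET THIS!")
    rm -f mycert.key leaf.key ca.key
    echo OK
  )
}
```

Run split_and_check; it prints OK only if both checks pass, and exits non-zero otherwise.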

Query a public key certificate

openssl x509 -in ssl-cert-www.immie.org.pem -noout -subject       # Query certificate name. Must match Apache ServerName
# For instance:
#   subject= /C=BE/ST=BBW/L=Brussels/O=immie.org/CN=www.immie.org

Generate a new self-signed SSL certificate for Apache server

See Apache.

Accept self-signed certificates (bypass browser warning)

Internet Explorer
  • Click on the error certificate icon in the address bar,
  • Click View certificates,
  • then click Install certificate....
  • The server's public certificate must be imported into the Trusted Root Certification Authorities store (and *not* into Intermediate CA, which is chosen in automatic mode).

Certificate authorities

Import CA on Android

  • Browse to the file, and click on it to import.
  • Go to Settings → Security → Trusted credentials. User-added CA certificates appear in the User panel.