SSL: Difference between revisions
Revision as of 17:32, 9 June 2016
Links
Questions
- What are the file types .crt, .pem and .key?
- Given a file, how can one recognize its type?
How-to
Split PKCS#12 certificate into CA / Cert / Private key
Use openssl pkcs12 to split PKCS#12 data into its CA / certificate / private key components. By default, openssl pkcs12 produces PEM files [1].
openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key            # private key only (no certificates)
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem # client (end-entity) certificate only
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem  # CA certificates only
Splitting the bundle is needed, for instance, to import a Windows certificate used to connect to an enterprise WiFi (see Linux Admin).
Checking Certificate Chain with OpenSSL
Checking A Remote Certificate Chain With OpenSSL
Change .p12 / .pfx password
Say you have a private key / certificate file mycert.pfx, and you want to change its password:
# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes # Don't encrypt private key at all
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx
rm mycert.pem # DON'T FORGET THIS!
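The password rotation above, as an added example that is not part of the wiki page: it follows the same two-step recipe on a constructed test bundle and then checks that the new .pfx rejects the old password, opens with the new one, and still carries the same private key. The password values and the CN pfx.example.test are made up for the test.

```shell
#!/bin/sh
# Added example (not from the wiki page): rotate the password of a .pfx with
# the page's two-step method and verify the result. Runs on a constructed
# bundle in a scratch directory; mycert.pfx / mycert-new.pfx follow the page.

# Constructed test data: a throwaway key + self-signed cert, bundled into
# mycert.pfx under password $1 (not a real credential).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pfx.example.test" \
        -keyout key.pem -out cert.pem >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey key.pem -in cert.pem -out mycert.pfx -passout "pass:$1"
}

# The page's recipe: dump to an unencrypted PEM, re-export under the new
# password, then delete the PEM (piping into -export does not work).
change_pfx_password() {   # $1 = old password, $2 = new password
    openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes -passin "pass:$1" || return 1
    openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx -passout "pass:$2"
    rc=$?
    rm -f mycert.pem      # the plaintext key must not stay on disk
    return $rc
}

# Succeeds only if the new file refuses the old password, opens with the new
# one, and still holds the same private key (compared by RSA modulus).
verify_rotation() {       # $1 = old password, $2 = new password
    openssl pkcs12 -in mycert-new.pfx -noout -passin "pass:$1" >/dev/null 2>&1 && return 1
    old=$(openssl pkcs12 -in mycert.pfx -nocerts -nodes -passin "pass:$1" 2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
    new=$(openssl pkcs12 -in mycert-new.pfx -nocerts -nodes -passin "pass:$2" 2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# End-to-end run in a scratch directory; returns 0 on success.
rotate_and_check() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_test_pfx oldpass && change_pfx_password oldpass newpass && verify_rotation oldpass newpass
    rc=$?; cd /; rm -rf "$dir"; return $rc
}
```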
Extract key from .p12/ .pfx
openssl pkcs12 takes a file in PKCS#12 format (.p12/.pfx) and produces a file in PEM format that is parseable with openssl rsa. The PEM may contain a private key, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem # To extract the modulus
openssl rsa -noout -text -in mycert.pem # To extract all the fields
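The split from the How-to section and the modulus extraction above, combined into one added example that is not part of the wiki page: it builds a constructed CA plus leaf certificate, bundles them into mywindowscert.pfx, runs the page's three split commands, and then checks that the extracted key matches the client certificate and that the client certificate chains to the extracted CA (the kind of check the "Checking Certificate Chain" link describes). The CNs, the password "test" and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): split a PKCS#12 bundle into its
# key / client cert / CA cert parts with the page's commands, then check
# that the parts belong together. Runs on a constructed CA + leaf cert in
# a scratch directory; mywindowscert.pfx and mycert.* follow the page.

# Constructed test data: a throwaway CA and a leaf cert it signs.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out leaf.pem >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile ca.pem \
        -out mywindowscert.pfx -passout pass:test
}

# The three splits from the page, with -nodes so the key file is plaintext
# (restricted to its owner) and -passin to avoid interactive prompts.
split_pfx() {
    openssl pkcs12 -in mywindowscert.pfx -nocerts -nodes -passin pass:test -out mycert.key || return 1
    chmod 600 mycert.key
    openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -passin pass:test -out mycert.crt.pem || return 1
    openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -passin pass:test -out mycert.ca.pem
}

# Checks to run before installing the parts anywhere:
# 1. the private key matches the client cert (same RSA modulus),
# 2. the client cert verifies against the extracted CA.
check_split() {
    k=$(openssl rsa -noout -modulus -in mycert.key 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in mycert.crt.pem 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || return 1
    openssl verify -CAfile mycert.ca.pem mycert.crt.pem >/dev/null 2>&1
}

# End-to-end run in a scratch directory; returns 0 on success.
split_and_check() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_test_bundle && split_pfx && check_split
    rc=$?; cd /; rm -rf "$dir"; return $rc
}
```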
Query a public key certificate
openssl x509 -in ssl-cert-www.immie.org.pem -noout -subject # Query certificate name. Must match Apache ServerName
# For instance:
# subject= /C=BE/ST=BBW/L=Brussels/O=immie.org/CN=www.immie.org
Generate a new self-signed SSL certificate for Apache server
See Apache.
Accept self-signed certificates (bypass browser warning)
- Internet Explorer
- Click on the error certificate icon in the address bar,
- click View certificates,
- then click Install certificate....
- The server's public certificate must be imported into the Trusted Root Certification Authorities store (and *not* into Intermediate CA, which is what the automatic mode selects).
Certificate authorities
Import CA on android
- Browse to the file, and click on it to import.
- Go to Settings → Security → Trusted credentials. User-added CA certificates appear in the User panel.