SSL: Difference between revisions
Jump to navigation
Jump to search
| (24 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Links == |
|||
== Checking Certificate Chain with OpenSSL == |
|||
* [http://www.networking4all.com/en/support/ssl+certificates/manuals/openssl/openssl+commands/ Networking 4 All - Most used OpenSSL commands] |
|||
== Questions == |
|||
* What are file types {{file|.crt}}, {{file|.pem}}, {{file|.key}} |
|||
* Given a file, how can recognize its type? |
|||
== Basic == |
|||
;.p12 |
|||
:A PKCS#12 container. Contains a '''X509 public key certificate''' and a '''private key'''. |
|||
;.crt |
|||
:Likely only a '''public key certificate'''. |
|||
== How-to == |
|||
=== Identify a certificate / private key file === |
|||
<source lang=bash> |
|||
## Identify a .crt file |
|||
file root.crt |
|||
# root.crt: PEM certificate |
|||
## .p12 -> .crt (extract public key certificate) |
|||
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt |
|||
openssl x509 -in mycert.crt -text |
|||
## .p7b -> .cer |
|||
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer |
|||
## If getting |
|||
# unable to load PKCS7 object |
|||
# 140038090782360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PKCS7 |
|||
openssl pkcs7 -print_certs -inform der -in cert.p7b -out cert.cer |
|||
## Note that our .cer is still not a PEM: |
|||
file cert.cer |
|||
# cert.cer: ASCII text |
|||
openssl pkcs7 -inform der -in cert.p7b -outform pem -out cert.cer |
|||
## ... still not a PEM ... |
|||
file cert.cer |
|||
# cert.cer: ASCII text |
|||
## .cer -> .pem |
|||
openssl x509 -in cert.cer -out cert.pem |
|||
</source> |
|||
=== Split PKCS#12 certificate into CA / Cert / Private key === |
|||
Use <code>openssl pkcs12</code> to split a pkcs#12 data into the CA / certificates / private keys component. By default, PKCS#12 produces '''PEM''' files [http://wiki.yobi.be/wiki/CAcert]. |
|||
<source lang=bash> |
|||
openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key |
|||
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem |
|||
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem |
|||
</source> |
|||
Splitting the certificates is for instance needed to import a Windows certificate needed to connect to an enterprise WiFi (see [[Linux Admin]]). |
|||
=== Generate PEM certificate from PKCS7 Root CA certificate === |
|||
This can be used to convert an exported Windows CA certificate ({{file|*.p7b}} files) into PEM format (as required by NetworkManager for instance). |
|||
<source lang=bash> |
|||
# The key option here is '-print_certs' |
|||
openssl pkcs7 -inform der -print_certs -in rootca.p7b -out rootca.pem |
|||
</source> |
|||
=== Checking Certificate Chain with OpenSSL === |
|||
[http://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL] |
[http://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL] |
||
== Change .p12 / .pfx password == |
=== Change .p12 / .pfx password === |
||
Say you have a private key / certificate file <tt>mycert.pfx</tt>, and you want to change its password: |
Say you have a private key / certificate file <tt>mycert.pfx</tt>, and you want to change its password: |
||
<source lang=bash> |
<source lang=bash> |
||
# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key') |
# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key') |
||
openssl pkcs12 -in mycert.pfx out mycert.pem -nodes # Don't encrypt private key at all |
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes # Don't encrypt private key at all |
||
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx |
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx |
||
rm mycert.pem # DON'T FORGET THIS! |
rm mycert.pem # DON'T FORGET THIS! |
||
</source> |
|||
=== Extract key from .p12/ .pfx === |
|||
* <code>openssl pkcs12</code> takes a file in pkcs#12 format (.p12/.pfx) and produces a file in PEM format, that is parseable with <code>openssl rsa</code>. The PEM may contain either private key, certificates, root certificates or even public keys. |
|||
<source lang=bash> |
|||
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes # Don't encrypt private key at all, don't output certificates |
|||
openssl rsa -noout -modulus -in mycert.pem # To extract the modulus |
|||
openssl rsa -noout -text -in mycert.pem # To extract all the fields |
|||
</source> |
|||
=== Query a public key certificate === |
|||
<source lang=bash> |
|||
openssl x509 -in ssl-cert-www.immie.org.pem -noout -subject # Query certificate name. Must match Apache ServerName |
|||
# For instance: |
|||
# subject= /C=BE/ST=BBW/L=Brussels/O=immie.org/CN=www.immie.org |
|||
</source> |
|||
=== Generate a new self-signed SSL certificate for Apache server === |
|||
See [[Apache]]. |
|||
=== Accept self-signed certificates (bypass browser warning) === |
|||
;Internet Explorer |
|||
* Click on the ''error certificate'' icon in address bar, |
|||
* Cick ''View certificates'', |
|||
* then click ''Install certificate...''. |
|||
* Server public certificate must be imported in the '''Trusted Root Certification Authorities''' (and *not* in ''Intermediate CA'' which is chosen in automatic mode). |
|||
=== Encrypt a file with AES === |
|||
To encrypt: |
|||
<source lang="bash"> |
|||
tar -czf - . | openssl enc -e -aes128 -pbkdf2 -out secured.tgz.enc |
|||
</source> |
|||
To decrypt: |
|||
<source lang="bash"> |
|||
openssl enc -d -aes128 -pbkdf2 -in secured.tgz.enc | tar xz -C test |
|||
</source> |
|||
=== Append CA to PEM certificate in a single file === |
|||
One can concat several PEM certificate in base64 format in a single file [https://serverfault.com/questions/282382/how-do-append-a-ca-to-an-ssl-certificate]: |
|||
-----BEGIN CERTIFICATE----- |
|||
(Your certificate's base64 data here) |
|||
-----END CERTIFICATE----- |
|||
-----BEGIN CERTIFICATE----- |
|||
(intermediate certificate's base64 data here) |
|||
-----END CERTIFICATE----- |
|||
-----BEGIN CERTIFICATE----- |
|||
(root certificate's base64 data here) |
|||
-----END CERTIFICATE----- |
|||
So, say we have the files {{file|ca.pem}}, {{file|interim-ca.pem}}, {{file|cert.pem}}, we can concat them with: |
|||
<source lang="bash"> |
|||
cat cert.pem interim-ca.pem ca.pem > chain.pem |
|||
</source> |
|||
=== Display the content of a certicate === |
|||
<source lang="bash"> |
|||
# https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/ |
|||
# For PEM (base64) certificates (*.cer, *.pem) |
|||
openssl x509 -in acs.cdroutertest.com.pem -text |
|||
# ... |
|||
# X509v3 extensions: |
|||
# X509v3 Authority Key Identifier: |
|||
# keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 <-- the ID of CA certificate |
|||
# |
|||
# X509v3 Subject Key Identifier: |
|||
# CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92 <-- the ID of this certificate |
|||
# ... |
|||
# For DER certificates (*.cer, *.der) |
|||
openssl x509 -in MYCERT.der -inform der -text |
|||
</source> |
|||
== Certificate authorities == |
|||
* [http://wiki.cacert.org/FAQ/ImportRootCert CACert FAQ]. |
|||
=== Import CA certificates on Android=== |
|||
* Browse to the file, and click on it to import. |
|||
* Go to ''Settings → Security → Trusted credentials''. User-added CA certificates appears in the ''User'' panel. |
|||
; Import CA certificate on Firefox (Android) |
|||
* Some versions of Firefox do not seem to use the Android CA Store. In that case, the CA certificate must be imported directly in Firefox. Unfortunately there is no easy way to do so. The best work-around is to download the certificate from a web server that serves the file with MIME type '''application/x-x509-ca-cert''' [https://www.jethrocarr.com/2013/05/17/firefox-mobile-for-android-cas/]. For client certificate, it must be '''application/x-x509-user-cert'''. |
|||
:* Copy the CA certificate to a web server you manage. We assume the certificate has a {{file|.crt}} extension. |
|||
:* Add to Apache configuration: |
|||
<source lang=apache> |
|||
AddType application/x-x509-ca-cert .crt |
|||
</source> |
|||
:* Don't forget to reload apache configuration |
|||
<source lang=bash> |
|||
service apache2 reload |
|||
</source> |
|||
=== Import CA certificate on Debian === |
|||
From [https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ brightbox.com]: |
|||
<source lang=bash> |
|||
sudo mkdir /usr/local/share/ca-certificates/cacert.org |
|||
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt |
|||
sudo update-ca-certificates |
|||
</source> |
</source> |
||
Revision as of 15:10, 4 November 2022
Links
Questions
- What are file types .crt, .pem, .key
- Given a file, how can recognize its type?
Basic
- .p12
- A PKCS#12 container. Contains a X509 public key certificate and a private key.
- .crt
- Likely only a public key certificate.
How-to
Identify a certificate / private key file
## Identify a .crt file
file root.crt
# root.crt: PEM certificate
## .p12 -> .crt (extract public key certificate)
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out mycert.crt
openssl x509 -in mycert.crt -text
## .p7b -> .cer
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
## If getting
# unable to load PKCS7 object
# 140038090782360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PKCS7
openssl pkcs7 -print_certs -inform der -in cert.p7b -out cert.cer
## Note that our .cer is still not a PEM:
file cert.cer
# cert.cer: ASCII text
openssl pkcs7 -inform der -in cert.p7b -outform pem -out cert.cer
## ... still not a PEM ...
file cert.cer
# cert.cer: ASCII text
## .cer -> .pem
openssl x509 -in cert.cer -out cert.pem
Split PKCS#12 certificate into CA / Cert / Private key
Use openssl pkcs12 to split a pkcs#12 data into the CA / certificates / private keys component. By default, PKCS#12 produces PEM files [1].
openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem
Splitting the certificates is for instance needed to import a Windows certificate needed to connect to an enterprise WiFi (see Linux Admin).
Generate PEM certificate from PKCS7 Root CA certificate
This can be used to convert an exported Windows CA certificate (*.p7b files) into PEM format (as required by NetworkManager for instance).
# The key option here is '-print_certs'
openssl pkcs7 -inform der -print_certs -in rootca.p7b -out rootca.pem
Checking Certificate Chain with OpenSSL
Checking A Remote Certificate Chain With OpenSSL
Change .p12 / .pfx password
Say you have a private key / certificate file mycert.pfx, and you want to change its password:
# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes # Don't encrypt private key at all
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx
rm mycert.pem # DON'T FORGET THIS!
Extract key from .p12/ .pfx
openssl pkcs12takes a file in pkcs#12 format (.p12/.pfx) and produces a file in PEM format, that is parseable withopenssl rsa. The PEM may contain either private key, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem # To extract the modulus
openssl rsa -noout -text -in mycert.pem # To extract all the fields
Query a public key certificate
openssl x509 -in ssl-cert-www.immie.org.pem -noout -subject # Query certificate name. Must match Apache ServerName
# For instance:
# subject= /C=BE/ST=BBW/L=Brussels/O=immie.org/CN=www.immie.org
Generate a new self-signed SSL certificate for Apache server
See Apache.
Accept self-signed certificates (bypass browser warning)
- Internet Explorer
- Click on the error certificate icon in address bar,
- Cick View certificates,
- then click Install certificate....
- Server public certificate must be imported in the Trusted Root Certification Authorities (and *not* in Intermediate CA which is chosen in automatic mode).
Encrypt a file with AES
To encrypt:
tar -czf - . | openssl enc -e -aes128 -pbkdf2 -out secured.tgz.enc
To decrypt:
openssl enc -d -aes128 -pbkdf2 -in secured.tgz.enc | tar xz -C test
Append CA to PEM certificate in a single file
One can concat several PEM certificate in base64 format in a single file [2]:
-----BEGIN CERTIFICATE----- (Your certificate's base64 data here) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (intermediate certificate's base64 data here) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (root certificate's base64 data here) -----END CERTIFICATE-----
So, say we have the files ca.pem, interim-ca.pem, cert.pem, we can concat them with:
cat cert.pem interim-ca.pem ca.pem > chain.pem
Display the content of a certicate
# https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate/
# For PEM (base64) certificates (*.cer, *.pem)
openssl x509 -in acs.cdroutertest.com.pem -text
# ...
# X509v3 extensions:
# X509v3 Authority Key Identifier:
# keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 <-- the ID of CA certificate
#
# X509v3 Subject Key Identifier:
# CC:31:0F:36:85:92:91:A8:0D:61:46:9E:9C:FE:9E:23:42:B9:D6:92 <-- the ID of this certificate
# ...
# For DER certificates (*.cer, *.der)
openssl x509 -in MYCERT.der -inform der -text
Certificate authorities
Import CA certificates on Android
- Browse to the file, and click on it to import.
- Go to Settings → Security → Trusted credentials. User-added CA certificates appears in the User panel.
- Import CA certificate on Firefox (Android)
- Some versions of Firefox do not seem to use the Android CA Store. In that case, the CA certificate must be imported directly in Firefox. Unfortunately there is no easy way to do so. The best work-around is to download the certificate from a web server that serves the file with MIME type application/x-x509-ca-cert [3]. For client certificate, it must be application/x-x509-user-cert.
- Copy the CA certificate to a web server you manage. We assume the certificate has a .crt extension.
- Add to Apache configuration:
AddType application/x-x509-ca-cert .crt
- Don't forget to reload apache configuration
service apache2 reload
Import CA certificate on Debian
From brightbox.com:
sudo mkdir /usr/local/share/ca-certificates/cacert.org
sudo wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt
sudo update-ca-certificates