SSL: Difference between revisions

From miki
Jump to navigation Jump to search
(Generate a new SSL certificate for Apache server)
Line 1: Line 1:
== Links ==
== Links ==
* [http://www.networking4all.com/en/support/ssl+certificates/manuals/openssl/openssl+commands/ Networking 4 All - Most used OpenSSL commands]
* [http://www.networking4all.com/en/support/ssl+certificates/manuals/openssl/openssl+commands/ Networking 4 All - Most used OpenSSL commands]

== Questions ==
* What are file types {{file|.crt}}, {{file|.pem}}, {{file|.key}}
* Given a file, how can recognize its type?


== Split PKCS#12 certificate into CA / Cert / Private key ==
== Split PKCS#12 certificate into CA / Cert / Private key ==

Revision as of 08:29, 7 May 2015

Links

Questions

  • What are file types .crt, .pem, .key
  • Given a file, how can recognize its type?

Split PKCS#12 certificate into CA / Cert / Private key

Use openssl pkcs12 to split a pkcs#12 data into the CA / certificates / private keys component. By default, PKCS#12 produces PEM files [1].

openssl pkcs12 -in mywindowscert.pfx -nocerts -out mycert.key
openssl pkcs12 -in mywindowscert.pfx -clcerts -nokeys -out mycert.crt.pem
openssl pkcs12 -in mywindowscert.pfx -cacerts -nokeys -out mycert.ca.pem

Checking Certificate Chain with OpenSSL

Checking A Remote Certificate Chain With OpenSSL

Change .p12 / .pfx password

Say you have a private key / certificate file mycert.pfx, and you want to change its password:

# Strangely we cannot pipe output of 1st command into 2nd (error 'No certificate matches private key')
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes         # Don't encrypt private key at all
openssl pkcs12 -export -in mycert.pem -out mycert-new.pfx
rm mycert.pem                                               # DON'T FORGET THIS!

Extract key from .p12/ .pfx

  • openssl pkcs12 takes a file in pkcs#12 format (.p12/.pfx) and produces a file in PEM format, that is parseable with openssl rsa. The PEM may contain either private key, certificates, root certificates or even public keys.
openssl pkcs12 -in mycert.pfx -out mycert.pem -nocerts -nodes  # Don't encrypt private key at all, don't output certificates
openssl rsa -noout -modulus -in mycert.pem                     # To extract the modulus
openssl rsa -noout -text -in mycert.pem                        # To extract all the fields

Generate a new SSL certificate for Apache server

  • Generate the certificate [2], and change permission
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl-cert-myserver.key -out ssl-cert-myserver.pem
sudo chgrp ssl-cert ssl-cert-myserver.key
sudo chmod 640 ssl-cert-myserver.key
sudo mv ssl-cert-myserver.key /etc/ssl/private
sudo mv ssl-cert-myserver.pem /etc/ssl/certs
  • Edit SSL config for Apache (typically file /etc/apache2/sites-available/default-ssl.conf):
<VirtualHost _default_:443>
DocumentRoot /var/www/website
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-myserver.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-myserver.key
</VirtualHost>
  • Restart Apache:
sudo service apache2 restart           # OR   /usr/local/apache/bin/apachectl restart