Openssl: Difference between revisions
|  (Created page with "===Stuff you need to remember for openssl===  For creating a self signed certificate chain, having a password makes things more of a PITA.. * Process to create chain without a password: <pre>   openssl genrsa -out ca.key 4096   openssl req -new -x509 -days 36500 -key ca.key -out ca.crt   openssl genrsa -out client.key 4096   openssl req -new -key client.key -out client.csr   openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client....") | mNo edit summary | ||
| Line 17: | Line 17: | ||
| If you WANT a password set for the certificate, then the genrsa command needs -des3 added as a switch.  That will require a password at that point. | If you WANT a password set for the certificate, then the genrsa command needs -des3 added as a switch.  That will require a password at that point. | ||
| [https://justin.kelly.org.au/how-to-create-a-self-sign-ssl-cert-with-no-pa/| Source Link for how to] | [https://justin.kelly.org.au/how-to-create-a-self-sign-ssl-cert-with-no-pa/| Source Link for how to] | ||
| == check ciphers for cert == | |||
| <pre> | |||
| #!/usr/bin/env bash | |||
| #https://blog.lxsang.me/post/id/31  | |||
| # OpenSSL requires the port number. | |||
| SERVER=$1 | |||
| # cool way to set defaults, if set or set default | |||
| # short circuit logic.  Spiffy trick. | |||
| #DELAY=${2:-} || DELAY=1 | |||
| DELAY=1 | |||
| ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g') | |||
| echo Obtaining cipher list from $(openssl version). | |||
| for cipher in ${ciphers[@]} | |||
| do | |||
|     echo -n Testing $cipher... | |||
|     result=$(echo -n | openssl s_client -cipher "$cipher"  -connect $SERVER 2>&1) | |||
|     if [[ "$result" =~ ":error:" ]] ; then | |||
|         error=$(echo -n $result | cut -d':' -f6) | |||
|         echo NO \($error\) | |||
|     else | |||
|         if echo $result | grep -q "Verify return code: 0 (ok)"; then | |||
|             echo YES | |||
|         else | |||
|             echo UNKNOWN RESPONSE | |||
|             echo $result | |||
|          fi | |||
|     fi | |||
| sleep $DELAY | |||
| done | |||
| </pre> | |||
| [[Category:openssl]] | [[Category:openssl]] | ||
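Review bot: the YES branch in the added script keys on `Verify return code: 0 (ok)`, which reports certificate chain validation, not whether the server accepted the cipher, so a server with a self-signed or otherwise unverifiable certificate lands in `UNKNOWN RESPONSE` for every cipher it actually negotiates; test for the negotiated cipher instead (the `Cipher is` line in the s_client output) and print the verify return code separately. Two smaller points in the same hunk: `SERVER=$1` is never checked and is expanded unquoted in `-connect $SERVER`, so a missing argument produces the same error for every cipher rather than a usage message, and `${ciphers[@]}` is a plain string rather than an array (the loop only works because of word splitting), so `for cipher in $ciphers` says what is meant. The commented-out `#DELAY=${2:-} || DELAY=1` line would not set a default either; `DELAY=${2:-1}` does.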
Revision as of 11:28, 21 September 2023
Stuff you need to remember for openssl
For creating a self-signed certificate chain, having a password makes things more of a PITA.
- Process to create chain without a password:
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl rsa -in client.key -out client.priv
cat client.crt ca.crt client.priv > client.pem
openssl x509 -text -noout -in ./client.pem
If you WANT a password set for the certificate, then the genrsa command needs -des3 added as a switch. That will require a password at that point. Source link for the how-to: https://justin.kelly.org.au/how-to-create-a-self-sign-ssl-cert-with-no-pa/
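The chain-building steps above, as an added example that is not from this wiki page or the linked how-to: the same openssl commands run non-interactively (with -subj, so there are no prompts to answer), followed by the two checks worth running before handing the bundle to anything: openssl verify of the leaf against the CA, and a comparison of the public key inside client.crt with the one derived from client.priv. The subject names, directory layout and function names are my own; it assumes an openssl 1.1.1 or 3.x CLI on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: build the CA + client chain from the
# procedure above without prompts, then check the result.
# Assumes: openssl CLI (1.1.1 or 3.x) on PATH. Subject names are made up.
set -eu

KEY_BITS=${KEY_BITS:-4096}   # same size as the wiki's commands

# build_chain DIR : create ca.key/ca.crt, client.key/client.csr/client.crt and the
# combined client.pem inside DIR. Every step is chained with && so a failure
# anywhere makes the function return non-zero.
build_chain() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir" &&
        # Self-signed CA. No -des3, so no passphrase prompt (the "PITA" above).
        openssl genrsa -out ca.key "$KEY_BITS" 2>/dev/null &&
        openssl req -new -x509 -days 36500 -key ca.key -out ca.crt \
            -subj "/CN=Example Test CA" &&
        # Client key and CSR, then sign the CSR with the CA.
        openssl genrsa -out client.key "$KEY_BITS" 2>/dev/null &&
        openssl req -new -key client.key -out client.csr \
            -subj "/CN=example-client" &&
        openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key \
            -set_serial 01 -out client.crt 2>/dev/null &&
        # Unencrypted copy of the key, then the bundle: leaf, CA, key.
        openssl rsa -in client.key -out client.priv 2>/dev/null &&
        cat client.crt ca.crt client.priv > client.pem
    )
}

# verify_chain DIR : prove the leaf really chains to the CA (exit 0 on "OK").
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null
}

# key_matches_cert DIR : the public key in the cert must equal the one derived
# from the private key, otherwise the bundle cannot complete a TLS handshake.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1/client.crt" -noout -pubkey)
    from_key=$(openssl pkey -in "$1/client.priv" -pubout)
    [ "$from_cert" = "$from_key" ]
}

# cert_issuer DIR : print who signed the leaf (should be the CA's subject).
cert_issuer() {
    openssl x509 -in "$1/client.crt" -noout -issuer
}

# Usage: run the whole thing in a scratch directory and show the results.
work=$(mktemp -d)
build_chain "$work"
verify_chain "$work" && echo "chain verifies against ca.crt"
key_matches_cert "$work" && echo "client.crt matches client.priv"
cert_issuer "$work"
openssl x509 -text -noout -in "$work/client.pem" | head -n 12
```

openssl verify only checks the leaf here; if you later add an intermediate CA, pass it with -untrusted so the whole path is built, and keep the bundle order (leaf first, then issuers) that client.pem already uses.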
check ciphers for cert
#!/usr/bin/env bash
# Adapted from https://blog.lxsang.me/post/id/31
# Tries every cipher this OpenSSL build knows against a server and reports which
# ones the server accepts. OpenSSL requires the port number, e.g. host:443.
set -u

SERVER=${1:?usage: $0 host:port [delay-seconds]}
# Optional second argument sets the pause between handshakes (default 1 second).
DELAY=${2:-1}

# 'ALL:eNULL' deliberately includes the null-encryption suites: a server that
# accepts one of those is misconfigured and you want that to show up as YES.
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo "Obtaining cipher list from $(openssl version)."

for cipher in $ciphers
do
    echo -n "Testing $cipher... "
    # TLS 1.3 suites (TLS_*) are selected with -ciphersuites, everything else
    # with -cipher; pin the protocol so the other list cannot be negotiated.
    if [[ $cipher == TLS_* ]]; then
        opts=(-tls1_3 -ciphersuites "$cipher")
    else
        opts=(-no_tls1_3 -cipher "$cipher")
    fi
    result=$(echo -n | openssl s_client "${opts[@]}" -connect "$SERVER" 2>&1)
    if [[ "$result" =~ ":error:" ]] ; then
        # Field 6 of an OpenSSL error line is the human-readable reason.
        error=$(grep -m1 ':error:' <<<"$result" | cut -d':' -f6)
        echo "NO ($error)"
    elif grep -q "Cipher is $cipher" <<<"$result"; then
        # Handshake completed with this cipher. Certificate validation is a
        # separate question, so report the verify return code alongside it.
        verify=$(grep -m1 'Verify return code' <<<"$result" | cut -d':' -f2-)
        echo "YES (verify:$verify)"
    else
        echo "UNKNOWN RESPONSE"
        echo "$result"
    fi
    sleep "$DELAY"
done