Openssl: Difference between revisions
Jump to navigation
Jump to search
| (One intermediate revision by the same user not shown) | |||
| Line 180: | Line 180: | ||
If the MD5 does not match, you have the wrong key paired to the wrong cert | If the MD5 does not match, you have the wrong key paired to the wrong cert | ||
</pre> | </pre> | ||
== Get root and intermediate certificates for a domain == | |||
<pre> | |||
export PORT=443 | |||
export URL=www.iwillfearnoevil.com | |||
openssl s_client -showcerts -verify 5 -connect ${URL}:${PORT} < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}' | |||
Will save each cert in a discrete files: | |||
cert1.pem cert2.pem | |||
They will NOT be in order! You must check each to see which cert it contains | |||
openssl x509 -text -noout -in ./cert1.pem | grep CN | |||
Issuer: C=US, O=Let's Encrypt, CN=R3 | |||
Subject: CN=*.iwillfearnoevil.com | |||
openssl x509 -text -noout -in ./cert2.pem | grep CN | |||
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1 | |||
Subject: C=US, O=Let's Encrypt, CN=R3 | |||
</pre> | |||
[[Category:openssl]] | [[Category:openssl]] | ||
Latest revision as of 09:52, 28 May 2024
Stuff you need to remember for openssl
Basic SSL verification
openssl x509 -text -noout -in ./cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
de:af:de:ad:be:ef:00:00:00:00:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Dec 27 09:34:35 2023 GMT
Not After : Mar 26 09:34:34 2024 GMT
Subject: CN = *.iwillfearnoevil.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c0:8e:bd:60:16:7d:e5:45:31:2c:ad:32:df:00:
c8:f7:04:05:49:f3:8a:33:b4:8e:89:93:21:83:0f:
ad:8b:c8:cd:62:05:3e:6f:c1:ec:00:7e:68:11:6b:
c3:56:bd:b5:76:3e:d6:ad:f1:93:a8:8d:82:7e:5d:
2d:66:88:74:2c:ad:48:a7:db:41:2e:24:f9:46:c8:
20:42:f3:18:ac:40:11:d0:0f:d9:a5:e7:e1:ea:b3:
d9:5e:5c:2d:b8:43:b3:27:82:a7:d7:9d:f6:35:75:
50:f1:9a:f1:7e:6e:d5:48:ba:aa:20:d0:5b:21:a9:
e4:3d:14:00:19:8a:6b:d1:c1:e2:63:43:66:8c:56:
65:ae:ec:a3:e9:52:8a:54:f6:df:d6:9d:cb:e1:b9:
7d:e8:4a:2c:92:a7:f3:2b:dd:92:f5:e0:b1:a8:36:
8d:52:2c:1a:7b:f3:36:23:d6:8c:d0:b6:71:0d:50:
54:85:f7:51:94:df:34:1d:75:9f:93:f5:59:7d:04:
1a:37:23:40:6a:16:1f:bc:8c:0e:b6:2e:0b:4b:67:
95:4e:a1:44:58:5f:60:c9:77:45:ce:0a:96:ca:b4:
f1:b0:c8:2d:25:8c:06:7b:bf:c1:95:15:6b:55:3c:
5d:59:0f:13:c0:1e:de:4b:ac:40:c0:e4:00:54:6c:
95:af
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
0B:FB:AD:A9:84:6D:9B:38:70:ED:D7:48:29:86:85:0F:12:4D:52:00
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:02:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.iwillfearnoevil.com, DNS:iwillfearnoevil.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1.666
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 48:B0:E3:6B:DA:A6:47:34:0F:E5:8A:02:FA:9D:30:EB:
1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
Timestamp : Dec 27 10:34:36.010 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:7B:84:19:09:A4:1B:93:10:05:15:A4:4D:
4F:24:D8:19:5B:F0:FD:34:69:90:4D:B7:B0:72:9B:2C:
10:30:97:24:02:20:5A:0F:A0:BA:62:F1:A9:9E:90:CC:
42:9A:88:3C:E0:3B:D6:40:41:C7:28:12:71:C8:18:BA:
70:55:C3:E9:55:7D
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:CD:D0:64:C5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
Timestamp : Dec 27 10:34:36.011 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:91:A2:2D:FC:12:B8:AD:0F:3F:20:A0:
B3:8A:5E:FA:EF:35:B5:6C:91:5F:4E:43:31:2E:06:54:
F7:73:48:73:51:02:21:00:9E:6C:62:2D:3A:E1:38:DB:
9D:DC:EE:CC:31:09:D8:5D:61:FA:ED:A2:F8:1F:50:48:
6A:77:6C:7C:A2:08:A2:48
Signature Algorithm: sha256WithRSAEncryption
4b:ef:86:ef:26:0f:6d:19:5b:c1:1c:bb:80:3d:f5:96:22:09:
fc:f9:1d:f1:50:ea:c6:c7:16:19:f1:fc:59:61:be:96:b3:c0:
bb:aa:bb:0f:6b:c6:de:9a:0c:72:92:ee:6a:ac:3e:92:4e:d4:
00:ed:7c:ba:cd:53:17:64:03:fc:bc:b7:e8:86:90:04:fb:fd:
dc:7d:62:a0:b7:75:3f:e4:9c:3b:ab:88:91:a9:c5:45:8a:36:
38:dc:b8:8d:53:fb:3f:5b:7f:49:3f:4d:7a:99:dc:97:82:6e:
c2:4d:7d:4a:f3:40:30:4f:0a:96:72:bc:3e:59:1c:c2:f7:51:
01:bc:f6:41:54:cc:28:d3:b0:b1:8b:b5:04:ff:36:4e:11:60:
f6:22:f2:20:a6:e7:56:1d:85:5a:c3:f3:d0:82:71:19:6a:8f:
99:f3:00:d0:d2:bd:99:18:6f:d2:d2:4f:ab:f3:34:af:55:c9:
52:22:0f:b4:1e:b7:fc:83:ac:77:02:95:52:ae:c0:b1:9a:99:
f6:dc:70:b3:a8:35:ba:66:50:6b:79:59:57:14:ad:35:65:ce:
1b:ea:64:3a:e9:81:18:20:a1:19:b2:e4:1a:ed:f9:86:b2:86:
65:31:48:77:dd:32:1e:09:78:ac:ae:76:cf:ef:51:aa:33:7b:
65:09:86:f7
Create cert chain without a password
For creating a self signed certificate chain, having a password makes things more of a PITA..
- Process to create chain without a password:
openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 36500 -key ca.key -out ca.crt openssl genrsa -out client.key 4096 openssl req -new -key client.key -out client.csr openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt openssl rsa -in client.key -out client.priv cat client.crt ca.crt client.priv > client.pem openssl x509 -text -noout -in ./client.pem
If you WANT a password set for the certificate, then the genrsa command needs -des3 added as a switch. That will require a password at that point. Source Link for how to
check ciphers for cert
#!/usr/bin/env bash
#https://blog.lxsang.me/post/id/31
# OpenSSL requires the port number.
SERVER=$1
# cool way to set defaults, if set or set default
# short circuit logic. Spiffy trick.
#DELAY=${2:-} || DELAY=1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if echo $result | grep -q "Verify return code: 0 (ok)"; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done
Example:
./check_ciphers.sh iwillfearnoevil.com:443 Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020. Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list) Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list) Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list) Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES Testing ECDHE-RSA-AES256-GCM-SHA384...YES Testing DHE-DSS-AES256-GCM-SHA384...YES Testing DHE-RSA-AES256-GCM-SHA384...YES Testing ECDHE-ECDSA-CHACHA20-POLY1305...YES Testing ECDHE-RSA-CHACHA20-POLY1305...YES
Verify Key Matches Cert
openssl x509 -modulus -noout -in ./Cert.pem | openssl md5 MD5(stdin)= hex string result openssl rsa -modulus -noout -in ./Key.pem | openssl md5 MD5(stdin)= hex string result If the MD5 does not match, you have the wrong key paired to the wrong cert
Get root and intermediate certificates for a domain
export PORT=443
export URL=www.iwillfearnoevil.com
openssl s_client -showcerts -verify 5 -connect ${URL}:${PORT} < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'
Will save each cert in a discrete files:
cert1.pem cert2.pem
They will NOT be in order! You must check each to see which cert it contains
openssl x509 -text -noout -in ./cert1.pem | grep CN
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=*.iwillfearnoevil.com
openssl x509 -text -noout -in ./cert2.pem | grep CN
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject: C=US, O=Let's Encrypt, CN=R3