OpenSSL Command Line Utilities
OpenSSL Quick Reference Guide
OpenSSL Quick Reference Guide
The Most Common OpenSSL Commands
How to use OpenSSL and the Internet PKI on Linux systems
OpenSSL PKI Tutorial
Formats
Privacy Enhanced Mail (PEM) => Historical container format, used now for BASE64 translation of the x509 ASN.1 key
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
X509 File Extensions
The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly. Correctly labeled certificates will be much easier to manipulat
Encodings (also used as extensions)
- .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
- .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
Common Extensions
- .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems
- CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer) The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
- .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
s_client
How to view certificate chain using openssl
How to extract the Root CA and Subordinate CA from a certificate chain in Linux?
CA Certificates
Creating a CA
IBM: SSL mit nicht vertrauenswürdigen Zertifikaten konfigurieren
IBM: Stammzertifizierungsstelle unter iOS installieren
$ openssl req \ -new \ -x509 \ -days 1095 \ -extensions v3_ca \ -keyout ca.key \ -out ca.crt \ -subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti CA/CN=www.fablabwinti.ch/emailAddress=info@fablabwinti.ch" Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ca.key: ASCII text => encrypted private key of the certificate (with PEM password) ca.crt/pem: PEM certificate => public certificate (which includes the public key but NOT the private key) ca.srl: ASCII text => CA serial number $ openssl genrsa \ -out rfid.key 2048 $ openssl genrsa \ -out doorlock.key 2048 $ openssl req \ -out rfid.csr \ -key rfid.key \ -new \ -subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti/CN=RFID" $ openssl req \ -out doorlock.csr \ -key doorlock.key \ -new \ -subj "/C=CH/ST=Zurich/L=Winterthur/O=FabLab Winti/CN=Door Lock" $ openssl x509 \ -req \ -in rfid.csr \ -CA ca.crt \ -CAkey ca.key \ -CAcreateserial \ -out rfid.crt \ -days 1095 $ openssl x509 \ -req \ -in doorlock.csr \ -CA ca.crt \ -CAkey ca.key \ -CAcreateserial \ -out doorlock.crt \ -days 1095 rfid.key: PEM RSA private key => private key of the certificate rfid.csr: PEM certificate request => PKCS10 format: subject + public key of the certificate rfid.crt/pem: PEM certificate => public certificate (which includes the public key but NOT the private key) Convert to Binary $ openssl x509 -in rfid.crt -out rfid.bin.crt -outform DER $ openssl rsa -in rfid.key -out rfid.bin.key -outform DER Binary to C Array $ xxd.exe -i rfid.bin.key > rfid.bin.key.h $ xxd.exe -i rfid.bin.crt > rfid.bin.crt.h -newkey arg rsa:nbits generates an RSA key nbits in size dsa:filename generates a DSA key using the parameters in the file filename ec:filename generates EC key (usable both with ECDSA or ECDH algorithms) gost2001:filename generates GOST R 34.10-2001 key (requires ccgost engine configured in the configuration file)
Aussteller: E = info@fablabwinti.ch CN = www.fablabwinti.ch O = FabLab Winti L = Winterthur S = Zurich C = CH Antragsteller: E = info@fablabwinti.ch CN = www.fablabwinti.ch OU = RFID O = FabLab Winti L = Winterthur S = Zurich C = CH $ openssl x509 -in doorlock.crt -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: bd:ee:65:f3:e8:39:38:af Signature Algorithm: sha256WithRSAEncryption Issuer: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti CA, CN=www.fablabwinti.ch/emailAddress=info@fablabwinti.ch Validity Not Before: Sep 15 13:38:25 2016 GMT Not After : Sep 15 13:38:25 2019 GMT Subject: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti, CN=Door Lock Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b3:1c:33:74:3b:53:40:7e:be:0e:96:e8:77:e3: [...] Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 10:55:c7:0d:18:be:52:fb:bc:18:1f:c4:94:82:11:e0:f8:d5: [...] $ openssl x509 -in server.crt -noout -fingerprint -sha1 SHA1 Fingerprint=26:86:55:5A:F9:00:FF:67:AC:57:55:2D:A6:7A:2E:A1:39:42:A4:2C $ openssl x509 -in server.crt -noout -fingerprint -sha256 SHA256 Fingerprint=CA:C3:F8:37:53:43:31:C6:B9:01:FC:62:85:2E:0D:70:F4:24:62:B7:A6:C4:17:3C:11:D2:4D:B9:62:5B:F2:C3
Diffie-Hellman
- Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)
- Elliptic-Curve Diffie-Hellman (ECDH) key exchange
- ECDSA algorithm
Guide to Deploying Diffie-Hellman for TLS
Making the Key Exchange stronger
Which elliptic curve should I use?
$ openssl ecparam -list_curves [...] prime256v1 [...] secp384r1 [...]
FAQ
qmail / Dovecot
qmail: $ cd /var/qmail/control/ # Request $ openssl req -new -nodes -out req.pem -keyout servercert.pem # Sign $ openssl req -new -x509 -nodes -out servercert.pem -days 366 -keyout servercert.pem $ openssl ciphers > tlsclientciphers $ openssl ciphers > tlsserverciphers # Display certification request $ openssl req -text -noout -in req.pem # Display certificate information $ openssl x509 -text -noout -in servercert.pem # Change permission $ chown vpopmail:vchkpw /var/qmail/control/servercert.pem Dovecot: mkdir /usr/local/etc/dovecot/ssl mkdir /usr/local/etc/dovecot/ssl/private mkdir /usr/local/etc/dovecot/ssl/certs cd /usr/local/share/examples/dovecot/ env SSLDIR=/usr/local/etc/dovecot/ssl /usr/local/share/examples/dovecot/mkcert.sh Convert PEM to DER $ cd /var/qmail/control $ openssl x509 -in servercert.pem -outform der -out servercert.crt $ cd /usr/local/etc/dovecot/ssl/certs $ openssl x509 -in dovecot.pem -outform der -out dovecot.crt # Copy / Install DER certificate to iPhone $ cp servercert.crt [...] $ cp dovecot.crt [...] /usr/local/etc/dovecot/ssl/certs/dovecot.crt /var/qmail/control/servercert.crt
OPENSSL=${OPENSSL-openssl} SSLDIR=${SSLDIR-/etc/ssl} OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf} CERTDIR=$SSLDIR/certs KEYDIR=$SSLDIR/private CERTFILE=$CERTDIR/dovecot.pem KEYFILE=$KEYDIR/dovecot.pem $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2 chmod 0600 $KEYFILE echo $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
[ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] # country (2 letter code) C=CH # State or Province Name (full name) ST=Zurich # Locality Name (eg. city) L=Winterthur # Organization (eg. company) O=tE-clan Server # Organizational Unit Name (eg. section) OU=IMAP server # Common Name (*.example.com is also possible) CN=imap.te-clan.ch # E-mail contact emailAddress=bachi@te-clan.ch [ cert_type ] nsCertType = server