{"id":5209,"date":"2016-09-15T11:31:55","date_gmt":"2016-09-15T11:31:55","guid":{"rendered":"http:\/\/blog.bachi.net\/?p=5209"},"modified":"2023-08-17T09:35:23","modified_gmt":"2023-08-17T09:35:23","slug":"openssl-by-example","status":"publish","type":"post","link":"https:\/\/blog.bachi.net\/?p=5209","title":{"rendered":"OpenSSL by Example"},"content":{"rendered":"<p><a href=\"https:\/\/wiki.openssl.org\/index.php\/Command_Line_Utilities\">OpenSSL Command Line Utilities<\/a><br \/>\n<a href=\"https:\/\/www.digicert.com\/ssl-support\/openssl-quick-reference-guide.htm\">OpenSSL Quick Reference Guide<\/a><br \/>\n<a href=\"https:\/\/www.digicert.com\/kb\/ssl-support\/openssl-quick-reference-guide.htm\">OpenSSL Quick Reference Guide<\/a><br \/>\n<a href=\"https:\/\/www.sslshopper.com\/article-most-common-openssl-commands.html\">The Most Common OpenSSL Commands<\/a><br \/>\n<a href=\"https:\/\/www.redhat.com\/sysadmin\/openssl-and-internet-pki\">How to use OpenSSL and the Internet PKI on Linux systems<\/a><br \/>\n<a href=\"https:\/\/pki-tutorial.readthedocs.io\/en\/latest\/\">OpenSSL PKI Tutorial<\/a><\/p>\n<p><!-- -------------------------------------------------------------------------------------------- --><\/p>\n<hr\/>\n<h1>Formats<\/h1>\n<p>Privacy Enhanced Mail (PEM) => Historical container format, used now for BASE64 translation of the x509 ASN.1 key<\/p>\n<p><a href=\"https:\/\/support.ssl.com\/Knowledgebase\/Article\/View\/19\/0\/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them\">DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them<\/a><br \/>\n<a href=\"http:\/\/serverfault.com\/questions\/9708\/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file\">What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?<\/a><\/p>\n<h3>X509 File Extensions<\/h3>\n<p>The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat<\/p>\n<h4>Encodings (also used as extensions)<\/h4>\n<ul>\n<li>.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be \u201cI have a DER encoded certificate\u201d not \u201cI have a DER certificate\u201d.<\/li>\n<li>.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a \u201c\u2014\u2013 BEGIN \u2026\u201d line.<\/li>\n<\/ul>\n<h4>Common Extensions<\/h4>\n<ul>\n<li>.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems<\/li>\n<li>CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and\/or viewing certificate contents.<\/li>\n<li>.KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.<\/li>\n<\/ul>\n<p><!-- -------------------------------------------------------------------------------------------- --><\/p>\n<hr\/>\n<h1>s_client<\/h1>\n<p><a href=\"https:\/\/serverfault.com\/questions\/1011294\/how-to-view-certificate-chain-using-openssl\">How to view certificate chain using openssl<\/a><br \/>\n<a href=\"https:\/\/unix.stackexchange.com\/questions\/368123\/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux\">How to extract the Root CA and Subordinate CA from a certificate chain in Linux?<\/a><\/p>\n<p><!-- -------------------------------------------------------------------------------------------- --><\/p>\n<hr\/>\n<h1>CA Certificates<\/h1>\n<p><a href=\"https:\/\/www.phildev.net\/ssl\/creating_ca.html\">Creating a CA<\/a><br \/>\n<a href=\"https:\/\/www.ibm.com\/support\/knowledgecenter\/de\/SSHSCD_7.1.0\/com.ibm.worklight.installconfig.doc\/admin\/c_ssl_config.html\">IBM: SSL mit nicht vertrauensw\u00fcrdigen Zertifikaten konfigurieren<\/a><br \/>\n<a href=\"https:\/\/www.ibm.com\/support\/knowledgecenter\/de\/SSHSCD_7.1.0\/com.ibm.worklight.installconfig.doc\/admin\/t_installing_root_CA_iOS.html\">IBM: Stammzertifizierungsstelle unter iOS installieren<\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ openssl req \\\r\n-new \\\r\n-x509 \\\r\n-days 1095 \\\r\n-extensions v3_ca \\\r\n-keyout ca.key \\\r\n-out ca.crt \\\r\n-subj &quot;\/C=CH\/ST=Zurich\/L=Winterthur\/O=FabLab Winti CA\/CN=www.fablabwinti.ch\/emailAddress=info@fablabwinti.ch&quot;\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n\r\nca.key:     ASCII text      =&gt; encrypted private key of the certificate (with PEM password)\r\nca.crt\/pem: PEM certificate =&gt; public certificate (which includes the public key but NOT the private key)\r\nca.srl:     ASCII text      =&gt; CA serial number\r\n\r\n$ openssl genrsa \\\r\n-out rfid.key 2048\r\n\r\n$ openssl genrsa \\\r\n-out doorlock.key 2048\r\n\r\n$ openssl req \\\r\n-out rfid.csr \\\r\n-key rfid.key \\\r\n-new \\\r\n-subj &quot;\/C=CH\/ST=Zurich\/L=Winterthur\/O=FabLab Winti\/CN=RFID&quot;\r\n\r\n$ openssl req \\\r\n-out doorlock.csr \\\r\n-key doorlock.key \\\r\n-new \\\r\n-subj &quot;\/C=CH\/ST=Zurich\/L=Winterthur\/O=FabLab Winti\/CN=Door Lock&quot;\r\n\r\n$ openssl x509 \\\r\n-req \\\r\n-in rfid.csr \\\r\n-CA ca.crt \\\r\n-CAkey ca.key \\\r\n-CAcreateserial \\\r\n-out rfid.crt \\\r\n-days 1095\r\n\r\n$ openssl x509 \\\r\n-req \\\r\n-in doorlock.csr \\\r\n-CA ca.crt \\\r\n-CAkey ca.key \\\r\n-CAcreateserial \\\r\n-out doorlock.crt \\\r\n-days 1095\r\n\r\nrfid.key:     PEM RSA private key     =&gt; private key of the certificate\r\nrfid.csr:     PEM certificate request =&gt; PKCS10 format: subject + public key of the certificate\r\nrfid.crt\/pem: PEM certificate         =&gt; public certificate (which includes the public key but NOT the private key)\r\n\r\nConvert to Binary\r\n$ openssl x509 -in rfid.crt -out rfid.bin.crt -outform DER\r\n$ openssl rsa -in rfid.key -out rfid.bin.key -outform DER\r\n\r\nBinary to C Array\r\n$ xxd.exe -i rfid.bin.key &gt; rfid.bin.key.h\r\n$ xxd.exe -i rfid.bin.crt &gt; rfid.bin.crt.h\r\n\r\n-newkey arg\r\n  rsa:nbits          generates an RSA key nbits in size\r\n  dsa:filename       generates a DSA key using the parameters in the file filename\r\n  ec:filename        generates EC key (usable both with ECDSA or ECDH algorithms)\r\n  gost2001:filename  generates GOST R 34.10-2001 key (requires ccgost engine configured in the configuration file)\r\n  \r\n<\/pre>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nAussteller:\r\nE = info@fablabwinti.ch\r\nCN = www.fablabwinti.ch\r\nO = FabLab Winti\r\nL = Winterthur\r\nS = Zurich\r\nC = CH\r\n\r\nAntragsteller:\r\nE = info@fablabwinti.ch\r\nCN = www.fablabwinti.ch\r\nOU = RFID\r\nO = FabLab Winti\r\nL = Winterthur\r\nS = Zurich\r\nC = CH\r\n\r\n$ openssl x509 -in doorlock.crt -noout -text\r\nCertificate:\r\n    Data:\r\n        Version: 1 (0x0)\r\n        Serial Number:\r\n            bd:ee:65:f3:e8:39:38:af\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti CA, CN=www.fablabwinti.ch\/emailAddress=info@fablabwinti.ch\r\n        Validity\r\n            Not Before: Sep 15 13:38:25 2016 GMT\r\n            Not After : Sep 15 13:38:25 2019 GMT\r\n        Subject: C=CH, ST=Zurich, L=Winterthur, O=FabLab Winti, CN=Door Lock\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:b3:1c:33:74:3b:53:40:7e:be:0e:96:e8:77:e3:\r\n                    &#x5B;...]\r\n                Exponent: 65537 (0x10001)\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n         10:55:c7:0d:18:be:52:fb:bc:18:1f:c4:94:82:11:e0:f8:d5:\r\n         &#x5B;...]\r\n\r\n$ openssl x509 -in server.crt -noout -fingerprint -sha1\r\nSHA1 Fingerprint=26:86:55:5A:F9:00:FF:67:AC:57:55:2D:A6:7A:2E:A1:39:42:A4:2C\r\n\r\n$ openssl x509 -in server.crt -noout -fingerprint -sha256\r\nSHA256 Fingerprint=CA:C3:F8:37:53:43:31:C6:B9:01:FC:62:85:2E:0D:70:F4:24:62:B7:A6:C4:17:3C:11:D2:4D:B9:62:5B:F2:C3\r\n\r\n<\/pre>\n<p><!-- -------------------------------------------------------------------------------------------- --><\/p>\n<hr\/>\n<h1>Diffie-Hellman<\/h1>\n<ul>\n<li>Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE)<\/li>\n<li>Elliptic-Curve Diffie-Hellman (ECDH) key exchange<\/li>\n<li>ECDSA algorithm<\/li>\n<\/ul>\n<p><a href=\"https:\/\/weakdh.org\/sysadmin.html\">Guide to Deploying Diffie-Hellman for TLS<\/a><br \/>\n<a href=\"https:\/\/community.letsencrypt.org\/t\/making-the-key-exchange-stronger\/8116\">Making the Key Exchange stronger<\/a><\/p>\n<p><a href=\"http:\/\/security.stackexchange.com\/questions\/78621\/which-elliptic-curve-should-i-use\">Which elliptic curve should I use?<\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ openssl ecparam -list_curves\r\n&#x5B;...]\r\nprime256v1\r\n&#x5B;...]\r\nsecp384r1\r\n&#x5B;...]\r\n<\/pre>\n<p><!-- -------------------------------------------------------------------------------------------- --><\/p>\n<hr\/>\n<h1>FAQ<\/h1>\n<p><a href=\"http:\/\/superuser.com\/questions\/226192\/openssl-without-prompt\">OpenSSL without prompt<\/a><\/p>\n<h3>qmail \/ Dovecot<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nqmail:\r\n  $ cd \/var\/qmail\/control\/\r\n\r\n  # Request\r\n  $ openssl req -new -nodes -out req.pem -keyout servercert.pem\r\n \r\n  # Sign\r\n  $ openssl req -new -x509 -nodes -out servercert.pem -days 366 -keyout servercert.pem\r\n  $ openssl ciphers &gt; tlsclientciphers\r\n  $ openssl ciphers &gt; tlsserverciphers\r\n \r\n  # Display certification request\r\n  $ openssl req -text -noout -in req.pem\r\n\r\n  # Display certificate information\r\n  $ openssl x509 -text -noout -in servercert.pem\r\n\r\n  # Change permission\r\n  $ chown vpopmail:vchkpw \/var\/qmail\/control\/servercert.pem\r\n\r\nDovecot:\r\n  mkdir \/usr\/local\/etc\/dovecot\/ssl\r\n  mkdir \/usr\/local\/etc\/dovecot\/ssl\/private\r\n  mkdir \/usr\/local\/etc\/dovecot\/ssl\/certs\r\n  cd  \/usr\/local\/share\/examples\/dovecot\/\r\n  env SSLDIR=\/usr\/local\/etc\/dovecot\/ssl \/usr\/local\/share\/examples\/dovecot\/mkcert.sh\r\n\r\nConvert PEM to DER\r\n  $ cd \/var\/qmail\/control\r\n  $ openssl x509 -in servercert.pem -outform der -out servercert.crt\r\n\r\n  $ cd \/usr\/local\/etc\/dovecot\/ssl\/certs\r\n  $ openssl x509 -in dovecot.pem -outform der -out dovecot.crt\r\n\r\n  # Copy \/ Install DER certificate to iPhone\r\n  $ cp servercert.crt &#x5B;...]\r\n  $ cp dovecot.crt &#x5B;...]\r\n\r\n  \/usr\/local\/etc\/dovecot\/ssl\/certs\/dovecot.crt\r\n  \/var\/qmail\/control\/servercert.crt\r\n<\/pre>\n<pre class=\"brush: plain; title: mkcert.sh; notranslate\" title=\"mkcert.sh\">\r\nOPENSSL=${OPENSSL-openssl}\r\nSSLDIR=${SSLDIR-\/etc\/ssl}\r\nOPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}\r\n\r\nCERTDIR=$SSLDIR\/certs\r\nKEYDIR=$SSLDIR\/private\r\n\r\nCERTFILE=$CERTDIR\/dovecot.pem\r\nKEYFILE=$KEYDIR\/dovecot.pem\r\n\r\n$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2\r\nchmod 0600 $KEYFILE\r\necho\r\n$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2\r\n<\/pre>\n<pre class=\"brush: plain; title: dovecot-openssl.cnf; notranslate\" title=\"dovecot-openssl.cnf\">\r\n&#x5B; req ]\r\ndefault_bits = 1024\r\nencrypt_key = yes\r\ndistinguished_name = req_dn\r\nx509_extensions = cert_type\r\nprompt = no\r\n\r\n&#x5B; req_dn ]\r\n# country (2 letter code)\r\nC=CH\r\n\r\n# State or Province Name (full name)\r\nST=Zurich\r\n\r\n# Locality Name (eg. city)\r\nL=Winterthur\r\n\r\n# Organization (eg. company)\r\nO=tE-clan Server\r\n\r\n# Organizational Unit Name (eg. section)\r\nOU=IMAP server\r\n\r\n# Common Name (*.example.com is also possible)\r\nCN=imap.te-clan.ch\r\n\r\n# E-mail contact\r\nemailAddress=bachi@te-clan.ch\r\n\r\n&#x5B; cert_type ]\r\nnsCertType = server\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSL Command Line Utilities OpenSSL Quick Reference Guide OpenSSL Quick Reference Guide The Most Common OpenSSL Commands How to use OpenSSL and the Internet PKI on Linux systems OpenSSL PKI Tutorial Formats Privacy Enhanced Mail (PEM) => Historical container format, used now for BASE64 translation of the x509 ASN.1 key DER vs. CRT vs. CER [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5209","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/5209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5209"}],"version-history":[{"count":24,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/5209\/revisions"}],"predecessor-version":[{"id":14218,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=\/wp\/v2\/posts\/5209\/revisions\/14218"}],"wp:attachment":[{"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bachi.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}