x509v3_config OPENSSL - yar145/mytestrepo1 GitHub Wiki
Several OpenSSL commands can add extensions to a certificate or certificate request based on the contents of a configuration file and CLI options such as -addext.
Example OpenSSL Configuration File
Manually Generate a Certificate Signing Request (CSR) Using OpenSSL
Manipulating ssl certificates
Testing ssl cert from server
To find out whether an HTTPS or other TLS-enabled service is serving the right certificate, you can use openssl as a client and pull down the certificate it presents:
printf '\n' | openssl s_client -connect ipa.example.com:443
And observe the output for the certificate information.
To test SNI, add the parameter -servername myurl.example.com. Without it, a server that hosts several names may hand back its default certificate rather than the one for myurl.example.com, so a missing -servername can make a correctly configured host look wrong.
Reference: weblink 6 https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
Certificate subject
X.509 IETF PKIX (latest version RFC 5280) is a well accepted profile for certificates. From section 4.1.2.4, the following attribute types must be supported (the OpenSSL long name and, where one exists, the short name are given in parentheses):
country (countryName, C),
organization (organizationName, O),
organizational unit (organizationalUnitName, OU),
distinguished name qualifier (dnQualifier),
state or province name (stateOrProvinceName, ST),
common name (commonName, CN) and
serial number (serialNumber).
There's also a list of elements that should be supported:
locality (localityName, L),
title (title),
surname (surname, SN),
given name (givenName, GN),
initials (initials),
pseudonym (pseudonym) and
generation qualifier (generationQualifier).
generationQualifier
The generationQualifier attribute contains the part of the name which typically is the suffix, as in "IIIrd".
attributetype ( 2.5.4.44
NAME 'generationQualifier'
DESC 'RFC2256: name qualifier indicating a generation'
SUP name )
dnQualifier
The dnQualifier attribute type specifies disambiguating information to add to the relative distinguished name of an entry. It is intended for use when merging data from multiple sources in order to prevent conflicts between entries which would otherwise have the same name. It is recommended that the value of the dnQualifier attribute be the same for all entries from a particular source.
attributetype ( 2.5.4.46
NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
How do I verify that a private key matches a certificate? (OpenSSL)
How do I verify that a private key matches a certificate? To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key. The moduli are long, so both are piped through md5 below purely to make them short enough to compare by eye; the hash has no security role here.
To verify the consistency of the RSA private key: openssl rsa -check -noout -in myserver.key
It should print "RSA key ok". If it doesn't say "RSA key ok", it isn't OK!
To view the modulus of the RSA private key (hashed, so it is short enough to compare): openssl rsa -modulus -noout -in myserver.key | openssl md5
To view the modulus of the RSA public key in a certificate: openssl x509 -modulus -noout -in myserver.crt | openssl md5
If the first command shows any errors, or if the modulus of the public key in the certificate and the modulus of the private key do not exactly match, then you're not using the correct private key. You can either create a brand new key and CSR and contact support, or you can search for any other private keys on the system and see if they match. Note that -modulus is an RSA-only concept; for EC or other key types compare the public keys instead (openssl pkey -pubout for the key against openssl x509 -pubkey for the certificate).
To search for all private keys on your server (the glob is quoted so the shell does not expand it in the current directory): find / -type f -name '*.key'
ANSWER:
openssl rsa -modulus -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5
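The modulus comparison above only applies to RSA keys. The following script is an added example, not code from the original wiki page: it generalizes the check to any key type by hashing the public key derived from the private key and the public key carried in the certificate and comparing the two, and it includes a self-test on throwaway RSA and EC key pairs that it generates itself. It assumes openssl 1.1.1 or newer on PATH; the file names myserver.key and myserver.crt in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original wiki page: decide whether a private key
# belongs to a certificate by comparing the public keys they carry, which works
# for RSA and EC keys alike (the -modulus trick is RSA-only).
# Assumes openssl 1.1.1 or newer on PATH; file names are placeholders.

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
pubkey_hash_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER SubjectPublicKeyInfo embedded in a certificate file.
pubkey_hash_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 when the key matches the certificate, 1 otherwise. Both inputs are
# parsed first so that two unreadable files can never "match" on the hash of
# empty input.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    [ "$(pubkey_hash_from_key "$1")" = "$(pubkey_hash_from_cert "$2")" ]
}

# Self-test on throwaway material generated here (constructed, not real keys):
# an RSA pair and an EC pair; each key must match only its own certificate.
selftest() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rsa.key" -out "$d/rsa.crt" \
        -subj /CN=rsa-test -days 1 >/dev/null 2>&1 || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$d/ec.key" -out "$d/ec.crt" \
        -subj /CN=ec-test -days 1 >/dev/null 2>&1 || return 1
    key_matches_cert "$d/rsa.key" "$d/rsa.crt" || return 1
    key_matches_cert "$d/ec.key"  "$d/ec.crt"  || return 1
    if key_matches_cert "$d/rsa.key" "$d/ec.crt"; then return 1; fi
    if key_matches_cert "$d/ec.key"  "$d/rsa.crt"; then return 1; fi
    rm -rf "$d"
}

# Usage: sh keymatch.sh myserver.key myserver.crt
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $1 belongs to $2"
    else
        echo "MISMATCH: $1 does not belong to $2" >&2
        exit 1
    fi
fi
```

Parsing both files before hashing matters: piping an unreadable key and an unreadable certificate straight into a digest would produce the same hash of empty input on both sides and report a false match.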
Check an SSL certificate inline, online (pass -servername so that an SNI host returns the certificate for the name you are testing):
echo | openssl s_client -connect server_domain_name:443 -servername server_domain_name 2>/dev/null | openssl x509 -noout -subject -dates
Convert a .p12 file into the CA certificate, the client certificate and the client private key:
openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
How to add an LDAP server certificate to the trusted list and enable certificate verification
cp ldapserver.example.com.pem /etc/pki/ca-trust/source/anchors/ldapserver.example.com.crt
update-ca-trust extract
Whatever you copy into anchors/ is treated as a trust anchor, so use the certificate of the CA that issued the LDAP server certificate, or the server certificate itself only if it is self-signed.
see also /etc/pki/ca-trust/source/README:
This directory /etc/pki/ca-trust/source/ contains CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a high priority - higher than the ones found in /usr/share/pki/ca-trust-source/.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
Copy it to the /etc/pki/ca-trust/source/anchors/ subdirectory, and run the update-ca-trust command.
If your certificate is in the extended BEGIN TRUSTED file format, then place it into the main source/ directory instead.
=============================================================================
Certificate transformation
How to get the SHA certificate fingerprint
openssl x509 -in cert.pem -inform pem -noout -fingerprint -sha1
(the certificate must be passed with -in; use -sha256 for a SHA-256 fingerprint, and add -text to dump the whole certificate as well)
How to form a PKCS#12 from PEM (without password)
openssl pkcs12 -export -out slw-private.p12 -in slw-private.pem -inkey slw-private.key -passout pass: -nokeys
Note that -nokeys leaves the private key out of the .p12, so only the certificate is packaged; drop -nokeys if the key should be included.
How to get a certificate in DER format from PEM
openssl x509 -outform der -in slv.pem -out slv.der