OpenSSL
Commands
A small guide to common ssl operations.
*** Certificates ***
Create
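# Generate an RSA private key. 1024-bit RSA is too weak for new keys;
# 2048 bits is the usual minimum today.
# key.pem is written without a passphrase, so restrict who can read it.
openssl genrsa -out key.pem 2048
chmod 600 key.pem
# Self-signed
# -sha256 makes the signature digest explicit; older OpenSSL builds may
# otherwise default to a weaker digest.
openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 1095
# Create Request
openssl req -new -sha256 -key key.pem -out cert.csr
# Certificate Emission (fake external CA)
# Signs cert.csr with the demo CA key. Note that -out cert.pem overwrites the
# self-signed certificate created above. This CA is a stand-in for a real one,
# so treat the certificates it issues as test-only.
openssl ca -keyfile ../../demoCA/private/cakey.pem -cert ../../demoCA/cacert.pem -in cert.csr -out cert.pem -days 1095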
View
# Dump a certificate in human-readable form (the PEM block is printed too,
# because -noout is not given).
openssl x509 -in cert.pem -text
# Dump a certificate request without re-printing its PEM encoding.
openssl req -in namirial_pec_mailsigner2.csr -text -noout
openssl req -in cert.csr -text -noout
# Dump an RSA key. This prints the private components (private exponent,
# primes) in clear text: keep it away from shared terminals, logs and
# shell transcripts.
openssl rsa -in key.pem -text -noout
Format conversion
# Convert a DER-encoded (binary) certificate to PEM; PEM is the default
# output format of `openssl x509`.
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
*** Hash ***
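# Digest of a file. SHA-1 is no longer collision-resistant, so use SHA-256
# for integrity checks; fall back to -sha1 only to compare against a digest
# that was published as SHA-1.
openssl dgst -sha256 pyOpec.py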
*** SMIME ***
SMime commands
Sign
# Sign mail.txt with key.pem / cert.pem; -certfile adds extra certificates
# (e.g. the issuing chain) to the signed message.
# NOTE(review): on older OpenSSL builds the default signing digest may be
# SHA-1; consider adding `-md sha256` — confirm against the installed version.
openssl smime -sign -signer cert.pem -certfile mycert.crt -inkey key.pem -in mail.txt -out mail.txt.signed
# Same operation with the private key referenced through the "chil" engine
# (-keyform engine, key id rsa-mykey1) rather than read from a PEM file.
# NOTE(review): no -signer certificate is given on this line — confirm that
# the command works as written.
openssl smime -sign -engine chil -keyform engine -certfile mycert.crt -inkey rsa-mykey1 -in test.txt -out mail.txt.signed
# Minimal form: signer certificate and key only, no extra chain certificates.
openssl smime -in test.txt -out test.txt.signed -sign -signer cert.pem -inkey key.pem
VERIFY
- with chain
# Verify the signature and the signer's certificate chain against the CA
# certificates found in -CApath.
# NOTE(review): with -verify, -signer names an OUTPUT file — the signer
# certificate(s) are written to it on success, so cert.pem is overwritten
# here. To restrict verification to a known signer certificate, see
# -certfile together with -nointern.
openssl smime -verify -signer cert.pem -CApath /some/path/to/certs/ -in mail.txt.signed
- no chain verify
# -noverify skips validation of the signer's certificate, so -CApath is
# effectively unused: the signature is only checked against whatever
# certificate the message itself carries. A "successful" result therefore
# says nothing about who signed the message; use it for debugging only.
openssl smime -verify -signer cert.pem -CApath /some/path/to/certs/ -in mail.txt.signed -noverify
*** TSA ***
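# Create a small sample file to time-stamp.
cat > prova.txt << __EOF
file di test
con contenuto
__EOF
# Build a time-stamp query over the SHA-256 digest of prova.txt; -cert asks
# the TSA to include its signing certificate in the response.
openssl ts -query -sha256 -cert -data prova.txt -out prova.tsq
# Submit the query to the TSA.
# - The password is prompted for (--ask-password) instead of being passed as
#   an argument, which would expose it in shell history and the process list.
# - The URL is plain http://, so the HTTP credentials travel unencrypted;
#   prefer an https:// endpoint if the TSA offers one.
# - Do not add --no-check-certificate: it disables TLS certificate
#   validation. If the server uses a private CA, pass that CA with
#   --ca-certificate instead.
wget http://timestamp.test.firmacerta.it/ --post-file=prova.tsq --header="Content-Type: application/timestamp-query" --user=myuser --ask-password -nv -O prova.tst
# Verify the time-stamp response against the original data.
# -untrusted only supplies additional (intermediate) certificates; the trust
# anchor has to come from -CAfile/-CApath, as in the second command.
openssl ts -verify -untrusted cacert.pem -data prova.txt -in prova.tst
# NOTE(review): the query above was built with -sha256, while this line
# passes -sha1 — confirm which digest is intended.
openssl ts -verify -sha1 -CAfile cacert.pem -data prova.txt -in prova.tst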
NOTES
Each certificate in the CApath directory must have a symbolic link named after the certificate hash:
# Print the hash OpenSSL uses to look the certificate up in a CApath directory.
openssl x509 -in root_certificate_cnipa_ca3.pem -hash -noout
6fa3f2bf
# Link the certificate under <hash>.0 so that -CApath lookups can find it.
ln -s root_certificate_cnipa_ca3.pem 6fa3f2bf.0
See:
Crypt and decrypt
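# S/MIME encryption to a recipient certificate (here the demo CA certificate,
# which is fine for a test but not how a CA key should be used in practice).
openssl smime -encrypt -aes256 -binary -in ./pyOpec.py -out pyOpec.enc ./demoCA/cacert.pem
# Decrypt with the private key matching the recipient certificate.
openssl smime -decrypt -in ./pyOpec.enc -out pyOpec.dec -recip ./demoCA/cacert.pem -inkey demoCA/private/cakey.pem
# Password-based file encryption.
# -pbkdf2 (OpenSSL 1.1.1 or later) derives the key with PBKDF2 instead of the
# legacy single-pass derivation, which is weak against password guessing.
# The same option must be given for decryption; files encrypted without it
# must also be decrypted without it.
# CBC mode provides confidentiality only: the ciphertext is not authenticated,
# so tampering is not reliably detected.
openssl aes-256-cbc -e -pbkdf2 -in x.zip -out x.aes
openssl aes-256-cbc -d -pbkdf2 -in x.aes -out x.zip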
Get FINGERPRINT
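# Certificate fingerprint. SHA-256 is preferred; use -sha1 only when the
# value you are comparing against was published as a SHA-1 fingerprint.
openssl x509 -in mycert.pem -fingerprint -sha256 -noout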
# View a remote server's certificates
# -showcerts prints every certificate the server sends. s_client goes on with
# the handshake even when chain verification fails, so check the
# "Verify return code" line (or add -verify_return_error) before trusting
# what is shown. For name-based virtual hosts, -servername selects the
# certificate via SNI.
openssl s_client -connect hostname:portnum -showcerts
# View certificates in an email
# Extracts the PKCS#7 structure from the S/MIME message and lists the
# certificates it carries; no signature or chain verification is performed.
openssl smime -pk7out -in tmp.eml | openssl pkcs7 -text -noout -print_certs
dumpasn
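# dumpasn1: ASN.1 dump tool, built from source.
# Both files are fetched over plain http:// with no integrity check, and the
# C file is then compiled and run locally. Prefer an https:// URL if the
# server offers one, review the source, and do the download and build as an
# unprivileged user.
wget http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
wget http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg
gcc dumpasn1.c -o dumpasn1
# Only installing the config file needs write access to /etc.
# -p makes the step repeatable when the directory already exists.
mkdir -p /etc/dumpasn1
cp dumpasn1.cfg /etc/dumpasn1/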