Here are the TLS commands I use again and again. I will add more little by little.
################################################################################
# Let
# server.crt: a server certificate file
# root.crt: a self-signed root certificate file
# All certificates are in the format of PEM.
################################################################################
# View the contents of a certificate:
openssl x509 -in server.crt -text -noout
# Check a certificate chain (intermediates can be concatenated with the root):
openssl verify -verbose -CAfile root.crt server.crt
openssl verify -verbose -CAfile <(cat interm.crt root.crt) server.crt
# Extract the public key from a private key
openssl rsa -pubout -in server.key -out server.pub
# Test a TLS connection, verifying the server against the given CA file.
openssl s_client -connect www.example.com:8443 -state -CAfile como.crt
# Save server certificate in PEM
openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -outform PEM > example.pem.crt
# Save server certificate in DER
openssl s_client -showcerts -connect www.example.com:443 </dev/null | openssl x509 -outform DER > example.der.crt
# List the certificates in a PKCS12 keystore
keytool -list -v -keystore example.p12 -storetype PKCS12 -storepass ${storepass}
# Export a certificate from a PKCS12 keystore (DER by default)
keytool -export -keystore example.p12 -alias ${alias} -file example.crt
# Create a new JKS truststore containing the root CA
keytool -import -alias rootca -file root.crt -keystore truststore.jks -storepass changeit
Let's look at an example showing the full steps of making root, intermediate, and server certificates:
# Create a CA key pair
openssl genrsa -out root.key 8192
# Create a self-signed CA certificate
openssl req -sha256 -new -x509 -days 3650 -key root.key \
-subj "/C=KR/L=Seoul/OU=Example/CN=Example Root CA" -out root.crt
# Or you can combine the above two commands:
openssl req -nodes -x509 -sha256 -newkey rsa:8192 -keyout "root.key" -out "root.crt" -days 3650 \
-subj "/C=KR/L=Seoul/OU=Example/CN=Example Root CA"
# Create a server key pair
openssl genrsa -out server.key 4096
# Create a CSR (the request goes to server.csr, not to the certificate file)
openssl req -new -sha256 -key server.key \
-subj "/C=KR/L=Seoul/OU=Example/CN=svc.example.com" -out server.csr
# Create a server certificate by signing the CSR with the root CA (without -days the default validity is 30 days)
openssl x509 -req -days 365 -in server.csr -CA root.crt -CAkey root.key -set_serial 01 -out server.crt
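The steps above only make a root and a server certificate. The following added example (not from the original post) also puts an intermediate CA in between and shows why that needs the v3 extensions a bare `openssl x509 -req` never adds: without `basicConstraints=CA:TRUE` OpenSSL refuses to treat the intermediate as a CA. The scratch directory and 2048-bit key size are my assumptions; the DN values are the post's.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: root -> intermediate -> server with the CA
# extensions a bare `openssl x509 -req` never adds, then the chain check from the post.
set -eu
WORK="${TMPDIR:-/tmp}/pki-demo.$$"   # hypothetical scratch directory
SUBJ="/C=KR/L=Seoul/OU=Example"      # same DN prefix as the post
ca_ext() {    # v3 extensions for a CA certificate; $1 = allowed depth of sub-CAs
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$1"
}
leaf_ext() {  # v3 extensions for a server certificate; $1 = DNS name
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n'
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1"
}
csr() {       # $1 = basename, $2 = CN; 2048-bit keys keep the demo fast (post uses 8192/4096)
  openssl req -nodes -new -sha256 -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" \
    -subj "$SUBJ/CN=$2" 2>/dev/null
}
build_chain() (          # subshell, so the cd does not leak to the caller
  mkdir -p "$WORK" && cd "$WORK"
  csr root   "Example Root CA"
  ca_ext 1 > root.ext    # self-signed root, depth 1: exactly one intermediate below it
  openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key -extfile root.ext -out root.crt 2>/dev/null
  csr interm "Example Intermediate CA"
  ca_ext 0 > interm.ext  # intermediate may issue leaves only
  openssl x509 -req -sha256 -days 1825 -in interm.csr -CA root.crt -CAkey root.key \
    -set_serial 02 -extfile interm.ext -out interm.crt 2>/dev/null
  csr server "svc.example.com"
  leaf_ext svc.example.com > server.ext
  openssl x509 -req -sha256 -days 365 -in server.csr -CA interm.crt -CAkey interm.key \
    -set_serial 03 -extfile server.ext -out server.crt 2>/dev/null
)
# The post's `openssl verify -CAfile root.crt`, with the intermediate passed as -untrusted
# instead of concatenated. Exit status 0 means the chain verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/interm.crt" "$WORK/server.crt"
}
# Counter-example: sign the same intermediate CSR without -extfile (the post's bare form).
# It gets no basicConstraints, so OpenSSL refuses to accept it as a CA. Exit 0 = rejected.
bad_intermediate_is_rejected() (
  cd "$WORK"
  openssl x509 -req -sha256 -days 1825 -in interm.csr -CA root.crt -CAkey root.key \
    -set_serial 12 -out bad-interm.crt 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in server.csr -CA bad-interm.crt -CAkey interm.key \
    -set_serial 13 -out bad-server.crt 2>/dev/null
  ! openssl verify -CAfile root.crt -untrusted bad-interm.crt bad-server.crt >/dev/null 2>&1
)
build_chain
verify_chain                 # prints ".../server.crt: OK"
bad_intermediate_is_rejected && echo "intermediate without CA:TRUE rejected, as expected"
```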
Do you want to view the contents of a certificate chain? Let's call the following script 'chain.sh' and run it like "./chain.sh combined_certificates.crt".
#!/bin/bash
chain_pem="${1}"
if [[ ! -f "${chain_pem}" ]]; then
    echo "Usage: $0 BASE64_CERTIFICATE_CHAIN_FILE" >&2
    exit 1
fi
# openssl x509 reads only the first certificate; this just checks the file is PEM at all
if ! openssl x509 -in "${chain_pem}" -noout 2>/dev/null ; then
    echo "${chain_pem} is not a certificate" >&2
    exit 1
fi
# Feed each PEM block to its own openssl process and print an index in front of it
awk '
    BEGIN {
        showcert = "openssl x509 -noout -subject -issuer"
    }
    /-----BEGIN CERTIFICATE-----/ {
        printf "%2d: ", ind
        fflush()              # flush before openssl writes, so the index stays in front
    }
    {
        print $0 | showcert   # print, not printf: $0 must not be used as a format string
    }
    /-----END CERTIFICATE-----/ {
        close(showcert)       # end of this certificate: openssl runs, pipe is reset
        ind++
    }
' "${chain_pem}"
echo
# Verify the first certificate against the system trust store, using the rest as intermediates
openssl verify -untrusted "${chain_pem}" "${chain_pem}"
Top comments (1)
If you don't mind, I'd put here a link to my post about showcert: a simple open source utility which makes most of these things very easy.