OpenSSL
How can we inspect remote SMTP server's TLS certificate?
If you have to check the certificate with STARTTLS, then just do:
openssl s_client -connect mail.example.com:25 -starttls smtp
For a standard secure smtp port, use:
openssl s_client -connect mail.example.com:465
How can I download the public certificate from the AD server?
openssl s_client -connect 192.168.240.10:636 -showcerts > output.txt
Open up the output.txt file. Copy everything from the start delimiter and the end delimiter (including the delimiters) into a text file and save it with a .crt extension. There may be multiple public certificate in the output.txt file. We have to put each certificate into a separate file. I am not sure if it is possible to get the public certificate of the root CA this way (probably not).
- https://stackoverflow.com/questions/7084482/how-to-save-the-ldap-ssl-certificate-from-openssl
- https://stackoverflow.com/questions/18833524/how-do-i-get-the-ssl-certificate-for-an-ldap-server-using-starttls
- https://docs.microsoft.com/en-us/archive/blogs/askds/troubleshooting-ldap-over-ssl
How can we create a self-signed certificate for testing (without encrypting the private key file)?
openssl req -new -x509 -nodes -out server.crt -keyout server.key
How can we encrypt the private key file?
openssl rsa -des3 -in server.key -out server.key.new && mv server.key.new server.key
How can we create a private key (Triple-DES encrypted and PEM formatted)?
openssl genrsa -des3 -out server.key 1024
How can we create a private key (PEM formatted, but not encrypted)?
openssl genrsa -out server.key 1024
How can we see the details of the private key?
openssl rsa -noout -text -in server.key
How can we create a decrypted PEM version (remove passphrase, not recommended) of the private key?
openssl rsa -in server.key -out server.key.unsecure
How can we create a CSR (certificate signing request, PEM formatted)?
openssl req -new -key server.key -out server.csr
How can we see the details of a CSR?
openssl req -noout -text -in server.csr
How can we setup your own Certificate Authority (CA)?
1. Create a directory on appropriate partition (depends on the number of certificates that you will need to issue, should be outside of your home directory)
2. Within this directory create these directories and files:
mkdir certs crl newcerts private && echo "01" > serial && touch index.txt
3. Edit the openssl.cnf (usually /usr/share/ssl/openssl.cnf) to set the dir variable.
4. Create a private key as explained above
5. Create a CA certificate: openssl req -new -x509 -nodes -sha1 -days 3650 -key cakey.pem -out cacert.crt
6. Put the created CA certificate and key files to appropriate place according to the openssl.cnf file.
7. Edit policy setting (inside openssl.cnf) from policy_match to policy_anything
8. Edit the req_distinguished_name section to allow multiple Common Name (CN) and subjectAltName:
0.commonName = "First Common Name"
0.commonName_default = "www.domain.com"
0.commonName_max = 64
1.commonName = "Second Common Name"
1.commonName_default = "www.domain.com"
1.commonName_max = 64
0.subjectAltName = dNSName:domain.com
1.subjectAltName = dNSName:*.domain.com
2.subjectAltName = dNSName:*.*.domain.com
3.subjectAltName = DNS:example.com
4.subjectAltName = DNS:www.example.com
How can we sign a CSR?
openssl ca -out server.crt -infiles server.csr
How can we view the detail of a certificate?
openssl x509 -noout -text -in server.crt
Example of openssl.cnf:
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /root/certificates # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = California
localityName = Locality Name (eg, city)
localityName_default = San Mateo
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Genius.com Inc
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NetOps
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.rsvp1.com
DNS.2 = *.pxy3.com
DNS.3 = *.pxy4.com
DNS.4 = *.netg1.com
DNS.5 = *.netg4.com
DNS.6 = *.gsv1.com
DNS.7 = *.gsv3.com
DNS.8 = *.rsvp3.com
DNS.9 = *.rsvp4.com
DNS.10 = *.rsvp5.com
DNS.11 = *.gns5.com
DNS.12 = *.genius-network.com
DNS.13 = *.genius-network2.com
DNS.14 = *.gotgenie.com
DNS.15 = *.rsvpgenius.com
DNS.16 = *.gotgenius.com
DNS.17 = *.salesgenius.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
https://docs.indymedia.org/view/Sysadmin/CaCertSsl#HTTP_multiple_domain_names
http://wiki.cacert.org/wiki/VhostsApache
http://wiki.cacert.org/wiki/VhostTaskForce#head-5868dc7fb125370f7ae8931cd77f03aeb966ad53
page revision: 4, last edited: 11 Oct 2021 16:41
